Ecosystem of Cybercriminals and Nation-State Hackers Grows Stronger
U.S. 'not ready' to combat rising threats, retired general tells summit
On the same day that news headlines implicated Russian hackers in a significant cyber attack and breach on the White House, officials attending a cybersecurity summit Tuesday in the nation’s capital warned of the uptick in the number of nation-state sponsored cyber attacks against the U.S. government and businesses.
The amplification could be worrisome because cybersecurity experts already cannot keep up with, much less get ahead of, the cyber activities that pose a national threat and have risen to the level of a national emergency.
“We’re not ready,” Gen. Keith B. Alexander, USA (Ret.), former commander of U.S. Cyber Command and former director of the National Security Agency, stated bluntly at the 5th Annual HP Software Government Summit.
The changing cyber landscape keeps security personnel in a perpetual chase to reverse damage caused by breaches while looking for ways to outsmart adversaries and counter the estimated 82,000 variants of malicious software and intrusion techniques released daily. The number of nation-state perpetrated or sponsored attacks has jumped, as has the sophistication and expertise behind the malware. Cybercrime costs for an organization have increased to $12.7 million a year, compared to about $3.8 million in 2010, according to HP, and time spent recovering from a data breach has increased from 14 days last year to 48 days.
“One of the main challenges that we face in cybersecurity is that there really is a smashing together of a couple of pretty significant trends in our environments that is making security a lot more complicated,” said Art Gilliland, senior vice president and general manager of HP Software Enterprise Security Products. “Different actor communities are buying and selling services to each other. They’re sharing information, they’re investing in tools and they’re specializing in specific skill sets. Because if you specialize in a marketplace, you make more money.”
It was widely reported Tuesday that Russian hackers are behind the October breach of White House systems in which they accessed sensitive information such as unpublished details of the president’s travel plans. Hackers reportedly accessed the White House via a phishing scam on the U.S. State Department. Additionally, officials traced to Iran the distributed denial-of-service attacks on the financial services in 2013, in which Iran turned to the cyber hacker communities and paid out bounties—the more damage inflicted, the higher the payout, Gilliland said.
“We’re seeing this federation of skill sets being brought together by a market-based ecosystem,” Gilliland said. “That ecosystem is becoming more sophisticated and our customers, our partners, are having to deal with that kind of bad-guy ecosystem.”
This month, President Barack Obama authorized the use of financial sanctions against malicious hackers and companies that knowingly benefit from cyber espionage and attacks.
The other challenge is the explosion of devices, delivery of services and new technologies. Connectivity through the Internet of Things has increased vulnerabilities at a pace with which security experts cannot keep up. A recent HP research project found that on average, each device examined had 25 vulnerable access points and 90 percent incorrectly used encryption technology. Additionally, 84 percent of successful breaches via mobile devices occurred because hackers took advantage of a vulnerability in an application, Gilliland offered.
Industry allocates 86 percent of company budgets to keeping intruders from breaching the networks. “If we’re competing against specialists … after they’re inside, they pretty much own us through the whole rest of the chain, because we’ve spent less than 15 percent of our budgets on everything else,” he shared. Companies spend as much money to protect the financial data as they do on protecting the company lunch menu, he quipped. There is no need to pay to put barriers around an entire enterprise “if we can be a lot more focused on the information that matters.”
Encryption technology provides formidable protections against intrusions, as do good cyber hygiene and practices and constant monitoring of systems, including employee behavior, said Maj. Gen. Earl Matthews, USAF (Ret.), vice president of Enterprise Security Solutions, HP Enterprise Services.
Critics of legislation now being debated in Congress and the administration question whether proposed laws to ease information sharing between government and industry go too far and threaten privacy.
Also, businesses and agencies can better help protect themselves by focusing more on training employees and improving internal processes rather than chasing a technology "silver bullet," Gilliland suggested.