Cybersecurity--
Everybody's Doing It

Large companies take varying actions to deal with emerging markets, threats, trends and the future of cyber.

With attacks on critical data increasing in numbers, intensity and sophistication, securing networks is becoming a global effort while fostering greater information sharing among agencies, governments and the public and private sectors. The future of cybersecurity offers greater opportunities for industry and greater cooperation on national security and critical infrastructure protection, say executives at some of the largest U.S. defense companies.

While traditional defense budgets shrink in the United States and elsewhere, cyber spending is increasing rapidly. But the emerging cybersecurity market is not limited to specific geographic regions or even market sectors—it is a global phenomenon. “It’s pretty well spread across the world,” says Mike Guzelian, vice president of secure voice and data products for General Dynamics C4 Systems, Fairfax, Virginia. “I wouldn’t say there’s one specific area or continent that’s more worried than the others. They’re all worried about it.” He adds that the emerging market includes both governments and private sector opportunities, especially with those companies involved in critical infrastructure, such as the defense, finance, oil and gas and electrical power industries. Even state and local agencies are spending more on cybersecurity, although they tend to be most concerned about data sharing with federal agencies, Guzelian says.

Market analysis firms confirm the rapidly growing cybersecurity market. Two different reports—by Global Industry Analysts Incorporated, San Jose, California, and MarketsandMarkets, Dallas, Texas—suggest the global market could reach between $80 billion and $120 billion by 2017.

Other industry executives agree that the growing market is both universal and diversified, in part because of a growing, more sophisticated threat. “The threat landscape has changed dramatically over the last few years,” says Peter George, president of General Dynamics Fidelis Cybersecurity Solutions, a wholly owned subsidiary of General Dynamics headquartered in Bethesda, Maryland. “Enterprises and governments in every part of the world now have to defend themselves against sophisticated, persistent and patient adversaries who are launching customized, targeted attacks designed to get into the network, steal data and stay there without being detected. Today, targeted threats are global in their destination as well as their origination.”

Roger Krone, president of the Network and Space Systems business unit within The Boeing Company, Chicago, predicts a splintering of the market into new opportunities, including greater opportunities for cybersecurity services. Right now, many companies offer cybersecurity services as part of a package deal because they provide and secure a network as part of a larger contract. “We believe that cybersecurity will be unbundled, and there will be opportunities at all levels of the value chain to sell cybersecurity services, hardware and certain software. Right now the market is a bit all over the map. We believe the market will continue to mature,” Krone says.

Fidelis executives say they see the commercial market growing more rapidly than the government sector, both domestically and abroad. About five years ago, 60 percent of the company’s business came from the government sector; now, only 20 percent does so, even though the U.S. Air Force remains the subsidiary’s largest customer. Fidelis recently opened a new cyber forensics laboratory in Columbia, Maryland, primarily to help support commercial sector growth. “The commercial marketplace needs help. They’re used to dealing with the hacker down the street, but if the attack is sponsored by a nation-state with an intelligence agency, for example, they just don’t have the skills and tools to do it,” George says.

According to Fidelis executives, 30 percent of today’s attacks come from spearphishing attempts with embedded software designed to elicit classified information for financial gain, trade secrets or military information. Another 30 percent take advantage of known vulnerabilities that have not been fixed, such as when software security patches are issued but an organization doesn’t implement them, says Jim Jaeger, Fidelis vice president, cybersecurity services. The remaining 40 percent of attacks come from a variety of insiders, wireless attacks and advanced attack techniques. “Typically, the malware is going to beacon back out through command and control channels and will also propagate across the network,” Jaeger explains. “Defenders need to be looking at all of that activity, not just the initial infiltration. You have to look for the command and control, and you have to look for the lateral propagation.”

Preventing data loss is the final step in defense. “Once you’ve gotten to that level, you’re in trouble. You really need to identify the breaches early on,” Jaeger maintains.

Many experts in government and industry agree the threat is growing more sophisticated and persistent, and some argue that it likely will grow worse. “The number one influence on the future of cyber is going to be a significant attack, no question in my mind. I think we could see a major cyber attack on the power grid that takes down a main section of power for days. There is absolutely the threat of that happening. It’s a matter of time,” Guzelian says. “If a terrorist organization had the ability to shut power off to a large section of New York City, I think they’d do it.”

He cites the financial industry as another prime target. “Maybe you can’t steal money, but you can bring things to a halt for an extended period of time,” Guzelian contends. “We have seen a huge, significant rise in the number of attacks on networks for those industries as well as for the government. It’s gone up exponentially over the past five years. It’s a constant barrage.”

Robert Smith, vice president of space and cyber for Lockheed Martin Information Systems and Global Solutions, Gaithersburg, Maryland, agrees on the growing nature of the threat, saying most attacks can be foiled with traditional security measures, but increasingly those measures are not enough. “Everybody who has a corporation with any significance has had attacks on their networks whether they realize it or not. We see continued enhancement of the capabilities of adversaries,” Smith contends. “Eighty percent of all our problems can be managed through having good security postures. But the top 20 percent become more sophisticated, and there are more of them, and they’re coming from all directions, and they have better resources, and they have more success.”

Smith adds that protecting data is becoming more complicated as new devices, such as mobile phones and tablets, enter the market. “The connectivity is getting greater and greater and therefore the opportunity and the vulnerabilities at different stages continue to compound exponentially,” he says.

As more countries, agencies and corporations contend with the threat, they are becoming more eager to share information about data breaches, according to industry officials. The U.S. government has pushed for greater information sharing with the private sector since at least the mid-1990s but has met with mixed success. Now, however, industry officials say they see a new enthusiasm for information sharing. Some credit Google for publicly disclosing state-sponsored attacks on its systems last year. With that one disclosure, the stigma of having systems compromised was lifted, experts say.

“People were talking about advanced persistent threats four years ago, but it was always in whispers in a back room. Now, all of a sudden, it’s not a scarlet letter to be compromised, and all of our customers are talking about how to deal with this problem,” George says. “We’ve been to eight Fortune 100 companies in the last three weeks, and the lid’s come off of the problem. Everybody’s talking about it.”

And that willingness to share information crosses borders, according to the Fidelis officials. Intelligence is being shared across enterprises, governments and law enforcement agencies, they say.

The U.S. government continues to push for greater sharing. Congress introduced—but did not pass—two separate cybersecurity bills. The president has issued a presidential directive on cybersecurity and an executive order on critical infrastructure protection. The government’s activities so far are receiving mixed results.

Guzelian, for example, expresses concern about the cost of implementing the White House plan. “I’m worried about the impact of an executive order. An executive order without a budget behind it is going to be tough for people to implement,” he says.

On the other hand, Boeing’s Krone argues in favor of legislation. He compares the “wild and woolly” Internet to the early days of aviation, which has been more and more regulated over the past 100 years for safety’s sake. Krone calls for the creation of a .secure domain for business transactions.

“The problem is that we don’t have 100 years. What was cool about aviation was that technology matured in a thoughtful, methodical way. We didn’t go from Kitty Hawk straight to fighters with turbojets, but that’s what has happened with the Internet. I think the Internet is going to be segmented and managed in such a way that my son can use Facebook, yet a company that wants to conduct a financial transaction can use the Internet in a way that is more secure,” Krone predicts.

To truly secure the Internet, Krone indicates, some monitoring will be required. “There are places on the Internet where it makes sense to look for signatures of advanced persistent threats, denial of service attacks and things like that. And the way you do that is that you grab a data packet and you do a deep packet inspection and compare what’s in the packet against signatures you know to be bad—or things you know not to be good. The easiest place to catch someone is on the superhighways, on the big backbones of the Internet,” he asserts.
 

The first step, Krone says, is to pass legislation. “We need cyber legislation. Whatever we pass first will not be perfect, but regulation will morph over time, just as airspace control morphed over time,” he says. He acknowledges the privacy concerns many people have, but he contends regulating the Internet is as necessary as regulating the airways, highways and waterways, all of which society has accepted. “We just want the Internet to be a safe place to live,” Krone says.