Ignorance Is Not BlissMany Enterprises Don't Know They've Been Breached
An old saw - old, in Internet time, that is - states: There are two types of organizations; ones that have been breached and ones that will be breached. Most likely, those that will be breached already have been attacked.
A large number of organizations are unaware they've been breached, often times for weeks, months or even years, and don't learn of it until law-enforcement authorities inform them, recently retired FBI Executive Assistant Director Shawn Henry told lawmakers.
It's not just blissful ignorance that endangers our IT, but misdirected attention to those that could do us the most harm.
"While I was at the FBI, our agents regularly knocked on the door of victim companies and told them their network had been intruded upon and their corporate secrets stolen, because we found their proprietary data resident on a server in the course of another investigation," Henry said in testimony delivered April 24 to the House Homeland Security Subcommittee on Oversight, Investigation and Management. "We were routinely telling organizations they were victims, and these victims ranged in size and industry, and cut across all critical sectors."
That's a point made in a recent interview I had with Phil Neray, head of security intelligence strategy and marketing for Q1 Labs, an IBM company [see Identifying Undetected Breaches], who said: "The problem most organizations have is that they even don't know they've been breached. They only find out through some third party [such as] a consumer whose credit card has been used in a fraudulent way."
The number of cybersecurity incidents being reported is skyrocketing. Citing a Government Accountability Office analysis of U.S.-CERT data, Gregory Wilshusen, GAO's information security issues director, told the subcommittee of a 680 percent increase in cyber incidents between 2006 and 2011, just among federal government agencies. Imagine the number of breaches at private-sector organizations that don't have the cybersecurity wherewithal of the federal government.
At that hearing, security maker McAfee Chief Technology Officer Stuart McClure spoke of amazing technological advances in which diabetics use wirelessly connected insulin pumps, doctors monitor patients from afar and motorists unlock car doors remotely(see Medical Device Security: Call to Action). "But," he said, "unless the devices are locked down and secured by design, the cybercriminals will be given even more opportunities to profit, plunder and pillage."
It's not just blissful ignorance that endangers our IT, but misdirected attention to those that could do us the most harm. Much attention about foreign hacking has focused on China and Russia, and no doubt political and military espionage as well as intellectual property thefts originate from within those nation's borders. But neither China nor Russia is seen as targeting America's critical IT infrastructure, the information networks that are vital to the way we function. The real threats come from North Korea and Iran, said James Lewis, the IT security expert at the Center for Strategic and International Studies, a Washington think tank.
On North Korea, Lewis said in his prepared testimony: "Technological backwardness and political culture are major obstacles to developing strong hacking capabilities, but, as with nuclear weapons, if North Korea is able to support sustained investment in cyberattack capabilities and find some outside support, it will eventually acquire them. North Korea's erratic behavior suggests it will use cyberattacks against South Korea, Japan or U.S forces in Korea, should it succeed in its long quest to obtain a cyberattack capability."
Lewis said Iran is the more troubling case; it's been pursing the acquisition of cyberattack capabilities for several years. Iranian officials hold the United States and Israel responsible for the Stuxnet attacks on its nuclear centrifuges, and retaliation in kind would be justified (see Researchers: Stuxnet Virus Origin Dates). "Iranian hackers have greater access to the Internet and to the cyber black market than North Korea, suggesting that their development of cyber capabilities will be more rapid," Lewis said.
But the greatest threat to America's cybersecurity comes from within. "This threat is complacency," Lewis said. Too many people feel the Internet can heal itself, that civil society and multistakeholder Internet governance will ultimately provide adequate security are simply naÃ¯ve.
"This sort of approach has never worked anywhere else," he said, "and it is not working now in cyberspace."