Introduction
What Every Current and Future Senior Executive Must Know about the Cyber Threat
A Perfect Digital Storm Is Forming

A “perfect storm” has been described as a combination of circumstances that aggravate or intensify a situation. The 1997 book The Perfect Storm, by Sebastian Junger, describes the events of a perfect meteorological storm formed in the fall of 1991. The swordfishing boat Andrea Gail, sailing out of Gloucester, Massachusetts, was lost 575 miles off the New England coast to one of the worst storms in maritime history. I often think about that storm when considering the cyber threat.

We are, arguably, experiencing a set of circumstances that significantly intensify the impact of the cyber attacks that occur all the time. Let me be clear. I am not forecasting one such perfect storm, resulting in a catastrophic digital Pearl Harbor strike against the United States that disables critical infrastructure, from the distribution of electricity to the movement of money across the financial system. Of course, that could happen. But I am talking about enterprises large and small, commercial and governmental, that operate continuously under a range of perfect storm-like conditions. These cyber attacks have a telling and sometimes material impact on the organization.

But which organizations? In the February 5, 2013, edition of the Wall Street Journal, the editorial writers remarked that “On a visit to our offices last year, a U.S. lawmaker with knowledge of intelligence affairs explained that, when it comes to cyber-espionage, there are only two kinds of American companies these days: Those that have been hacked, and those that don't know they've been hacked.”1

Perhaps not every company has been hacked, but that lawmaker's comment is not far off the mark. Given just the number of breaches of personal information, including health data, reported in the press, it is easy to believe that the problem is extremely serious. But then consider all the breaches that never appear in the media. These are breaches of information integrity that are not reported, for a number of reasons. One reason is that when some companies are breached, management is not aware of any obligation to report the breach to U.S. federal or state or even foreign-country regulators. While it may seem improbable that companies are often not aware of the need to comply with various regulations, it does happen.

Another reason that companies fail to report these breaches of regulated personal information is that they simply choose not to do so. This is because some of these companies are not compliant with even the most basic regulations and fear civil and even criminal consequences. Other companies operate in a state of regulatory confusion, complying with some regulations but not others. Many smaller companies lack consistent and focused security, legal, regulatory compliance, risk management, and privacy expertise, complicating the process of following the many requirements mandated by law.

And then there are the corporate breaches of intellectual property and trade secrets. In the majority of cases, outside of any special U.S. Department of Defense requirements or other federal reporting requirements, there is no mandate to report the breach. While legislation is circulating that would require the disclosure of certain intellectual property and trade secret thefts, this is not currently the case.

What Factors Create a Perfect Storm?

Any number of conditions may contribute to the digital perfect storm. Here is a short, and by no means complete, list:

  • Industry is vulnerable. We're not ready to meet the cyber threat, technically, organizationally, or operationally.
  • The threat is expanding and intensifying.
  • Legal jurisdictions often protect criminals and nation-states behind the threat.
  • Government is far behind the curve and its strategy cannot adequately meet the threat.
  • The global regulatory framework is inconsistent. Even within the United States, there are significant differences between states and between states and the federal government.
  • Intellectual property and trade secret compromises typically do not fall under reporting guidelines, although some exceptions apply, as in the defense industry and some critical infrastructure.
  • The level of awareness of the problem by executive management and boards of directors is too low.
  • Companies operating on small profit margins walk a delicate balance when deciding to invest in security.
  • Security is too often considered a technology issue and not an operational risk issue.
  • Mobile devices are creating a highly distributed information architecture.
  • Social media enables unprecedented data sharing.
  • Social engineering for information access is reaching new levels and is easier to execute because of social media.
  • Many companies have not adequately calculated the potential risk impact of a cyber attack that is either targeted specifically at that company or in which they are one of many enterprise victims in a broader-scale attack.
  • More and more information moves offshore and to third parties.
  • The insider threat continues to haunt companies, and it may get worse because we don't investigate backgrounds adequately.
  • Many enterprises are in denial of their vulnerability.

Industry Vulnerability

We're not ready for cyber attacks. That's the simple truth. Think about it this way: Government regulations reflect a mandatory minimum requirement for companies to protect personally identifying information. A minimum requirement. This sets the defensive bar pretty low, although there are exceptions, including in the Commonwealth of Massachusetts, which, under the privacy regulation 201 CMR 17.0, is generally acknowledged as the most robust regulation in the United States. Still, many companies fail to meet even the low level of protection as defined by states other than Massachusetts. And that doesn't begin to address the systems associated with critical infrastructure and proprietary corporate information. Inside many companies, the levels of awareness and compliance are low. That's not a good combination, and it promises a bad outcome in the event of attack, attacks that have come and will continue to come.

Threat Intensification

The threat range is diverse. That's part of the problem. It's not one country or one group of hackers, though China and the Russian Federation are indisputably behind the majority of attacks against U.S. targets. Nor is it just one company hacking into its competitor, or one entity described generically as “organized crime.” And there is not just one reason or motive behind the attacks. While the Internet started as a simple idea, it is anything but simple today. That magnifies the problem—and the solution.

Threat intensification is reflected in the numbers, which seem almost incredible. The U.S. government reports a 17-fold increase in cyber attacks from 2009 to 2011. The U.S. Federal Emergency Management Agency reports a 650 percent increase in attacks between 2006 and 2010. It is believed that the U.S. Navy sustains some 110,000 cyber attacks every hour, about 30 attacks every second or more than 963 million a year. And that is just the U.S. Navy. The quest for global economic competitive positioning drives much of the espionage committed over the Internet. The People's Republic of China, while not the only acquirer of secrets, certainly tops the list, with its Project 863, the country's blueprint for technological and economic domination. Stealing U.S. information is a shortcut to competitive advantage. Organized criminal cyber attacks seem to be on the rise as well. Blackmailing and extorting companies is big business. Web site hijacking and associated frauds are attractive and relatively low-risk for the cyber attackers, who often hide behind the protective shield of foreign-country jurisdiction, where it remains difficult for U.S. companies to seek redress, let alone justice.

Inadequate Government Preparedness

The United States continues to advance the cyber preparedness agenda, and some very good work is going into cyber defense programs. But is it too little, too late? Better late than never, but our defenses are inadequate. Speaking at the Aspen Security Forum in 2012, General Keith B. Alexander, then chief of the National Security Agency and the head of the U.S. Cyber Command, rated U.S. cyber defense preparedness at a 3 on a scale of 1 to 10. He said that counts as an “F.” So the news is not good. Consider the cyber attack history at the Department of Energy's National Nuclear Security Administration. The organization that manages the nation's nuclear stockpile is hit by as many as 10 million cyber attacks daily. Only about one-hundredth of one percent of the attacks are believed to be successful. But that still translates into about 1,000 successful attacks a day, 365,000 successful attacks a year. Ironically, the agency was created by Congress in 1999 after the Wen Ho Lee spy scandal, in which the Department of Energy was lax in its security, resulting in the loss of U.S. nuclear secrets to China.

Many smart and diligent employees of the federal government, from the National Security Agency and Department of Homeland Security to the Federal Bureau of Investigation and Central Intelligence Agency and many, many others, are working to get ahead of the threat. They are working with defense contractors, think tanks, private corporations, even other governments. But as the old Breton fisherman's prayer says, “Oh God, thy sea is so great and my boat is so small.” Implied in the prayer is the theme that the challenge is fearsome, but that there is hope. Certainly this is the case. Government preparedness is low, and there's no excuse for it. The threat has been building like a tsunami for a long time. The government is acting on it as the wave is getting ready to break. Corporate preparedness is generally low as well, and companies have watched that same tsunami-like condition build, too. Yet there is hope. Perhaps the greatest hope is in achieving high levels of awareness, in government and industry—and then acting aggressively on that foundation. The time is now. Not in the next congressional session. Not in the next presidential election. Now!

Low Level of Awareness

Ignorance of the law may be no excuse for a failure to comply, but that doesn't change the discouraging and disappointing fact. Not only is there a low level of compliance with security and privacy regulations that address sensitive personal information, but there is a low awareness of the need to protect intellectual property and trade secrets. Many in government and industry are not aware of the true diversified threat to intellectual property and trade secrets. We see this frequently. When management is inadequately informed, you can be sure that awareness throughout the enterprise is low. This is a common problem even in companies (typically in smaller companies) that are bound by regulation to establish security awareness programs. These companies often lack internal (and sometimes even external) legal counsel, security officers and privacy officers, and regulatory compliance professionals. Many companies large and small also fail to properly make employees aware of the dangers of using new technologies. Mobile devices and social media are great examples.

Inadequate Risk Assessments

Many companies fail to conduct meaningful risk assessments. Oftentimes risk assessments are conducted internally by staff who lack sufficient perspective, knowledge, and experience. Or an external firm is engaged, but the lowest-cost provider resorts to a checklist approach, fails to properly scope the risk assessment, and does not test any of the controls designed to defend against constantly evolving threats. Inadequate risk assessments can be particularly dangerous because they instill a false sense of security. A false sense of security can lead to devastating consequences—and it has.

Offshoring of Data

More and more we see sensitive information sited in environments that may or may not be secure. There's inadequate vetting of security in many of these places. And often security is grossly inadequate and there are few controls in place to ensure information integrity. This is not an issue specific to regulated information. Some offshore information management companies experience high employee turnover, and trade secrets disappear with employees who move on to the next employer. Data managed offshore doesn't necessarily mean there is a higher level of risk, but it also doesn't mean there isn't. Some offshore locations establish better security than some domestic organizations. But others do not. Being able to differentiate between these two conditions is critical in the quest for sustainable information risk management through enhanced cyber security. Yet so often the distinction isn't made, and the gap between the more secure and the less secure widens, unarticulated and unverified.

Insider Threat

This is a major problem, from terrorism to organized crime to competitive intelligence and corporate espionage. There are also lone wolf hackers, disenfranchised, malicious employees who steal data and sabotage data, imperiling the brand. Companies often fail to conduct good background investigations on candidates and don't reinvestigate based on factors such as life events or the passage of time. Incredibly, some companies fail to conduct any background investigations. That failure has contributed to cyber breaches that otherwise would not have occurred. There's an inherent trust of employees. We want to trust. We want to believe that our colleagues are trustworthy. But that isn't always the case. We're also broadening the definition of insiders today. Part-time employees, contractors, third-party firms, business partners all enjoy varying levels of trust—and access. Consider Edward Snowden. He worked for a third-party firm and was assigned to the U.S. National Security Agency. Whatever anyone's opinion about what Snowden has done, it's clear that there was a monumental lapse in security. And then, sometimes, background investigations are not key indicators of risk. This is what may make insiders the ultimate threat. They get our trust, in part, based on clean background checks.

Denial of Vulnerability

“It won't happen to me” is a common theme. Even though more and more cyber attack stories appear in the business and popular press, there remains a sense of disbelief among many. More than a decade ago, I wrote an Information Security magazine article about denial or lack of awareness at companies that think they are not going to be targeted.2 Some executives believed then, as some do now, that they are too small, that no one knows about them. “Why would anyone attack us?” was the common refrain. I noted then that the Internet and the Web are the great democratizers of the free market. Even the smallest of organizations can appear to be—and actually are—omnipresent in a 24/7 cyber world. The World Wide Web makes companies global. I once saw a Web site representing a one-man shop in an emerging nation in Africa. He was selling to only the local market. But anyone connected to the Web had the ability to learn about his small company. Many other fledgling entities are less transparent and use the Web to transcend the trade barriers imposed by business size, reach, and scope. Of course, this is the classic double-edged sword: being visible to the market means being visible to the criminals lurking throughout the Internet. This concept escaped many businesses for a long time. Unfortunately, the myth of marginal visibility or invisibility remains entrenched in the minds of too many.

The digital threat today is as diverse as the cyber thugs, malicious insiders, nation-states, and criminal enterprises that deploy it. According to the U.S. government, more than 100 nations are engaged in technology and economic espionage. While many nations are targets of the cyber attackers in pursuit of proprietary information, the United States is target number one. The reason is straightforward. According to a Rand Corporation study, the United States leads the world in research and development, accounting for some 38 percent of the worldwide R&D spend. That's significant enough for cyber attackers to dedicate considerable resources to the task of stealing U.S. secrets.

Increasingly Sophisticated Attacks

The risk is as multidimensional as the enterprises that do not adequately protect against it. The potential risk impact is as extensive as the virtually unlimited reach of the Internet. And the technologies that convey the attacks are far more powerful than those that placed astronauts on the moon, and so inexpensive that almost anyone can afford them. The total population of the world is approximately 7 billion people. Cisco Systems Inc. is forecasting that 50 billion mobile devices—just mobile devices, not desktop or even laptop computers already in the installed base by that time—will be connected to the Internet by 2020.3 The U.S. Census Bureau forecasts that in that same year, the world population will grow to about 7.6 billion people. That's about seven mobile devices for every man, woman, and child in the world.

Cisco also reports that Android malware growth is up in 2013 over 2012 by 2,577 percent!

In 2012, we conducted an informal survey. The executives polled indicated that each one possessed at least three mobile devices, while some had four, a combination of personal devices and ones issued by their companies. We are a nation and world buried not only by information but also by the very devices that store and transmit that information. And this is still the pioneer era of mobile technology.

To the average person, the number of devices per capita may not seem to matter. But from a security, risk, and privacy perspective, it is a reflection of the amount of data that is at risk through widespread distribution. It is also an issue of how many devices may be lost or stolen, of how much data is at risk in multiple places.

Mobile Devices at Higher Risk

A study by the Ponemon Institute4 clearly illustrates the mobile device concern. According to the report, large numbers of laptop computers are stolen or lost each week in U.S. airports. The total number cited in the study isn't important. It would not be unusual if the devices stolen are taken by organized criminal networks. Only the fact that portable computing devices are being stolen is new. As far back as the 1950s, airports were prime theft venues heavily penetrated by organized crime. Portable devices are stolen, targeted by criminal enterprises that understand the value of information and the fact that these units often contain vast archives of highly valuable as well as portable data. The data may be personal information or intellectual property and trade secrets, but it has value on the black market.

Sometimes Security Just Doesn't Take Hold

On many occasions, industry's often distracted and worn-down road warriors have been observed displaying poor judgment. To some extent, it's understandable. Seated at the gate, waiting for the next flight, some secure seats close to a gate agent because they are on standby for a first-class upgrade. Typing away on their laptops, they appear industrious and engaged in writing up an expense report or maybe making a trip report, maybe a legal brief. But their ears are tuned for that magic moment when the gate agent calls their name for the upgrade and the trepidation associated with travel in the cramped and noisy economy cabin fades away. But first it's necessary to get to the gate agent before the upgrade is given to someone else. That otherwise well-meaning and maybe even cautious executive places the open laptop on the gate area seat and races to confirm the upgrade.

That's all it takes. In a fleeting moment, the laptop is gone. Worse, it is open and no password is needed to access the data. For the bad guy, it's been a good day.

In another case, an executive at a well-known firm is out of town with an associate and a client. Driving around in a rental car that evening, they opt to drop into a strip club. The executive remembers something about a security warning: Don't leave a laptop computer in the cabin of a car. If you can't take it with you (and, no, that wasn't going to happen), place the laptop in the trunk. Oh, and don't leave the keys with the valet parking attendant. So, parking the car himself, following the recommendation from the security department, he believes the computer is locked up and secure. But then he does something quite unbelievable. He places the car keys under the floor mat on the driver's side of the car and the three walk into the gentleman's club. Several hours later when they emerge, the car and the laptop are missing.

It's Friday evening, and the executive also remembers that security had advised employees that in the event of a lost or stolen laptop they should call in immediately to report it. What the executive does know is that he is going to have a hard time explaining this one, so he puts it off as long as he can. He waits until the following Monday. Bad call.

On Monday, he calls security. Security immediately sends a signal to the laptop to disable it. But from Friday night until Monday morning the laptop was not secured. And in order for the remote signal to be effective, the machine must be connected to the Internet. Unfortunately, tens if not hundreds of thousands of personal financial records are on the laptop.

Security and management have to make a tough call. Will they have to report the missing laptop to regulators? Yes. But they fail to mention the strip club, and they also state that the device is encrypted and that customer data was not exposed. But was it? Would the capture of client data, if it was exposed, result in an increase in phishing attacks and identity theft? We'll never know.

It Wasn't Always Like This

Building a business or attacking one over the Internet rests in devices that now fit in the palm of a hand, in our laps, or on our desks. Distributing disinformation, disrupting communications and commerce, threatening critical infrastructure in a myriad of ways, waging symmetric and asymmetric information attacks, stealing information—these are the ways in which the Internet is used by criminals and nation-states. But it wasn't always that way.

Ironically, when the Internet was conceived, it was devised to be the last great hope of a successful Cold War communication between the United States and the Soviet Union, a sort of fail-safe, last-ditch effort to prevent MAD (mutual assured destruction). If nuclear war was about to be unleashed by either side, the result would be devastating. Each side assumed that the level of destruction wrought upon the other would be catastrophic, and there is little doubt that it would have been. Traditional communications might be knocked out in a preemptive strike. Or perhaps super-secure communications would prove too complex and too slow to call off a nuclear strike once it was under way.

But the Internet had no security. In 1962, the Internet was an early-stage initiative at the Massachusetts Institute of Technology that was soon transferred to the Defense Advanced Research Projects Agency (DARPA). When the Internet came online in 1969, it was known as ARPANET, or the Advanced Research Projects Agency Network. It was the result of a private-public partnership, and perhaps one of the most telling. In those days, the Internet was four computers at four different universities. That these machines were unencumbered with security made the Internet the perfect vehicle for an emergency communication. Nothing had to be decoded or encrypted. It was brilliant in its simplicity. No suitcase with super-secret nuclear weapon launch codes always within reach of the president. Nothing to complicate or delay emergency communications with the other side. Just an immediate, simple, communication link between two heads of state when it mattered most. It was a digital lifeline, a communication link that could prevent the nuclear holocaust that all in their right mind feared. However, its simplicity was fleeting, and its accessibility has spiraled from perhaps a few dozen users to much of the world.

We have so far avoided global annihilation. The Internet has moved on. Ironically, its complete lack of security during the Cold War has led to the quest for continuously improved security.

Without a Bang

The meeting point between the nuclear age and the digital age arrived, fortunately, without a bang. But neither was the arrival heralded with a whimper; it was more like an alarm bell, a warning before the next storm. The technology trail was clear, especially in retrospect:

  • Information would multiply.
  • Computers would become more powerful, yet smaller, and more ubiquitous than anyone could have imagined.
  • They would hold increasingly large amounts of information.
  • The Internet would keep expanding, moving more and more information at faster and faster speeds.
  • Computers would also become less and less expensive.
  • More people would have more information stored on more computing devices.
  • Cyber security was slow to catch up—and still is.

The days of social media, mobile devices, and Internet everywhere and all of the time were still ahead of us. Of course, security failed to keep pace with the technology race. Many technologists believed that all information should be accessible to all, shared by anyone and everyone. Those who believed security was essential fell behind the curve that became the tsunami of the information age and the information superhighway. This led to companies and government adopting technology at a dizzying pace. The purchase of information technology was tied inextricably to increasing performance associated with creating, moving, and storing increasingly massive volumes of data. It was the evolving Big Data of yesterday. But like all tsunamis, one of two eventualities occurs: It either peters out or it crashes down on the inadequately prepared and the unaware, wreaking havoc.

Security, then, was an afterthought. This led to a problem: Technology adoption was based on issues other than the defense of information. There was a huge gap between performance and security as elements of consideration in the adoption and integration of technology. It seems hard to believe today, but it was true. Security got in the way.

We are witness to an information explosion. A lot of the information is in the form of e-mail. In May 2013, the web site the Culture-ist (www.thecultureist.com) posted some interesting statistics about the Internet and its use. Nearly two and a half billion people, or some 37.3 percent of the planet's population, use the Internet, approximately 70 percent of them on a daily basis. This translates into about 144 billion e-mails every day. But here's the problem: Nearly 70 percent of the e-mails are not to and from friends and business colleagues. These roughly 99 billion daily e-mails are spam (mostly advertisements) coming from around the world, many of them infected with viruses in an attempt to gain access to computers and compromise information integrity.

A Board Issue

This book is an attempt to raise the level of awareness about the cyber threat and what to do about it. The cyber threat is a board of directors' issue. Yet when some senior executives and board members hear the word “security” or “technology,” there's a disconnect. They think it's not their issue. Let the technology people deal with it. Let the security people deal with it. Although there is evidence that this perception is changing, we have a long way to go. The word “cyber,” they're starting to get.

For several years I had the opportunity to travel around the country, addressing information security officers in a number of cities. Over that period I met with perhaps a couple of thousand security professionals. From one city to the next, a common theme became apparent. In almost every venue, at the conclusion of a presentation there was the opportunity for these professionals to ask questions or make comments. The most consistent comment was something like this: “No one in upper management at my company seems to care about security. If I mention a security issue, they sort of roll their eyes and refer me to somebody else, usually somebody lower in the organization. What should I do?” Clearly, many of these professionals were looking for support. My recommendation was this: Internal audit and legal should always be interested in any security concerns. But that's not always the case.

Stephen Burns and David Marston of the National Security Institute have addressed the issue of how to get people interested in information security. “Here's an age-old security riddle: How do you get people in the workplace to pay attention to information security? Answer: Make it personal and tell them what's in it for them.” The question may then be asked: How do you get the board of directors and executive management interested in information security? The answer is much the same. Make it personal and tell them what's in it for them. Effectively managing risk is personal. Information security is personal. We don't always interpret it that way, but it is.

The chief information security officer (CISO), in tandem with others, will have to create this momentum, along with the general counsel, chief risk officers, and others. “The focus of information security and cyber risk management is heading in the right direction,” according to M. J. Vaidya, CISO for Americas at General Motors and an adjunct professor at New York University's School of Engineering. “The role of the CISO is clearly changing and growing,” he says. “The CISOs of today have to embrace ambiguity, focus on risk, build relationships throughout the organization, gather intelligence, and consistently innovate.”

The Cyber Frankenstein Cometh

Managing the cyber threat and resulting cyber risk results in increased competitiveness, enhanced value, the creation of exploitable opportunity, and economic advantage. The cyber threat is not unique. It is manageable; its impact can be mitigated. We have created the cyber Frankenstein monster of our day, but we can deal with it. What we cannot do is ignore it. We cannot pretend that it is “a technical thing,” as many do, and thereby relegate discussions of it to a technical team. Yes, it does involve technology, which scares a lot of people, among them nontechnical board members and senior management. We've got to move beyond that, and we've got to do it now. The message is getting out there, but not fast enough. The cyber threat is accelerating faster than we seem capable of managing it. But that's got to change.

We have identified this monster, this perfect storm. There's no going back. We know what all the elements of it look like. We know what powers it, and we know how it materializes and how it impacts organizations large and small, private and public, regulated and unregulated, foreign and domestic. Where we have perhaps failed is in our ability to organize against the threat, to organize our thinking about the consequences of inaction, to coordinate our defenses, and to invest in the ability to better manage and defeat the threat.

Managing information has been perceived as a productivity issue. In reality, managing information in a fashion that does not increase personal and institutional risk is the issue. We have placed our feet into the waters of a new wave of how information will be managed. It is subject to this perfect storm. How we engage the future of information management will be a principal determinant of how we will define success.

Information is value. Companies build value, which is based on the integrity of their information. Value defines success. Success builds the foundation for sustainability, and there is no sustainability without value. Sustainable value must be the wheel that turns the ship to face this perfect storm head-on. This requires managing cyber risk, and right now there's not much to brag about in how that risk is being managed.

Defining Success

I will consider this book a success if it brings boards and executive management one step closer to bridging the communications gulf that separates the defenders of information and the defenders of corporate value. Both groups are working toward the same conclusion. Independently they are working to sustain integrity. They just don't speak the same language and they take different paths, but not all paths are created equal. And in failing to speak the same language they fail to be adequately prepared to face the challenges that all of us face today and will continue to face well into the future.

A question that is often asked in executive social media forums is, “What do you say when the CEO asks, ‘Are we secure?’” Too often, the answer does not match the reality.
