CyberThreat_US is a new series from OhMyGov exploring the
urgent cybersecurity issues faced by the U.S. government. The series is brought
to you by Microsoft Government.
Learn more in Microsoft's whitepaper (pdf) Managing
Cyber Risk in the Face of Sophisticated Adversaries.
With the abundance of high-profile and potentially damaging cybersecurity failures — the Aurora breach, China's mysterious hijacking of Internet traffic, the powerful Stuxnet worm, and of course, Wikileaks — the year 2010 won't go down as the best one for cybersecurity. What's scarier, in the eyes of most experts, is that 2010 won't be the worst year we will see.
All signs, in fact, point to a growing appetite for cyber warfare among foreign adversaries, bad hackers and rogue actors within the U.S. government or industry. There is more data to get, more Internet-connected devices through which to get at it, and more people spending more time online... too often mindlessly clicking, typing and downloading.
To counter the growing cyber threat, the U.S. government and supporting industry experts have been busy beefing up the nation's defenses. This year, a new military command called CYBERCOM became operational under the auspices of National Security Agency Director General Keith Alexander. And a new agreement was inked between the Departments of Defense and Homeland Security on divvying up responsibility for protecting the nation's cyber assets. William J. Lynn, the deputy secretary of defense, took to the editorial pages and talk shows in the fall to alert a wider audience to the catastrophic threat posed by cyberwarfare.
Defense against computer-based intrusions is everyone's business, after all, because everyone is a potential target. While the defense, intelligence and IT leaders put large-scale cyberdefense plans and policies into practice, government and private-sector employees of all stripes can do small but important things to keep us all safer.
With this multi-tier approach to cybersecurity in mind, OhMyGov asked a variety of cyber experts to consider the year ahead — what they predict will happen, what they wish will happen, and what they resolve to do (and think we should all resolve) to help protect the nation against our digital adversaries.
Here's what they had to say...
PREDICTIONS FOR 2011
Prepare to see more and more personal smartphones in the office, along with all the associated perils, several of our experts predict. Even as agencies move more digital assets to the cloud, the vulnerabilities found within the office walls won't necessarily diminish, as attackers "follow the people" with ever-more-sophisticated traps set using social media, and employees bring their personal devices "within the security boundary." Those phones open up brand new vectors by which attacks can penetrate government and industry facilities. Collaboration won't go away, but with the only "wiki" on everyone's mind these days being Wikileaks, there will be an "increased focus on preventing information leakage through both accidental and intentional means." And unless new protections are put in place, and fast, at least one expert predicts "more disaffected Feds with access to secret/sensitive information" seeking out their own (anonymous?) glory by divulging data to Wikileaks or elsewhere.
Students will begin to understand the importance of
developing their online computer talents, especially as it relates to national
security and economic development.
— Congressman Jim Langevin, (D) Rhode Island, House
Cybersecurity Caucus Co-Chair
Cloud based protections will become the accepted way to
protect government agencies and enterprises from malware and intrusion.
— David Perry, global director of education for Trend Micro,
a computer antivirus software company
Personally-owned devices will start to be accepted into the
enterprise. This will further
de-perimeterize the network, as not only will the enterprise exchange internal
data with external systems, it will include partially or completely unmanaged
systems within the security boundary. This of course happens already, just
without CISO approval. Agencies
will find ways to make this work, much the same way that Cloud environments and
services have been made compliant.
— Ralph Broom, principal InfoSec engineer at Noblis, a nonprofit
science & technology organization serving the public sector
Cybersecurity will continue to be a major focus area for
organizations of all sizes in the public and private sectors in 2010 and will
likely see spending at an accelerated pace. In response to events that occurred
in 2010, protecting the nation’s critical infrastructure and key resources
(CIKR) will remain a key focus area. We will also see increased focus on
preventing information leakage through both accidental and intentional means.
The information leakage efforts will be connected to continuing efforts to
effectively and safely empower greater levels of collaboration across
organizations, while increasing telework solutions as the federal government
continues to drive more focus on the cost-savings and efficiency gains to be
found in strong telework programs.
— Steve White, cybersecurity architect for Microsoft Public
Sector Services' Cybersecurity Team.
A whole lot more disaffected Feds with access to
secret/sensitive information are going to echo the WikiLeaks event unless there
is an immediate crackdown on access controls on all mobile devices, iPads,
smartphones, USB, DVD, etc. from being allowed in and out of facilities.
— Winn Schwartau, information warfare expert, author, and
chairman of MobileActiveDefense.com
My prediction for 2011 is that more and more organizations
will move their database assets to the "cloud." Initially this will
be to private virtualized networks, but as the year progresses we will see more
and more assets moved to public cloud environments.
— Thom VanHorn, vice president of global marketing for
Application Security, Inc.
Despite efforts through education, regulation and
pontification by various persons, I predict that 2011 will see more data
breaches than ever.
— Jon McDowall, co-founder of the Center for Information
Attacks will follow the people. As social media and mobile
computing continue to play a larger role in our networked environment, problems
seen in these areas will continue to rise. We should expect to see more
vulnerabilities in both areas, and we should expect to see hackers take
advantage of those vulnerabilities. We will see dedicated attacks making their
way across social media, including unpleasant software, and improper
"click-throughs." We will see more fake people, fake profiles, and
falsified ratings, but probably not enough to shake faith in the trust of
social media…. Smart devices will get hit. Hard…. The caution is to not rely on
the security inherent in these devices, and to continue to protect your
valuable data, regardless of where it is located.
— Jon-Louis Heimerl, director of strategic security for
RESOLUTIONS FOR 2011
Everyone agrees that action is needed. But what exactly can be done to improve the cyberdefense posture? We hoped to get a variety of New Year's resolutions from our panel, ranging from what Congressional and agency leaders must do to what any employee at his or her desk can reasonably do. Indeed, we received a range of inspiring resolutions, some personal, others shared...
I resolve to… Work with my colleagues through the bipartisan
House Cybersecurity Caucus to keep cybersecurity a top national security
priority for the 112th Congress. [And] Continue oversight of the new Cyber
Command at the Defense Department as they continue to grow and support our
troops online and overseas.
— Congressman Jim Langevin, D-Rhode Island
I resolve to… Continue in my commitment to end user
education. Meaningful user
education is the most viable means I’ve found of limiting data leakage,
unintentionally unleashing malware and the host of ails that accompany these
— Jon McDowall, Center
for Information Security Awareness
We should all resolve to… Continue to focus on teaching the
organizations we work with about the security management life cycle — the
continuum of “protect, detect, respond, and recover” that is helping
organizations anticipate dangers, neutralize and limit the impact of those
dangers, and react quickly and effectively in the event of an incident.
— Steve White, Microsoft Public Sector Services' Cybersecurity Team
I resolve to… Change my passwords every 90 days.
— David Perry, Trend Micro
We should all resolve to… Operationalize all customer
compliance activities. Whenever I hear a client talk of “checkboxes” we will
look hard at those activities and adjust them so that in addition to meeting requirements,
they enable or enhance the security operations of the system. This must include security metrics to
measure the effectiveness of the controls. While there is typically no ROI for security, the proper
metrics can show performance and effectiveness, enabling cost/benefit
— Ralph Broom, Noblis
I resolve to… Provide a data security solution that is easy,
effective, and low cost for clients to implement and manage.
— Rob Fitzgerald, president of digital
forensics company Lorenzi Group
We should all resolve to… Begin instituting a cyber policy
of Graceful Degradation. Our systems are designed and implemented in a binary
form, such that we are often forced to shut down or lose services across too
many networks. Designing in Graceful Degradation will allow us, when under
attack or other cyber event, to disconnect and isolate mission critical and
designated systems, to maintain some operational capabilities while we
initiate remediation processes.
— Winn Schwartau, information warfare expert
We should all resolve to… Make database security a priority.
There are a lot of simple things that can significantly improve security
posture. Let's resolve to eliminate default, weak, and easily guessed passwords
— and to eliminate database misconfigurations. Once we've done that, we can
move on to establishing proper separation of duties controls and implementing
real-time database activity monitoring.
— Thom VanHorn, Application Security, Inc.
WISHES FOR 2011
Last but not least, we gave our experts the opportunity to do a little wishful thinking, or dreaming aloud, by sharing one wish for how government and industry will respond to the cyber threat in 2011.
I wish… 2011 is the year we turn the corner on
— David Perry,
I wish… Industry and government [will] recognize and
acknowledge the magnitude of the cybersecurity challenge and proceed
expeditiously to create a fully functioning joint, integrated public/private operational
capability to improve detection, prevention, mitigation, and response to cyber
— Bob Dix, vice president
for U.S. government and critical infrastructure protection for Juniper
I wish… Vendors, network operators and customers move to
secure communications protocols, and deep-packet inspection is replaced with
flow analysis and logging. Far too
much traffic happens over unencrypted sessions, and few monitor who is
accessing what data. Encrypting
everything from IM to web sites helps protect data when users are away from the
enterprise. Moving IDS functions
to the endpoint or using man-in-the-middle techniques at enterprise gateways
still enables content inspection where required.
— Ralph Broom, Noblis
I wish… Government agencies would begin to focus on
countering the cybersecurity threat using a risk-management based approach with
a focus on reducing the cyber adversary’s ROI. They would start with a risk assessment so they can
focus on improving the most critical risks in their ecosystem. After assessing the risk, they would
then take a lifecycle approach to improving their cybersecurity posture. Using this lifecycle approach, they
would include the fundamental building blocks of a solid cybersecurity strategy
and reexamine their current plans to make sure these basics are included. Often
agencies are after the “silver bullet” or the latest and greatest security
technology that will eliminate the risk of a cyber attack in one fell swoop.…
Government agencies need to take a look at their foundations and make sure
there are no cracks in the security landscape.
— Steve White, Microsoft Public Sector Services'
I wish… Cyber security experts would stop scaring clients
and instead work with clients to understand the issues at the clients' level so that proper solutions can be implemented.
— Rob Fitzgerald, president of digital forensics company Lorenzi Group
I wish… We would properly vet people with “access.” We need
to implement Industrial Psychological Profiling with a cyber-view. We need to
know personal and professional stress points, allegiances, proclivities, and
belief systems before we hand people the “keys to the cyber-kingdom.”
— Winn Schwartau, information warfare
I wish… Database security will get the attention it
deserves. Too many organizations think that they can put up a firewall and it
will keep their sensitive data safe. Database hacks in 2010 have proven that
firewalls aren't enough. Organizations need to secure the data in the database
where it lives.
— Thom VanHorn,
Application Security, Inc.
I wish… That those with bully pulpits to increase computer-
and internet-related best practices would use those pulpits and would lead by
example, practicing what they’re preaching.
— Jon McDowall, Center for Information Security Awareness
I wish… [Congress will] pass H.R. 6531 to implement stronger
protections for our nation’s power grids, water supply, and other critical
infrastructure to keep us safe and secure.
— Congressman Jim Langevin, D-Rhode
We wish that reason prevails over fear, politicking and turf wars in 2010, so that government agencies and elected officials can quickly put in place the needed policies, people and technology to reduce our vulnerability to a very real threat.
(with reporting by Tricia Martin)