Cyber threats, and agency costs, expected to climb in 2013
McAfee warns: New adversaries aim 'not to annoy you but to cripple you.'
Cyber threats grew exponentially in recent years, a trend that will likely continue in 2013. And that, cybersecurity experts say, could spell trouble for cash-strapped agencies.
Top concerns in 2013 include larger-scale attacks that seek to destroy rather than disrupt, vulnerabilities introduced by new and disruptive technologies (including mobile), and an evolving adversary that may be politically extreme, supported by nation-states or driven by a cyber-weapons “black market.”
“Cyber criminals and hacktivists will strengthen and evolve the techniques and tools they use to assault our privacy, bank accounts, mobile devices, businesses, organizations and homes,” a new 2013 threat prediction report from McAfee states.
Defense Secretary Leon Panetta has on several occasions warned of cyber attacks that will escalate from disruptive – such as denial of access – to destructive, which was illustrated last year by attacks on the Saudi state oil company that corrupted 30,000 computers. According to the McAfee report, this acceleration already is occurring.
“What we’re finding is consistent with what Panetta has talked about ... a shift where adversary intends not to annoy you but to cripple you,” said Tom Conway, McAfee director of federal business development. “We’ve been predicting for years that attacks would become more destructive to operations. People may be surprised by how fast that’s happening.”
And it is happening as government leadership, like it or not, works to figure out how to embrace the technologies that are part of everyday life outside federal offices. Mobile is one of the biggest factors, but even upgrades in software and operating systems are subject to cyber threats that continue to advance.
“We see trends building – mobile is becoming more of a threat because people are using it more as their predominant end point. HTML5 is the next generation of the web; it has a lot of great features, but a great feature in wrong hands can be dangerous,” Conway said. “A lot of government agencies, especially the military, are moving to Windows 8. Microsoft increasingly does a better job, but bad guys will always find a way in ... it’s always a cat-and-mouse game.”
According to a recent report from the Business Roundtable, government systems and users increasingly are being targeted. Furthermore, the government does not do itself any favors with the current system for addressing information security, the report noted.
“Cybersecurity threats from well-financed and motivated adversaries have the potential to disrupt critical services ... threats are increasingly targeting core functions of the government, economy and U.S. national security infrastructure,” the report stated. “However, instead of focusing on information sharing and collaborative risk management, government proposals misdirect scarce public and private-sector resources to compliance-based, check-the-box models.”
To add to that, the government – particularly in the current fiscal climate – can be slow to upgrade, resulting in an IT environment with varying iterations of systems and software that is more difficult to secure, Conway pointed out.
“The government doesn’t upgrade all at once, so there’s a huge variety of really old, semi -modern and new, like Windows 8," he said. "It’s a huge scale issue and complexity issue because it takes long time to upgrade. There are always multiple environments, and that’s harder to defend than a homogeneous environment.”
So what can government agencies do to boost security amid growing threats and shrinking resources? Both Conway and the BRT report highlighted the importance of information-sharing and risk management, which will require, at least in part, changes to current policies.
“The single most important element of an effective cybersecurity policy is information sharing,” the BRT report notes, stressing the need for public-private partnership. “Effective information sharing is not only an exchange of threat information but also a robust set of trusted, well-structured and regularized policies and processes among the U.S. government, international allies and private-sector entities. Effective information sharing includes the two-way exchange of alerts, response actions, situational awareness and mitigation analysis.”
Conway said that information-sharing must go beyond just person-to-person, to faster machine-to-machine exchanges that keep pace with cyber threats and allow for better continuous monitoring. Agencies with scant resources need to take full advantage of what is already available to them, and managers must fully weigh the risks and benefits, he added.
“In a tough budget environment, agencies need to get every ounce of capabilities out of their portfolio. The government can do a better job of getting more out of what they own,” Conway said. “That means not buying new stuff, better training ... and don’t just willy-nilly introduce new technologies into the enterprise without serious consideration of the vulnerability you’re introducing. You have to do the risk management. CIOs have to make balanced decisions and go in with eyes wide open and understand the effects on their security posture.”