Cybersecurity: Building an arsenal to defend against invisible enemies
Note: This is an updated version of the original article that was first posted in June 2015.
With the proliferation of interconnected devices and virtually anything of import accessible from the internet, the threat from cyberattacks is ever present. What cybersecurity strategies do global companies and governments need to adopt to protect themselves?
In a recent high-profile security breach, stunning in its calculated scale and audacity, the US government revealed in June 2015 that sensitive information had been stolen in not one but two separate rounds of cyberattacks—breaches that officials say involve restricted data pertaining to millions of federal employees as well as intelligence and military personnel.
The two hacks occurred at the Office of Personnel Management (OPM). One cyberattack targeted a federal personnel database that contained information on at least 4 million past and present employees, with some officials suggesting the number could go as high as 14 million. The second breach infiltrated a security-clearance database, which authorities now fear could compromise employees working at the CIA, National Security Agency, and military special operations.
Taken together, the cyberattacks—attributed by US officials to the Chinese, a charge Beijing denies—are the largest security ruptures ever suffered by Washington. In both cases, the incursions revealed catastrophic lapses by the OPM for failing to take basic steps to secure its computer networks.
The OPM assault follows in the wake of a spate of cybersecurity breaches in the corporate world—much-publicized events that shamed and hurt giants like JP Morgan Chase, Target, Sony (see sidebar 1 at the end of the story), and health insurer Anthem (see sidebar 2). Given the increasing frequency and virulence of cyberattacks, at no time has there been greater attention paid to cybersecurity—or to the damaging fallout that can ensue from neglecting it.
Broad and expansive in its reach, cybersecurity encompasses tools, policies, security concepts, best practices, and technologies—all of which can be deployed in concert to protect both the data and the physical infrastructure forming an organization’s assets. Against a backdrop of persistent and unrelenting threats in cyberspace, cybersecurity’s mandate is to defend and secure an organization’s assets to ensure their continued availability, integrity, and confidentiality.
The industrial cybersecurity market remains small at present—just $589 million was spent worldwide in 2013 on industrial cybersecurity systems (see sidebar 3), a small subset of the entire cybersecurity market. However, the potential for growth is significant, especially as the world begins to craft coherent cybersecurity strategies to combat increasingly dangerous cyberattacks. Overall, the global cybersecurity market is estimated at $80 billion in 2015, rising to more than $140 billion by 2019.
Cyberthreats and emerging technologies
Cyberattacks are increasingly sophisticated as their destructive incursions seek new ways to breach security and inflict damage. In an age of increasingly porous digital borders, three areas pose grave challenges in the cybersecurity wars:
- The all-things-connected phenomenon known as the Internet of Things (IoT)
- Cloud computing, the on-demand delivery of computing and data storage over the internet
- The continuous churn of enormous amounts of information being gathered and sifted for specific purposes, otherwise known as Big Data
The Internet of Things
In the coming years, billions of new devices ranging from cars to household appliances will be fitted with computer chips that enable interconnectivity with the internet. Experts estimate there will be nearly 50 billion connected devices by 2020, with an average of more than six connected devices per person. This is the vast universe making up the IoT, and the interconnected nature of such a massive system significantly raises cybersecurity risk. Because many IoT devices are designed for connectivity first, with security as an afterthought, they are vulnerable to malware. Each device is a potential portal through which an attacker can gain entry and then move laterally to everything it is connected to.
In the IoT universe, cyberattacks can hit anywhere. No industry is exempt, including banks and financial institutions; healthcare and medical facilities; utilities and critical infrastructure; oil and gas refineries and chemical plants; insurance carriers; retail and consumer data; automotive and connected cars; and telecommunications and satellites.
Cloud computing
Cloud computing enables convenient, on-demand access for individuals and businesses to a shared pool of computing resources, including networks, servers, data storage, and applications. However, these very advantages make it an attractive target for cyberattacks. Concentrating many customers’ data and workloads on shared infrastructure means that a single successful intrusion can affect many organizations at once, whereas an attack on a stand-alone system is contained to that system.
The finance industry is especially exposed to the inherent threats of cloud computing. Trading brokerages, banks, and credit unions all highlight their 24/7 online availability for consumers to check their accounts, conduct transactions, and monitor financial activity as key selling features. Yet this type of ubiquitous access, heavily reliant on cloud computing, widens the attack surface that must be defended.
Big Data
Big Data exploits the massive reams of data flowing over the internet—driven in large part by the growth in social media apps and mobile devices—to identify underlying patterns and trends. From a corporate security perspective, Big Data allows companies to observe the larger threat picture against the enterprise, incorporating internal and external threats alike. By pooling internal data and relevant outside information (such as threat-intelligence feeds) to correlate high-priority alerts across monitoring systems, companies can cut down on the white noise and false alerts endemic to existing monitoring tools.
For these reasons, Big Data is not so much another vulnerability as a tantalizing new opportunity for corporate players to take proactive measures against cyberthreats. A Big Data paradigm can efficiently log information, events, and activities occurring within a preselected tracking environment; consolidate the data in a central location; and then use advanced analytics to help identify patterns that no individual monitor can detect on its own, in the process creating a holistic picture for analyzing and investigating security-related issues.
One potential concern, however, for the broader application of Big Data is the scarcity of data scientists specializing in security. In many cases, organizations will need to engage third parties to compensate for the lack of in-house expertise.
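The correlation idea above is easiest to see in code. The following example is added here and is not IHS code or any product's logic; it uses a constructed set of log lines from three hypothetical monitors (an authentication log, an endpoint agent, and a firewall) for made-up hosts, users and addresses, plus a stand-in for an external threat-intelligence feed. Taken individually, every failed login, new process and outbound connection is a low-value signal; consolidated per host and lined up in time, only two of them become alerts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical hosts, users and addresses), one line per
# event: timestamp, source monitor, host, user, event kind, optional detail.
SAMPLE_LOGS = """
2015-06-01T09:00:01 auth ws-17 jdoe login_failed
2015-06-01T09:00:04 auth ws-17 jdoe login_failed
2015-06-01T09:00:07 auth ws-17 jdoe login_failed
2015-06-01T09:00:09 auth ws-17 jdoe login_failed
2015-06-01T09:00:12 auth ws-17 jdoe login_failed
2015-06-01T09:00:15 auth ws-17 jdoe login_success
2015-06-01T09:01:40 endpoint ws-17 jdoe process_start powershell.exe
2015-06-01T09:02:05 firewall ws-17 jdoe outbound_connect 203.0.113.45:443
2015-06-01T09:30:00 auth ws-22 asmith login_failed
2015-06-01T09:30:30 auth ws-22 asmith login_success
2015-06-01T11:00:00 firewall ws-09 bwong outbound_connect 203.0.113.45:443
"""

# Constructed stand-in for an external threat-intelligence feed.
KNOWN_BAD_IPS = {"203.0.113.45"}

FAILED_LOGIN_THRESHOLD = 5          # failures before a success that count as brute force
WINDOW = timedelta(minutes=10)      # correlation window on either side of the login


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    user: str
    kind: str
    detail: str


def parse_logs(text: str) -> list:
    """Parse the flat log format above into time-ordered Event records."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=5)
        ts, source, host, user, kind = parts[:5]
        detail = parts[5] if len(parts) > 5 else ""
        events.append(Event(datetime.fromisoformat(ts), source, host, user, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def raw_signal_count(events: list) -> int:
    """How many alerts isolated per-source monitors would raise: every failed
    login, new process and outbound connection is a signal on its own."""
    noisy = {"login_failed", "process_start", "outbound_connect"}
    return sum(1 for e in events if e.kind in noisy)


def correlate(events: list) -> list:
    """Consolidate all sources per host and emit (host, priority, reason) alerts
    only where events from different monitors line up in time."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    alerts = []
    for host, evs in by_host.items():
        chained = False
        for i, e in enumerate(evs):
            if e.kind != "login_success":
                continue
            # Look back: a burst of failures by the same user ending in success.
            fails = sum(1 for f in evs[:i]
                        if f.kind == "login_failed" and f.user == e.user
                        and f.ts >= e.ts - WINDOW)
            if fails < FAILED_LOGIN_THRESHOLD:
                continue
            # Look forward: did a new process and an outbound connection follow?
            follow = [f for f in evs[i + 1:] if f.ts <= e.ts + WINDOW]
            procs = [f for f in follow if f.kind == "process_start"]
            conns = [f for f in follow if f.kind == "outbound_connect"]
            if procs and conns:
                to_bad = any(c.detail.split(":")[0] in KNOWN_BAD_IPS for c in conns)
                priority = "high" if to_bad else "medium"
                alerts.append((host, priority,
                               f"{fails} failed logins then success, {procs[0].detail} "
                               f"started, outbound to {conns[0].detail}"))
                chained = True
        if not chained:
            # No attack chain, but external intel alone still promotes a plain
            # outbound connection to a known-bad address.
            for c in evs:
                if c.kind == "outbound_connect" and c.detail.split(":")[0] in KNOWN_BAD_IPS:
                    alerts.append((host, "medium", f"outbound to known-bad {c.detail}"))
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(f"{raw_signal_count(evs)} raw signals from isolated monitors")
    for host, prio, why in correlate(evs):
        print(f"[{prio}] {host}: {why}")
```

On the sample input the isolated monitors would raise nine signals; the correlated view raises two, and ranks the workstation that showed the full chain (brute-forced login, new process, connection to a known-bad address) above the one that merely talked to that address. The thresholds and window are illustrative; in practice they are tuned against an organization's own baseline.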
Cyber warfare and the defense sector
As governments around the world awaken to the impact of cybersecurity breaches, a primary focus remains the prevention of cyberattacks from being deployed as an instrument of warfare by both state and non-state adversaries. Indeed, a quick glance at national defense spending over the past decade bears out the growing investment by governments in cybersecurity.
In the United States alone, spending on cybersecurity at civilian and military agencies will reach nearly $14 billion in the current fiscal year (FY), which includes $5.1 billion for the Pentagon to invest in cyberspace operations. These outlays represent increases over last year’s funding, in an environment that witnessed a general decline in federal spending.
President Obama’s FY2016 budget proposal will increase information technology (IT) spending by $2.25 billion. Total outlays are $86.4 billion, with $49.1 billion in civilian-agency IT spending and $37.3 billion going to defense IT.
Cybersecurity funding as a subset of that overarching IT budget is $14 billion, according to the political website The Hill, representing a $1 billion increase from FY2015 and accounting for 44% of the overall IT increase from last year.
The Department of Defense’s budget allocates $5.5 billion to cyberspace operations in FY 2016, up from $5.1 billion in FY 2015. This funding supports both defensive (cybersecurity) and offensive (cyberattack) cyberspace operations, as well as the development of the US Cyber Command’s Cyber Mission Forces.
None of this is lost on the business world. Witness the growing number of mergers and acquisitions over the past few years, with larger and more established corporate players buying smaller IT firms, especially those with cybersecurity skills. Examples of such corporate deal-making include the acquisition of Mandiant by FireEye; Urgentis Digital Crisis Solutions by Deloitte; Blackbird Technologies by Raytheon; and SilverSky by BAE Systems.
The Obama administration has not only acknowledged the presence of offensively focused teams at the strategic and operational levels, it has also implied the use of such capabilities at the tactical level. Perhaps more significant, active training and military exercises in offensive operations have now become the norm, along with the creation of stand-alone cyberforce organizations, nurturing a new generation of digitally savvy cyber warriors. For instance, the US Army recently established a cyber branch for officers on the same level as traditional infantry or armor specialties.
This growing embrace of holistic cyber capabilities, which integrates defensive attributes with offensive missions in a proactive fashion, is not the only new force shaping cyberspace operations in the defense sector. As national defense increasingly embraces the necessity of investments in cyber programs and personnel, other key trends include the following:
- Infrastructure. Protecting the industrial control systems that run key elements of critical infrastructure will grow in importance. These include SCADA (Supervisory Control and Data Acquisition) systems, which supervise and control physical processes across multiple sites. A successful attack against such a system can shut down, destroy, or manipulate the physical process it controls. Imagine cyberattacks taking power grids offline, leaving air-traffic controllers blind after their systems fail, or shutting down a municipal water system. As the threat magnitude grows, so too will research and development into cyber-defense applications to produce more robust defenses.
- Self-repair. A greater emphasis is anticipated on real-time continuous monitoring and mitigation to defend against persistent threats, gradually replacing the traditional “react and patch” approach and enabling greater automation and self-awareness in cyber-defense applications. Technological advances will usher in more prominent self-repairing network attributes. These capabilities—monitoring, mitigating, and self-repairing—will pave the way for a resilient network ecosystem that until now has existed only in the conceptual and research realms.
- Compliance. From a tactical perspective, network cybersecurity needs will grow as the military becomes fully networked. These networks must be secured, and for the US military this means complying with information assurance accreditation and certification requirements. Cybersecurity opportunities will increase accordingly, as seen in the recent US information security contract awards for the Virginia-class submarine and F-35 fighter.
- Collaboration. The international cybersecurity market will experience significant growth. Rapid evolution is already occurring at the nation-state level, ranging from the routine establishment of national cyber emergency response teams, to the development of cyber forces with potential offensive capabilities. Bilateral and regional cooperation, both in the investment of resources and shared training, is beginning to accelerate. Industry is also joining in, with the establishment of overseas centers of excellence and growing mergers-and-acquisitions activity.
The way forward
Cyberattacks have become a permanent and pervasive peril to governments and businesses alike, and managing the risks must become a priority. But understanding the challenges and implementing appropriate strategies for the long term require resources and expertise. The threats are evolving, as are the tools and technologies. To manage the emerging risks successfully, it’s useful to keep three things in mind:
Cybersecurity is a corporate imperative. Every major entity, whether governmental or corporate, is a likely target. Complete security is impossible, but leaders must remain ever vigilant and employ all available means to defend against the threats. Consequently, cybersecurity is a C-suite, senior management issue, and must be incorporated into strategic planning with risk mitigation explicitly addressed as well as routinely reviewed and updated.
Government and industry must enhance their collaboration in identifying, assessing, and responding to cyberthreats. The time for siloed approaches to defense and deterrence has passed. The Obama administration has been working with key members of Congress on legislation that would encourage greater information sharing on cyberthreats, in part by providing liability protection for firms that share sensitive information, which should form part of a multi-pronged response. Understandably, companies are hesitant to divulge or share information for fear of public exposure on the true extent of a cyberattack, so a means must be found to surmount this obstacle.
Finally, cybersecurity is too important to be left to technology or security specialists alone. Because cyberattacks can go through any portal or user, everyone—from CEOs to front-line workers—should be mindful of appropriate cybersecurity best practices and recognize the danger from breaches. In particular, corporate leaders must understand that cybersecurity is just as important as product development, earnings reports, and future growth plans. The spate of data breaches against high-profile US entities has shown the reputational damage that can be inflicted by a cyberattack. Indeed, a company’s ability to successfully manage myriad cybersecurity risks could determine how well it is able to navigate and succeed—or flounder and stumble badly—in this new, more dangerous age.
Thomas Lynch is research director, critical communications, IHS Technology; Dennis Murphy is senior analyst, cyberspace operations for IHS Aerospace, Defense & Security; and Christoforos Papachristou is analyst, cybersecurity, IHS Technology.
Sidebar 1: A cautionary tale: Sony’s embarrassing hack and public shaming
In an unprecedented attack that grabbed headlines and made lurid tabloid fodder, Sony Pictures Entertainment in November 2014 was forced to take its computer networks and systems offline for an extended period after being hacked in spectacular fashion.
Instead of appropriating sensitive data for cyber espionage or financial exploitation, the hackers instead sought to bring the company to its knees by effectively obstructing Sony from carrying out daily operations and by destroying valuable corporate property. Malware deployed in the attack essentially wiped clean significant portions of key databases.
The key lesson here is that businesses must invest more in network security and develop an emergency response plan before an attack occurs. Sony appeared flat-footed in the initial days following the first data breach, and did not have an effective crisis-response plan in place to reassure employees and communicate with the broader public, including the press. Just as companies set contingency plans for other forms of crisis management, protocols for a formal response after a cyberattack should be put in place.
The nature of the Sony attack also led many to believe it was carried out with some assistance from company insiders, highlighting again the importance of background checks on those with access to key networks and databases.
The other major takeaway is that everyone must be careful about what they put on a computer screen, no matter how seemingly safe or private. The most far-reaching damage to Sony may have involved the publication of private email exchanges between senior executives disparaging key figures in Hollywood, including prominent film stars. That old adage, of never including in an email anything that one wouldn’t want to be made public, rings truer than ever. – Thomas Lynch
Sidebar 2: The Anthem hack: A new approach proves highly destructive
In February, a major cyberattack targeted Anthem Inc., the second-largest health insurer in the United States, with hackers breaching a key IT system and stealing the personal data of current as well as former customers and employees.
The attack affected approximately 80 million people—nearly one in five Americans. Not the first cyberattack suffered by Anthem, this one was particularly worrisome in its acquisition of Social Security numbers (SSNs), since SSNs can be used to perpetrate other forms of identity theft. Unlike other personal information, SSNs cannot be changed, so the repercussions are severe and long-lasting.
Medical data is more valuable to cybercriminals than traditional financial data, and stolen SSNs fetch a higher price on the black market than filched credit-card numbers. In the wake of the Anthem breach, the healthcare industry as a whole should thoroughly audit the data it holds on customers, determine who has access rights to that data, and explore whether steps like encryption can enhance security.
Data encryption adds cost and can still be bypassed if an attacker obtains the keys or compromises an account that is authorized to decrypt the data, but combined with sound access controls and an up-to-date data-security infrastructure it can be highly effective at securing organizational assets against many common attacks.
State-sponsored Chinese hackers were the likely culprits in the Anthem case, but the identity of the hackers may not matter much in the end, because all firms must take steps to safeguard their data regardless of the source of attack.
The Anthem incursion highlighted a new cyberattack approach, moving from a traditional focus on financial institutions to less protected sectors like healthcare, with a treasure trove of data ripe for stealing. And unlike stolen credit and debit cards, which can be canceled immediately with minimal damage to consumers, medical identity theft often goes unnoticed for months or even years, giving criminals the luxury of time to exploit purloined identities under the radar. – Christoforos Papachristou
Sidebar 3: Industrial cybersecurity presses its case to safeguard manufacturing environments
Industrial cybersecurity involves the protection of embedded industrial systems from espionage and sabotage, an increasing concern amid growing tension and uncertainty around the world. But in spite of continued growth, the market is small at the moment: The $589 million spent on industrial cybersecurity in 2013—the latest year for which full figures are available—was equivalent to less than 1% of the total industrial automation equipment trade of $170 billion.
The market is also extremely immature, with more than 160 vendors vying in the space and offering a variety of hardware, software, and services.
Growth over the next few years is expected to be good but not spectacular, posting a compound annual growth rate of 12% from 2013 to 2019. By 2019, industrial cybersecurity revenue will reach an estimated $1.2 billion, or slightly more than double the 2013 level. North America and Europe are the largest markets, with the two regions combined accounting for nearly 60% of total industry sales.
Services made up the largest share of the industrial cybersecurity market in 2013 in terms of product type, with $240.3 million or 41%. Software was next with $216.7 million or 37%, followed by hardware with $132.1 million or 22%.
Overall, the industrial cybersecurity landscape will continue to be sustained by the high number of legacy systems that need securing.
Over the next 10 to 15 years, demand for on-top or add-on industrial cybersecurity hardware, software, and services is likely to decrease, as security is built into new industrial equipment and fewer compensating controls are required to safeguard assets that are already secure by design.
In particular, IEC 62443, a cybersecurity standard for industrial automation and control systems, is gaining support among industrial asset owners and vendors alike. It specifies security requirements for the products, the integrators, and the operators of such systems rather than relying on bolt-on controls, and addresses weaknesses that were long thought to compromise the integrity of these systems.
Toby Colquhoun, Senior Analyst, Discrete & Process Automation, IHS Technology