5 Questions on Critical Infrastructure with Larry Clinton
Larry Clinton, CEO/President, Internet Security Alliance, tells Qatalyst Global about his thoughts on the state of cyber security in Critical Infrastructure.
What three Cyber Security trends do you see happening within Critical Infrastructure?
The first trend that I see is that the Cyber Security system itself is becoming technically weaker due to the expansion of the system and the explosion in mobile devices.
The fact is, the attack community is using its enormous profits to reimburse its business. They are going back to the core protocols that the internet was built on in the 70s and 80s, which was built on an unsecure system to begin with, and attacking the core vulnerabilities, in addition to finding new vulnerabilities to exploit. The system itself is actually getting technologically weaker.
While the system is getting weaker, the attack community is getting better at its job and becoming much more sophisticated. 8-10 years ago analysts coined the term ‘APT’ – Advanced Persistent Threat. These were the sort of attacks seen largely between Nation States and the Defence Sectors and are very sophisticated. They have multiple levels of reconnaissance, targeting specific people and networks using cyber malware. This malware would use unique ways of getting into your system that would be different to getting into mine, and it would keep coming at you over and over again. These very sophisticated attacks were able to compromise the traditional security systems like firewalls, passwords and sophisticated intrusion systems. We saw these types of attacks in government systems etc., but now we are seeing them everywhere.
The same sort of APT attacks are now commonplace; we see them against manufacturing communities, against the educational systems, agriculture etc. APT now stands for the AVERAGE Persistent Threat, rather than Advanced.
We are seeing that all the economics of cyber security favour the attackers because attacks are comparatively cheap and easy to access. The business model that the attacker uses is a highly efficient model; they can use the same attack methods over and over again with very little personnel. Many of these attacks are done by organised criminals. These criminals used to spend more on drugs, and drugs are a hard business: undependable workforce, growing the produce etc., whereas now it is extremely easy to essentially set up a boiler room operation in Bulgaria and attack millions of businesses from there. They have a cheap, easy, highly profitable and great business model. Compare that to the defence side: we are almost inherently a generation behind the attacker. We have to see how they are attacking us before we can build a defence.
It’s really hard to show ROI for things that are prevented, so we’re not investing as much as we need to. We really don’t know where to invest in these things. We also have virtually no law enforcement; we’ve successfully prosecuted maybe 1 or 2% of cyber criminals.
Is the Industry prepared to handle these trends? Or is this a serious issue that needs to be addressed?
I would say the industry is making some progress. For example, a couple of years ago the National Association of Corporate Directors, in conjunction with ISA, developed a handbook on cyber security for corporate boards. We approached cyber security not from an IT perspective, I’m talking intrusions and standards and IT issues, but instead we focused on cyber security in the way a board member would understand. For instance, we focused on mergers, acquisitions, innovation and new product development. By putting cyber in that context we have been better able to reach corporate boards. Last year PwC did an analysis of that programme and found that it had led to a tremendous increase in board involvement in cyber security. This has resulted in a 24% increase in corporate spending on cyber security, resulting in better risk management, better alignment of cyber security with business goals and creating a culture of security within an organization, in addition to improving communication.
Corporations are definitely moving in the right direction, which is a good thing, but the problem is that not enough is being done, so while we are making some progress, it’s frankly not enough.
Another problem is that the government has not really stepped up and understood the problem well enough, or responded aggressively enough. They’ve done a couple of things and that’s good, but for the most part government is still understanding cyber security as an IT issue. It’s not an IT issue; it’s an enterprise-wide risk management issue that deals with things beyond IT. Government is throwing IT at the problem and that’s not the right approach. For example, they’re not providing enough investment in cyber security. We have a cybercrime problem with an estimated range costing us between half a trillion and a whole trillion dollars a year in lost intellectual property, business processes and competitiveness etc. The Federal Government is spending $9 billion on defence; that’s $9 billion facing maybe a trillion-dollar problem, and it’s just not nearly enough. Of course the Government’s own systems are obviously not being properly secured, as we well know. So I think while there are steps being taken in the right direction, we really need to pick up the pace.
Expanding on what you have just said, from your experience at Internet Security Alliance, do you think it has become accepted that Cyber Security is no longer just an IT issue, but an issue for a company as a whole within the manufacturing industry?
What we’re finding, and this is largely through our work with the National Association of Corporate Directors, is that there is a set of principles that the private sector is slowly moving towards. One is that yes, this is not just an IT issue, but an enterprise-wide risk management issue. It is also a recognition from the corporate boards that their senior management needs to have a cyber security framework in place. It must also be a proactive cyber security framework, not just what to do when we’re breached. It has to be how we prevent breaches taking place, because it’s more than just having firewalls and passwords; it’s educating employees, it’s having a contract with your vendors, suppliers and your customers, assuring that there’s adequate security when your systems interact.
It’s also identifying what your cyber risks are and identifying which ones you need to accept; there’s a certain amount of risk that is inherent in business, some you can mitigate through various mechanisms, and others you can transfer through insurance.
You need a sophisticated cyber risk management programme, and I think when this is coming down from the boards to senior management and is being coupled with investment, then we’re actually seeing corporate structures change. For instance, a few years ago cyber security was generally in the hands of a CIO. Now there has been a tremendous evolution whereby cyber security is being dealt with by a specialist in cyber security, such as the development of CISOs. We see CISOs as being part of an enterprise-wide risk management team.
The most common vulnerability, however, is not the technology but the people – badly trained people, lazy people, corrupted people etc. To avoid these attacks, the system is not the problem; the people operating the system are the problem. It is very, very important that human resources be brought into the cyber security discussion.
As I said previously, a lot of the other attacks come not because a corporation’s own system is vulnerable, but because the system of somebody they’re interconnected with is. So for example, Target actually had pretty good security, but they were compromised because the AVC vendor that they had didn’t have good security. So the attacker attacked the AVC company and those interconnected got hit. The legal people need to make sure that the agreements between companies regarding security are sound. This is what I mean by enterprise-wide: it’s not just an IT issue, it’s the board, the legal, the HR and the marketing department. All these people need to be brought in together, and we’re seeing trends moving in that direction.
That’s what we’re starting to see. Again we’re only really seeing that on the enterprise side, we’re really not seeing that so much on the government side.
You are moderating the opening panel at the MANUSEC USA Summit in October on the topic: ‘You Are Only as Strong as Your Weakest Link’. If there is only one key point that you would like the audience to take away from your presentation, what would that be and why?
I think the one key point really is that this is not an IT problem; it’s an enterprise-wide risk management problem. You can’t solve it just with IT. It has an IT component to it, but you need a full system response to cyber security. This involves all those other portions of the organisation, and it needs to be proactive; it can’t just be reactive.
We’ve got to be out there looking at our systems and seeing where we are vulnerable, who might want to attack us and how might they attack us. From there we must have a good incident response plan in place.
You can’t just buy a firewall, it’s way beyond that.
Finally, what are you most looking forward to at the event?
I’m looking forward to interacting with the community there. I have not had as much activity in this particular community as I have had in some of the other communities, such as the defence, IT and technology companies. Those sectors have been a little bit more involved in cyber security, but I think the manufacturing community is becoming more aware, particularly with the advent of IoT, it is becoming a higher priority.
I’m also looking forward to sharing some of the ideas and methods that we’ve been able to develop over a number of years to increase security.
One of the things that I’ve emphasised is that we need a whole system answer to this. In the old days, if you ran a company and you were concerned with its security, you could hire more guards and put in stronger locks and basically secure yourself; you could become a little fortress. You can’t do that in the digital age; we’re inherently interconnected and you can’t secure yourself. It has to be a community effort, so working with the full community is critical.