Cyber Experts Talk Trends
Print Issue: June 2014
Companies are focusing on several trends in the coming year, including the fallout from government surveillance, new public-private partnerships, and the threat of cyberattacks.
The global economy loses up to $400 billion annually to malicious cyber activity, according to a 2013 report by the Center for Strategic and International Studies. In today’s world of virtual business, cyber companies around the globe are focused on solving the expensive problem of cybercrime to better serve their customers.
There are several trends that enterprises and consumers should understand to better protect their data. Several cybersecurity companies shared their thoughts with Security Management on the current state of cybersecurity and how the past year’s events have had an impact on the industry. The National Security Agency (NSA) surveillance program, public-private partnerships, and shifting methods of cybercrime top the list of trends.
NSA surveillance. At the opening event of the RSA 2014 Conference, which was held in San Francisco in February and deals in all things cybersecurity, executive chairman of RSA Art Coviello said in his keynote speech that personal information is the new currency that cybercriminals are after, and that governments have a responsibility to protect the information of their citizens. “Governments have a duty to create and enforce a balance that embraces individual rights and collective security,” he noted. “We as an industry need to do our part by developing and implementing the capabilities that secure those norms in the future.”
The NSA surveillance program and the global impact of the infamous classified document dump by former contractor Edward Snowden will resonate far into the future, according to experts, and will have a major effect on the way the NSA conducts its intelligence gathering. One particular discussion at RSA offered a candid perspective of the NSA situation from former government officials who worked closely with the agency.
In a presentation on Washington’s take on NSA surveillance, Richard Clarke, who served as special advisor to the president for cyberspace and national coordinator for security and counterterrorism for three consecutive administrations, unabashedly painted Snowden as a traitor. “What he has done is to reveal to terrorist groups and foreign governments ways in which we collect intelligence to make our country safer, and our country is less safe because they know the things that they know because of him,” he said. Even though the avenues of reporting suspected government wrongdoing could be improved, Snowden never attempted to go through the proper channels available to whistleblowers before leaking the documents, Clarke added.
Former director of the CIA and NSA Michael Hayden, another panelist, said that while Snowden’s actions were illegal, the American people are better off knowing what methods the NSA is using, rather than being in the dark. However, he added that without the intelligence collection from the NSA, the U.S. government would have less information about what the threat actors are doing. “When you have lawful tools, be careful about taking them off the table,” he said.
In addition to Snowden, the panel also discussed the recommendations that President Barack Obama’s review group made about the NSA surveillance program in December. Clarke was a member of the group, which recommended that the NSA discontinue amassing phone data on millions of Americans, warning that there was a “lurking danger of abuse” behind such a program.
During the discussion at RSA, Clarke elaborated on the review group’s recommendations. “We have to have a strong intelligence capability to stop [an attack], and to protect our allies around the world,” he said. However, “the question is, can we have that strong intelligence capability in a way that is more transparent and creates less collateral damage?”
This transparency might be furthered through legislation recommended in the group’s report. One proposed bill would require that information about surveillance programs be made public, while another would mandate that phone companies publicly disclose any information requests they receive from the government. “Such information might disclose the number of orders that providers have received, the broad categories of information produced, and the number of users whose information has been produced,” states the report.
Panelists at RSA also addressed the reaction of foreign governments to the NSA surveillance program, many of whom expressed outrage at the notion that their leaders were being spied on. Clarke and Hayden both noted that most major nations have surveillance programs that listen in on foreign leaders, and that the United States is far from alone in the way it gathers intelligence on other countries.
In late March, the Obama administration announced that it was indeed implementing a key recommendation from the advisory group when it proposed the NSA end its telephony metadata collection program. The President proposed that, rather than keeping a running list of data from Americans’ phone calls, the government would ask permission from the Foreign Intelligence Surveillance Court when investigating the length and time of a specific phone call or series of calls that officials suspect may have a connection to terrorism.
In Congress, leaders of the House Intelligence Committee introduced a bill (H.R. 3361) that would require the spy agency to go through phone carriers directly when conducting metadata inquiries. (Currently, the NSA obtains records in secret at the discretion of the Foreign Intelligence Surveillance Court.) The bill also calls for the government to discontinue its bulk collection of metadata including telephone, Internet, and e-mail messages.
Partnerships. Another trend is the importance of collaboration between the public and private sectors to defend against cybercrime. Trend Micro representatives emphasized that information-sharing partnerships between law enforcement and cybersecurity companies are crucial as threat actors become increasingly sophisticated in their techniques and more malicious in their attacks.
“The success is in taking the [bad guys] down, not in taking the infrastructure down, because that’s the long-term impact on cybercrime,” said Rik Ferguson, vice president of security research at Trend Micro. He pointed out that while many investigations that shut down cybercrime disable the servers and machines controlled by the bad actors, actually arresting the responsible parties is much more effective in deterring criminal acts. “A lot of the attraction of becoming a cybercriminal is that it’s perceived as being a pretty safe place to do business, and it’s the job of security companies to work with law enforcement to make sure it’s not comfortable there, to make that seat hot,” he explained.
In an example of such public-private partnerships, Trend Micro teamed up with international police organization Interpol last year to develop a cybersecurity center in Singapore, the Interpol Global Complex for Innovation (IGCI). The IGCI, which will officially open in 2015, will focus on complex research to aid cyber companies and police organizations in solving cybercrime. Specifically, the IGCI will concentrate its efforts in the following areas: digital security, including a forensic laboratory to support digital crime investigations; capacity building and training, which involves preparing police organizations for fighting cybercrime; and operational and investigative support, which focuses on identifying emerging threats as well as providing incident response and support.
In addition to the IGCI, Trend Micro has threat researchers embedded with Interpol so that they can work literally side by side to spot threats and take down the bad actors.
Ferguson says that there are challenges when it comes to information coordination between research groups and law enforcement, including transborder issues such as different legislation in different countries, as well as the varying definition of what a cybercrime actually is. “What’s a crime in the United Kingdom might not be a crime in Spain, and that problem is exacerbated when you start to take into account that the United States, Latin America, Russia, China, and some of these places are real homelands of a lot of cybercrime,” he notes.
Cyberattacks. Recent large-scale cyberattacks on Americans’ debit and credit cards, especially the breaches at Target and Neiman Marcus, have led cybersecurity experts to focus on EMV (Europay, MasterCard, and Visa) cards with integrated chips. Those payment methods may present new vulnerabilities in the payment card system.
Richard Henderson, security strategist at Fortinet, says that as the United States moves to chip-and-PIN technology for credit and debit cards, it will be interesting to see what methods hackers use to compromise them. He notes that a new trend in financial hacking will likely involve more malware that compromises two-factor authentication safeguards. According to Henderson, this malicious software pretends to be the institution that the user is authenticating to, but it is actually intercepting the two-factor authentication token meant for the user. The hackers then use that token to log in under the compromised credentials.
Experts also say a growing trend in cyberattacks is the method hackers used to get at Target’s networks, which was by stealing the credentials of a third-party vendor who had access to the retail giant’s network. “One thing that people are going to be talking about a lot this year is supply chain,” John Pirc, chief technology officer at NSS Labs, told Security Management.
Pirc pointed out that as larger companies acquire smaller ones, they should be vigilant about ensuring that security measures are in place throughout the entire supply chain. “When you start looking at a lot of these mergers and acquisitions, when a big 10,000-pound gorilla company acquires a startup…the adversary is going to target the little company, bury themselves in, then get connected. So I think you’re going to see more of that,” he said.
Finally, companies point to a growing awareness among all levels of the enterprise about the need for good cyber hygiene and basic user education. Businesses that are not traditional security companies are increasingly investing resources, both financial and human, in preventing cyberattacks, according to Cameron Camp, security researcher at ESET. He says that more companies have been hiring chief information security officers and chief intelligence officers to bridge the gap between IT departments and the C-suite. “They want to hear what IT has to say, whereas before it was just the guys keeping the gears running.”