There have been gains in the ways the United States counters cyber threats, but those threats have grown and become more sophisticated, creating additional challenges, according to several cyber security experts who appeared on a panel this week exploring the cyber threat landscape.
Compared to six months ago and even five years ago, “I believe we are better,” which is “reflected in the way we are addressing the threats,” Rear Adm. Mike Brown, director for cybersecurity coordination at the Department of Homeland Security, said at the annual government cyber security symposium hosted by information security provider Symantec [SYMC].
Brown, who is also DHS’ main liaison with U.S. Cyber Command for coordinating and synchronizing federal civilian and defense efforts in the cyber arena, also said that there are more efforts within the federal government and between the public and private sectors to “work together, to build capability and capacity” and to improve the cyber workforce. These efforts are on the “up slope,” he said.
Sherrill Nicely, deputy chief information officer for the CIA, agreed with Brown.
“Yes, yes, the bad guys have gotten better, so have we,” Nicely said. For example, she pointed out that several years ago commercial providers of computers and computer operating systems were not supplying technology that was as secure as it could be, but now they are tightening it up.
She also said the “national cyber community,” including the federal government and private sector, continues to do a better job working together and sharing useful information.
The problem is, “we’re not better than, and that’s where we need to be,” said Lynn DeCourcey, director of Cyber Security for NJVC, an information technology solutions provider in the federal security space. The threats outweigh the resources being put behind cyber security and more needs to be done in the areas of education, training and awareness, she said.
Matt Stern, an employee with General Dynamics [GD] who is the program director for the DHS U.S. Computer Emergency Readiness Team, said that the focus, at least for him, has to be on the people who are behind the cyber attacks.
“I think that we’re not affecting the people behind the keyboard,” Stern said. “And so right now it’s World of Warcraft. I can sit at my computer and I can hack all day long and what’s the consequence?”
Moreover, even if U.S. authorities can attribute the attack to a particular individual or group of people, the country they are operating from may make it hard to get “justice,” Stern said.
“We really need to start looking hard at how do we affect the behavior and how do we affect their want, need and desire to do it, how do we drive up the risk and drive down the reward,” Stern said. “And looking at other means to do that is I think going to be key to success in the future.”
As to the sophistication of the threat, Joji Montelibano, the insider threat security analyst with the CERT Program at Carnegie Mellon Univ., said he could look at malware 10 years ago and figure out its purpose but not today. “It’s a different game,” he said. “Are we ahead of the curve? I don’t know.”
Stern said that the threat has “grown exponentially,” and, similar to DeCourcey, said that the threat, that is, the number of “people trying to get after…our democracy and our livelihood,” is greater than the “cyber capabilities in this country.”
“So these small pockets of great resistance to that bigger threat, this great pervasive capability and the fact that the threat, regardless of size, can generate that much code means to me that we’re on the backslide,” Stern warned. “We’ve got to do something disruptive to get ahead of the curve.”
The panelists also offered their take on the biggest cyber threats they are seeing.
The “number one way” attacks are penetrating information systems is social engineering, Stern said. These could be phishing and spear phishing and even phone calls to dupe system administrators into giving out passwords, he said.
“So those simple things are still ways the threat is getting in,” Stern said.
Brown said that DHS is confronting the “pervasiveness” of threats and attacks against critical infrastructure and intellectual property. These threats are growing in scope, which in turn means the public and private sectors need to continue to bolster their cooperation in response, he said.
Montelibano said the “attack vectors” his CERT is looking at include intellectual property theft and sabotage as well as fraud, particularly in the commercial sector.
The CIA’s reliance on commercial off-the-shelf hardware and software applications means it is threatened by the “same attack vectors as everyone else,” Nicely said. “So our largest fear to the greatest extent and greatest concern is the zero day attack.”
It’s hard to defend against unexpected attacks and against vulnerabilities “that you did not know existed,” she said.