Even in the wake of near-disastrous data breaches of its own personnel records and of some of the largest corporations in the country, the U.S. government is woefully unprepared to detect and defend against cyber attacks, according to cyber security experts who gathered July 20 to debate issues of free-information flow.
“One of the things we have come to realize with cyber security is that this is a 21st century problem and we are operating with 19th- and 20th-century mechanisms to deal with it,” said Larry Clinton, chief executive of the Internet Security Alliance, at a forum hosted by the Open Group in Baltimore, Md. “We need to evolve some management mechanisms that are dynamic enough to keep up with evolving threats and, of course, with evolving technology.”
The Open Group is a consortium that focuses on the development of open-architecture, “vendor-neutral” information technology systems and common software and hardware standards.
Clinton said that IT systems are under attack almost constantly and management of people with access to vulnerable networks is the best means of preventing digital intrusions and data breaches. Many of the recent high-profile data breaches, including the theft of millions of Office of Personnel Management employee records and the “hack” of Sony by North Korea, likely began with a single errant click of a link that gave the cyber criminals access to those networks, he said.
“Contrary to popular thought, cyber security is not an [information technology] issue,” he said. “Obviously it has an enormous IT component to it. But the number-one threat that we have, frankly isn’t technical at all. It’s people. They say in the automotive world that the biggest safety feature of any car has always been the nut behind the wheel. It is the same thing with respect to cyber systems. It’s the people who are our biggest vulnerability.”
He also dismissed as outdated the word “hacker” to describe cyber threats. In the case of Sony, a nation-state targeted the intellectual property and email databases of a private U.S. company, an unprecedented offense. The acronym APT, which once stood for advanced persistent threats, is more accurately rendered as “average persistent threats,” he said of nefarious cyber actors.
“Today, we are dealing with the A-Team. These guys are professionals,” Clinton said. “This is their day job and they are really, really good. … The sort of advanced and elite mechanisms we saw being practiced by nation-states and nation-state affiliated defense contractors a few years ago, we are now seeing throughout the economy.”
Extremely sophisticated cyber criminals are constantly attacking networks that in Clinton’s view are becoming ever weaker and less defended as mobile devices and internet-enabled appliances and vehicles proliferate. Where there are about 15 billion mobile devices in the world today, there will be an estimated 50 billion devices within 5 years, Clinton said.
The Sony and OPM breaches, along with other cyber crimes like the theft of millions of credit card numbers from retail giant Target last year, have brought into question the role of government in defending against such cyber threats. Private companies generally do not have the ability to defend against persistent attacks launched by nation-state-sized entities, he said.
“We realize now that we can’t mandate security,” he said. In the case of Sony, in which the company was attacked by cyber criminals affiliated with North Korea, there is no precedent for the federal government coming to the aid of a private company, Clinton said.
“I don’t know what the role of the government is” in that situation, he said. “We need to find that out.”
Bruce McConnell, senior vice president at the EastWest Institute, a New York-based international security think tank, said there is a long row to hoe before standards are set in place to manage the security of commercial and government networks.
“The core technologies need to be more secure in the first place,” he said. He suggested establishing an international standard of cyber security systems and then encouraging and incentivizing industry to adopt and adhere to it.
“Actually, the government could turn out to be too slow to do anything,” McConnell said.
Cyber attacks are inexpensive and relatively easy to launch, and can potentially yield great profit. Cyber defense, on the other hand, relies on systems and technologies that are usually at least a generation behind the attack, is expensive and has no law-enforcement mechanism. Fewer than two percent of cyber criminals are ever caught and charged, Clinton said.
Clinton said both Republicans and Democrats agree upon the need for cyber security standards for U.S. companies, but efforts to pass legislation to that effect have failed. Technological advance outpaces the speed at which Congress can pass laws and as soon as such a measure did pass, it would be obsolete, he said.
The Obama administration instead has chosen to create incentives for corporations to adopt voluntary industry-developed cyber security standards. But online threats are outpacing even that effort, Clinton said.
“From my point of view, they are on the right path but not moving nearly fast enough,” he said. “We are not investing enough either on the government or the private side. We are not moving fast enough to develop these standards.”