Many industries are not implementing general, but critical, cybersecurity safeguards, leaving them vulnerable to deeper and more troublesome attacks, according to a key Department of Homeland Security (DHS) official.
“They are more focused on the day-to-day potential loss of intellectual property, the potential for criminal activity, all things that are very important, (but) without a deeper understanding, or look, into what is in their critical infrastructure and what can be attacked,” Director of DHS’ National Cybersecurity and Communications Integration Center Larry Zelvin said yesterday at the Kaspersky Labs 2013 Government Cybersecurity Forum in downtown Washington.
Zelvin said common cybersecurity concerns like spear phishing are not being heeded. Spear phishing targets victims with emails that appear to be official, such as an email from a bank, allowing criminals to steal personal information.
“Things like spear phishing…just having the most basic security controls in place to make it harder for adversaries to get in,” Zelvin said.
DHS says two other common cyber attacks are corporate security breaches, where hackers exploit victims through social engineering and scams, and social media fraud, where criminals use social media to engage in identity theft and entice individuals to download malicious code or reveal passwords. DHS says it is working to promote cybersecurity awareness and digital literacy among all internet users through the Multi-State Information Sharing and Analysis Center (MS-ISAC) as well as the National Association of State Chief Information Officers (NASCIO).
MS-ISAC is a focal point for cyber threat prevention, protection, response and recovery for the United States’ state, local, territorial and tribal governments. NASCIO is a nonprofit, 501(c)(3) association with a mission of fostering government excellence through quality business practices, information management and technology policy.
Zelvin said that in his 27 years in government he has never seen U.S. intelligence agencies push to declassify information so it can be shared the way he is seeing today. Zelvin said the United States has gone from a “need to know” to a “need to share” mentality. President Barack Obama in his February executive order called for the federal government to share classified and unclassified cyber threat data with the private sector (Defense Daily, Feb. 13).
“We’re making great progress,” Zelvin said. “Is it perfect? No. Are we far better than we were a few years ago? My impression is yes, vastly.”
Zelvin said, on a positive note, that he believes the United States is taking appropriate measures to strengthen cybersecurity for critical government infrastructure.
“In many cases, at least in the U.S., we don’t focus on a problem until it is a large, national problem,” Zelvin said. “I think we are focusing on this in a serious way and I am hopeful it will not take a tragedy like (9/11 and Hurricane Katrina) to really get people to awake and prepare for these things.”
Electric utilities in the United States are barraged with cyber attacks, and most comply with mandatory cybersecurity standards, but the standards-setting process is slow, and most of these utilities don’t bother to employ voluntary security standards, according to a report by two Democratic congressmen (Defense Daily, May 24).