As computing takes on a more ubiquitous role in both the personal and business domains, opportunities for innovation and development continue to increase exponentially. With these opportunities come increased connectivity and smarter everyday objects and of course, crippling data breaches, cyber-attacks and ransomware, aspects of particular concern as businesses collate vast amounts of data on their customers, partners, suppliers and government entities.
By 2020, Microsoft estimates that four billion people will be online—that is double today’s number – that fifty billion devices will be connected to the Internet and online data volume will be 50 times greater than today.
Cyber security threat predictions for 2017 paint a dire picture for information security. In its annual 'Threat Horizon' report, the International Security Forum (ISF) says that the pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organisations. In its top nine threats to watch for through 2017, the ISF lists; supercharged connectivity overwhelms defences; crime syndicates take a quantum leap; tech rejectionists cause chaos; dependence on critical infrastructure becomes dangerous; systemic vulnerabilities are weaponized; legacy technology crumbles; death from disruption to digital services; global consolidation endangers competition; and security and impact of data breaches increases dramatically.
Discussing organised crime syndicates, Steve Durbin, Managing Director of the ISF, explains in the study: “They really are very efficient and effective at communicating with each other and building centers of excellence that try to take advantage of the fact that we do have such advanced technology these days,” adding “This really does point squarely at the need for us to be communicating and collaborating much more effectively.”
Durbin expressed similar concern over dependence on critical infrastructure. He cited a study by the US Department of Homeland Security in 2011 that found that of 15 critical infrastructure systems in the US, 11 relied upon GPS as a core component. According to the DHS study, a failure in that system could be catastrophic. Similarly, in 2013, attackers hijacked the Associated Press' Twitter account to report that an explosion in the White House had injured the president. The fake tweet sent the stock market whirling until the hack was exposed.
BAE Systems, the world’s third largest defence company, reportedly experiences cyber-attacks as often as twice a week, according to a Financial Times report published in February. Kevin Taylor, managing director of BAE’s Applied Intelligence division, told the FT that the company was fending off more than 100 “potential state attacks” a year on average. It identified a number of online criminals, including the so-called “mule”, a casual criminal used to launder the proceeds of cyber-crime, or the “getaway,” an adolescent keen to impress peers and who acts safe in the knowledge that he or she is too young to be jailed, it added.
Although cyberspace offers opportunities for leading organisations, the environment is uncertain and potentially dangerous. It is a place where hacktivists and cybercriminals are honing their skills and governments are introducing new regulation and legislation in response to major incidents and public concerns. Organisations are forced continually to adapt and respond rapidly. Those that are informed and prepared for change will go a long way to securing their future, the ISF adds in its report.
Chris Gibson, director of the UK’s national computer emergency response team blamed, “poor security measures for 80% of the security issues<P>,” his team records. While speaking at the Public Sector ICT Summit in March, he said wider use of basic security measures, “<I>could place greater emphasis on proactively identifying new threats. [….]If you put in the cyber essentials, the fairly simple stuff that we all know about – passwords, patching, having a governance process and so on – 80% of the problems that we deal with would disappear in a puff of smoke. [….]Having cyber essentials in place would actually reduce some of the harmful effects of zero-day vulnerabilities which we see.”
The Road to Resilience
In response to current and future cyber incidents, a new discipline – cyber resilience – is beginning to emerge. The realisation that cyber prevention is no longer a sound option for organisations and government bodies has led to a trend towards resilience, preparation, continuous assessment and response. While there is no internationally accepted definition of cyber resilience, there is a growing consensus that it can be termed, “the ability of complex cyber systems to continuously deliver the intended outcome despite chronic stressors and acute shocks,” Microsoft explained in a blog post published in February 2016.
Resilient cyber systems exhibit common resilience attributes including (1) awareness, (2) diversity, (3) integrated character, (4) self-regulation, and (5) adaptability. Additionally, cyber resilience can best be understood and to some degree assessed by understanding capacities and capabilities for readiness, response, and reinvention. Given those attributes it is clear that cyber resilience is not something that an organization – or a city – can purchase from a vendor. It is built through leadership, teamwork, optimal risk taking, trust, flexibility, and commitment to advance and continually reinvent the digital city, Paul Nicholas - Senior Director, Trustworthy Computing, Microsoft explained further.
In late 2015, Scotland released a cyber resilience strategy to, “support the development of a culture of cyber resilience and, at the same time, create the necessary environment to ensure Scotland becomes a leader in meeting the growing demand for cyber skills talent.” In its mission statement, the resilience strategy comprises a series of steps to be taken by the Scottish Government and public authorities, including, among others; establishment of a strategic governance group under Scottish Ministers to oversee the effective implementation and evaluation of the strategy; incorporation of cyber resilience into all national and local government policies; development of cyber incident reporting measures and links to wider ICT/ digital and business continuity plans; embedding of cyber risk and resilience assessments when developing new products, services and processes; and consideration of shared development or procurement of cyber resilient systems and tools for the public sector.
“Resilience needs to apply to the essential infrastructure in nearly every business function and we need to ensure that resilience is factored into all aspects of the design of new digital services. The infallible prevention against cyber threat is not achievable and so the focus moves to detection, rapid response and recovery. We need to imagine the unexpected, plan for it and practise our response. We will do this by ensuring that cyber resilience scenarios and cyber incident response plans are regularly reviewed, tested and exercised,” according to Anne Moises, the Scottish Government’s Chief Information Officer.
Similarly, in February, the White House announced the Cybersecurity National Action Plan (CNAP) which will work to protect federal agencies from cyberattacks similar to the one the US Office of Personnel Management experienced two years ago. According to a statement issued by the White House, the Administration has created the position of Federal Chief Information Security Officer to drive cybersecurity policy, planning, and implementation across the Federal Government. Additionally, the Department of Homeland Security, the Department of Commerce, and the Department of Energy are contributing resources and capabilities to establish a National Center for Cybersecurity Resilience, where companies and sector-wide organizations can test the security of systems in a contained environment, such as by subjecting a replica electric grid to cyber-attack.
Moreover, the DHS, the General Services Administration, and other Federal agencies will increase the availability of government-wide shared services for IT and cybersecurity, with the goal of taking each individual agency out of the business of building, owning, and operating their own IT when more efficient, effective, and secure options are available, as well as ensuring that individual agencies are not left on their own to defend themselves against the most sophisticated threats, the press release added.
NATO is also taking similar steps to ensure cyber resilience. Within the framework of the NATO Industry Cyber Partnership (NICP), the NATO Communications and Information (NCI) Agency announced an agreement with Fortinet in February that will boost two-way information sharing, in particular on cyber threat intelligence. This is often a high impact and efficient way to enhance cyber resilience and mitigate vulnerability to attack. “NATO is facing cybersecurity threats across the world that could drastically affect national economies and citizens. To avoid it, [the] NCI Agency strongly believes in early information sharing on threats and vulnerabilities with leading companies worldwide, such as Fortinet,” Koen Gijsbers, NCI Agency General Manager, said in an official statement.
Through this initiative the NCI Agency, responsible for operating and defending NATO's networks, will be able to improve cyber defence in NATO's defence supply chain, facilitate participation of industry organizations in multinational ‘Smart Defence’ projects and improve sharing of expertise, information and experience of operating under the constant threat of cyber attack, including information on threats and vulnerabilities such as malware information sharing. It will also raise awareness and improve the understanding of cyber risks, leverage private sector developments for capability development, and generate efficient and adequate support in case of cyber incidents.
Addressing Critical Issues
In February Microsoft, Oracle and five other leading providers of security products and services launched the Coalition for Cybersecurity Policy and Law, a new organization that will focus on education and collaboration with policymakers on the increasingly complicated legislative and regulatory policies related to cybersecurity. Founding members of the Coalition include Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7, and Symantec.
“The members of this Coalition are dedicated to building our nation’s public and private cybersecurity infrastructure, and their insight and engagement must play a vital role in the decisions being made by our government on cybersecurity policy,” said Ari Schwartz, Coordinator of the Coalition and former White House Special Assistant to the President for Cybersecurity. “The range of digital threats we face has never been greater, including criminal syndicates and state-sponsored attacks, and this Coalition will serve as the voice of the industry as we work with policymakers to develop the most effective responses to those threats.”
The mission of the Coalition is to bring together leading companies to help policymakers develop consensus-driven policy solutions that promote a vibrant and robust cybersecurity marketplace, support the development and adoption of cybersecurity innovations, and encourage organisations of all sizes to take steps to improve their cybersecurity. Working at the intersection between government entities, researchers, and vendors, the Coalition will speak on behalf of the cybersecurity industry in Congress, federal agencies, international standards bodies, industry self-regulatory programmes, and other relevant policymaking venues, the Coalition said in a statement in February.
Meanwhile, the USAF announced a significant milestone on 12 February when the Cyberspace Vulnerability Assessment/Hunter (CVA/H) weapon system reached Full Operational Capability (FOC) status. CVA/H is a tool for cyber defence, used inside the boundaries of the defended cyber system. The Air Force equips its Cyber Protection Teams with the CVA/H weapon system. It provides the ability to find, fix, track, target, engage and assess advanced persistent threats to AF missions on prioritised network enclaves within the AFIN.
“Achieving FOC means the CVA/H weapon system is fully capable to serve as the premier enclave defence platform for prioritized traffic in the Air Force Information Network. The CVA/H weapon system enables execution of vulnerability assessments, adversary threat detection and compliance evaluations,” the USAF explained in a press release. Brig.Gen. Stephen Whiting, AFSPC Director of Integrated Air, Space, Cyberspace and ISR Operations, who signed the FOC declaration, said: “This achievement underscores our commitment to the US Cyber Command Cyber Protection Team mission and to the defence of prioritised cyberspace terrain in the Air Force portion of the DoD Information Network. CVA/H defends the Air Force's ability to fly, fight and win in air, space and cyberspace.”
CVA/H operators focus on providing vulnerability assessment and the Hunter mission, which latter capability provides the 24th Air Force commander and supported combatant commanders with a deployable, precision capability to identify, pursue within network boundaries, and mitigate cyberspace threats impacting critical links and nodes in support of theatre or functional operations. The CVA/H weapon system provides a cyberspace security capability offering in-depth assessment of information system assets such as computers, infrastructure, applications, data, and cyberspace operations, according to the USAF.
Other cyberspace weapon systems include the Air Force Cyberspace Defense Weapon System, the Cyber Security and Control System Weapon System, the Cyber Command and Control Mission System Weapon System, and the Cyberspace Defense Analysis Weapon System.
Bindiya Carmeline Thomas