The cyberthreat environment has changed from individuals casting wide nets to large, well-funded, organized groups with precise, targeted attacks.
The average length of time an attacker is now inside an organization before detection is 200 days, and an increasing amount of harm is done from the inside.
Panelists at an AFCEA C4ISR symposium Monday said that data analytics used to interpret activity versus pinpoint odd usage will become increasingly important, and that security is being implemented on a far wider scale. Companies and organizations are looking at this all the way down the supply chain.
“[Cyberthreats have] gone from being a hobbyist activity for people wanting to try to get something out of data to a full-scale criminal enterprise,” said Andrew Lee, CEO of ESET North America and the co-chair of San Diego’s Cyber Center of Excellence.
This means that attackers can buy the same tools as those on the defense side of the wall, and are getting more creative in their phishing efforts.
Chuck Kelley, information security and risk management officer at Qualcomm (Nasdaq: QCOM), said the telecom giant has seen this play out in two ways.
First, companies that Qualcomm has announced interest in acquiring or merging with are getting hacked a year or two before integrating. Hackers remain dormant, waiting for Qualcomm to connect to the new company’s networks.
Second, security vetting now extends to the whole supply chain.
“We’re seeing a significant shift in information security throughout the industry,” Kelley said.
“Part of my team goes to China and works on business development and does threat assessments on our supply chain — that wasn’t done five years ago,” he said.
In the past, suppliers would make the required products with no thought to their security or the integrity of their intellectual property protections.
“We have a licensing business in China, right,” he said. “So we have employees performing contractual-type activity with various partners. So we’re going into those offices and helping them, securing their email, making sure we have … secured communications to all their partners … all the way through the supply chain. That’s a significant shift.”
But as the attackers get more creative, so do the defenders. Lee said that because hacking is a business with actors seeking financial gain, like any other, the key is to keep raising the stakes to make it increasingly expensive for them to breach layers of defense.
Kelley said when Qualcomm did this, it discovered a trickier problem: insider attack.
“Historically, I was told insider threat was negligible — all your problems are malware,” Kelley said. “We solved for malware and, in fact, now we’re seeing the huge insider threat problem.”
How huge of a problem is it? Kelley said in a recent round of 300 layoffs, 25 to 30 percent of that group “was caught trying to steal data prior to departure — 25 to 30 percent. Some intentional, some not intentional.”
He suggested monitoring employee access to certain networks and putting in place a corporate policy to handle these situations.
Then there’s the outright theft of intellectual property in such places as China, where Kelley said Qualcomm knows there is a threat, with people going so far as stealing or going through laptops at the airport.
Their strategy is to “out-innovate” faster than data can be stolen, and to pay what panelists call the “cybertax”: the cost, in the form of increased expenses on information security, of doing business in places with less-than-ideal intellectual property protection.
“There’s a cost of doing business in cyber and I think one of the keys to this is that when you look at the attack profiles of 99.999 percent of attacks, it’s low-hanging fruit, and they’ll go somewhere else because it’s more expensive to attack you than it is to attack the next guy,” Lee said.
“You just want to make it really expensive for the attacker to go after you versus someone else.”
Large corporations may have the resources for this, but new, small startups entering the Internet of Things playing field often don’t — or won’t — put their money there.
“What scares the hell out of me, if I think about Microsoft or HP, these companies have been around for a long time, they understand security, they had their hard knocks and went through the whole process like the rest of the industry,” Kelley said.
“Now you have some startup that’s going to make some little device for you that you can plug into the Internet. He’s going to throw it into the cloud, you have no idea how he handles privacy or data or anything.
“So I think from a consumer perspective, I’m very scared about trying these new devices. I can’t imagine Frigidaire knowing how to secure the Internet, so I don’t want my refrigerator connected.”
Solutions to data and information security don’t come easy. The lag between technological development and legislation would make regulation almost futile.
Because cybersecurity is a global problem, protocols the United States might require wouldn’t protect a device interacting with information and devices around the world that don’t follow the same regulations.
Lee said he believes the solution is in ensuring all connected devices are built with privacy as a priority. Kelley said the development of guiding frameworks for cloud companies and device makers — along with requirements to abide by them, especially in the consumer sphere — will be crucial.
Todd Heberlein, senior analytics scientist at FICO (NYSE: FICO), said placing liability will also become necessary.
“It’s a tough proposition because we in the software field have always had this little box that comes up when you install new software that says ‘This software may totally destroy your system and you cannot hold us liable for that,’” Heberlein said.
“At some point, we’re going to have to move past that and start thinking that people who start putting these devices and people who start putting software on your machines might need to be held liable.
“As someone who’s owned a small business for years and years, government intrusion scares me. But at the same time, I see the attack surfaces, and that scares me too.”