Having been in the security industry for a long time now, I’m keenly aware of the fact that we are sometimes upstaged by expectations that don’t immediately materialize. Consider it an occupational hazard of preaching constant vigilance that can sometimes lead to skepticism if a threat is not verified quickly. However, there are points in time that force you to take notice and pay attention to the severity of what is going on.
This past week is annually one of the biggest weeks in our industry as leaders in security from all walks of government and industry gather at the Black Hat and DEF CON conferences to discuss the state of the industry and the current threat environment. While some interesting stories such as the simplicity with which a hacker can access a hotel keycard system grabbed some of the early headlines going into the show, it was the bigger threats to areas such as national infrastructure and IP that grabbed my attention and frankly, I believe justifies the hype.
First, while addressing the Aspen Security Forum, Gen. Keith B. Alexander, who heads the National Security Agency, reported a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011, initiated by criminal gangs, hackers and other nations.
General Alexander went on to say that what most concerned him was the growing number of attacks aimed at “critical infrastructure,” and that the United States remained unprepared to ward off a major attack. He estimated that on a scale of 1 to 10, our preparedness for a large-scale cyberattack is “around a 3.” The cynic in me waits for the following request for more money and or power to fix the problem that the experts have identified, but that was not the case this time, and the issues are real.
At Black Hat, Shawn Henry, the FBI's longtime top cybercrime official, painted an equally dismal picture of what we are facing in terms of cybersecurity.
"The adversary knows that if you want to harm civilized society -- take their water away, do away with their electricity," Henry said. "There are terrorist groups that are online now calling for the use of cyber as a weapon."
"I believe that people will not truly get this until they see the physical implications of a cyberattack," he said to reporters after his speech. "We knew about Osama bin Laden in the early '90s. After 9/11, it was a worldwide name. I believe that type of thing can and will happen in the cyber environment. And I think that after it does, people will start to pay attention."
Some chilling words from the man who has been on the forefront of the cyber battle since it began. For those of us in the business world who may look at these remarks and pass them off as a government problem, Mr. Henry had some sobering words for us too.
"I still hear from CEOs, 'Why would I be a target?'" Henry said. "We worked with one company that lost $1 billion worth of IP in the course of a couple of days -- a decade of research. That is not an isolated event. ... Your data is being held hostage, and the life of your organization is at risk."
What I take out of this past week is that security awareness is still in its initial stages and that we have a long way to go. Attacks are becoming better funded and more sophisticated every day and we are not nearly as well prepared as we should be. It’s always startling at first to learn that you are actually losing the battle, but that is precisely what is happening. But we’re making progress and some progress is better than none.
We have reached a tipping point in the battle for our most valuable assets and critical infrastructure. Prior to 9/11 nobody anticipated that a terrorist group could launch a major attack on US soil. And back then I’m sure there were parts of our society and government accusing some agency or another of over-hyping the threat. I’m just suggesting that we don’t make that same mistake again.
– Mark Hatton, President, CEO