
architecture for addressing it

According to the Pentagon’s 2015 Annual Report, “The military’s computer networks can be compromised by low to middling skilled attacks. Military systems do not have a sufficiently robust security posture to repel sustained attacks. The development of advanced cyber techniques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a position to degrade DOD missions when and if they choose.” If the cyber systems of the world’s most sophisticated and best funded armed forces can be compromised by “low to middling skilled attacks,” how safe can we expect discount retailers, movie studios, or any other corporate or public systems to be?

That is not even the bad news.

■ Things are getting much worse: Three reasons

1. The system is getting weaker.

The bad news is that the cyber systems that have become the underpinning of virtually all aspects of life in the digital age are becoming increasingly less secure. There are multiple reasons for this distressing trend. First, the system is getting technologically weaker. Virtually no one writes code or develops “apps” from scratch. We are still relying on many of the core protocols designed in the 1970s and 80s. These protocols were designed to be “open,” not secure. Now the attacking community is going back through these core elements of the Internet and discovering still new vulnerabilities. So as new functionalities come online, their own vulnerabilities are simply added to the existing and expanding vulnerabilities they are built upon. The reality is that the fabric of the Internet is riddled with holes, and as we continue to stretch that fabric, it is becoming increasingly less secure.

Additionally, vulnerabilities in many open source codes, widely in use for years, are becoming increasingly apparent and being exploited by modern “zero-day” attacks, and the patching system we have relied on to remediate the system can’t keep pace. Huge vulnerabilities such as Heartbleed and Shellshock have existed within open source code for years only to be revealed recently when scrutinized by fresh eyes.

Within hours of the Heartbleed vulnerability becoming public in 2014, there was a surge of attackers stepping up to exploit it. The attackers exploiting the vulnerability were much faster than the vendors could patch it. This is a growing trend. In 2014 it took 204 days, 22 days, and 52 days to patch the top three zero-day vulnerabilities. In 2013 it took only four days for patches to arrive. Even more disturbing is that the top five zero-day attacks in 2014 were actively used for a combined 295 days before patches were available. Moreover, because almost no one builds from scratch anymore, the rate of adoption for open source programming as a core component of new software greatly exceeds the vetting process for many applications. As the code gets altered into new apps, the risks continue to multiply. In 2015 Symantec estimates there are now more than a million malicious apps in existence. In a fast-moving, early-stage industry, developers have a strong incentive to offer new functionality and features, but data protection and privacy policies tend to be a lesser priority.

The risks created by the core of the system becoming intrinsically weaker are being further magnified by the explosion of access points to the system, many with little or no security built into their development. Some analysts are already asserting that there are more mobile devices than there are people on the earth. If that is not yet literally true, it will shortly be.

It is now common for individuals to have multiple mobile devices and use them interchangeably for work and leisure, often without substantial security settings. Although this certainly poses a risk of data being stolen directly from smartphones, the greater concern is that mobile devices are increasingly conduits to the cloud, which holds increasing amounts of valuable data. The number of new access points to large amounts of data resulting from the explosion in the number of mobile devices vastly increases the challenges to securing cyberspace.

However, the rise in use of mobile devices pales in comparison to the coming Internet of Things (IoT). The IoT, embedded computing devices with Internet connections, embraces a wide range of devices, including home security systems, cars, smart TVs, and security cameras. Like the bring-your-own-device (BYOD) phenomenon, the coming of the IoT further undermines the overall security of the system by dramatically increasing the vectors, making every new employee’s internet-connected device, upon upgrade, a potential threat vector.

2. The bad guys are getting better.

Just after the turn of the century, the NSA coined a new term, the “APT,” which stood for the advanced persistent threat. The APT referred to ultrasophisticated cyberattack methods being practiced by advanced nation-state actors. These attacks were characterized by their targeted nature, often focused on specific people instead of networks, their continued and evolving nature, and their clever social engineering tactics. These were not “hackers” and “script kiddies.” These were pros for whom cyberattacks were their day job.

They were also characterized by their ability to compromise virtually any target they selected. APTs routinely compromised all anti-virus, intrusion detection, and best practices. They made perimeter defense obsolete.

Now these same attack methods, once practiced only by sophisticated nation-states, are widely in use by common criminals. Whereas a few years ago these attacks were confined to nations and the Defense Industrial Complex, they now permeate virtually all economic sectors.

The APT now stands for the average persistent threat.

The increasing professionalism and sophistication of the attack community is fueled by the enormous profits cyberattacks

THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT

corporate growth, innovation, and profitability also undermine cybersecurity.

Technologies such as VOIP or cloud computing bring tremendous cost efficiencies but dramatically complicate security. Efficient, even necessary, business practices such as the use of long supply chains and BYOD are also economically attractive but extremely problematic from a security perspective.

Corporate boards are faced with the conundrum of needing to use technology to grow and maintain their enterprises without risking the corporate crown jewels or hard-won public faith in the bargain. In addition, the fears and potential losses from cyber events tend to be speculative and future oriented, whereas most corporate leaders (as well as the citizen investors who have their 401(k)s tied up in the stock market) tend to make their decisions with an eye toward the next quarter or two.
