Article - Columbia Business School

The Challenges of Cyber Security
We're losing billions and are vulnerable to 'a digital Pearl Harbor.' Experts offer their opinions on how to combat cyber threats.
"O brave new world, that has such people in't."
Neither Shakespeare, who coined the phrase in The Tempest, nor Aldous
Huxley, who borrowed it for his futuristic novel, imagined hacktivists,
spearphishers, or digital terrorists and organized crime lords. But cyber
criminals are top of mind for CEOs of companies ranging from The New
York Times to Coca-Cola. They've wreaked havoc on law firms, financial
houses, universities, Internet security companies and such government
agencies as the CIA, DOJ and Department of Homeland Security. They
represent an international threat, originating from every nook and cranny on
the map. "We are losing money, we are losing data, we are losing ideas,"
said FBI Director Robert Mueller in the spring of 2012. "Together we must
find a way to stop the bleeding."
An expert panel sponsored by Columbia University's Richard Paul Richman
Center for Business, Law, and Public Policy recently addressed "Cyber
Threats and Cyber Security." What they said was both terrifying--by some
accounts international businesses are losing more than $1 trillion a year to
digital crimes--and oddly reassuring--diligent organizations can draw on an
arsenal of both simple fixes and sophisticated analytics in the war against
computer invasion.
A Four-Pronged Threat
But don't get comfortable. The panelists agreed: It's not a question of
whether computers will be hacked, but when. And even with precautions,
both finding the culprits and stopping the damage are problematic at best.
Solving security challenges amounts to tackling what Brendan Hannigan,
General Manager of IBM's Security Systems Division, calls "a complex,
four-dimensional puzzle."
Problem 1: The Criminals Have Changed
To get a handle on cyber crime, the panelists said, we must understand the
evolving nature of the threats. In the 1990s, cyber crime was personified by
the "I love you" bug, which swept through Microsoft's system to bring down
thousands of computers whose users clicked on the eponymous email. The
threat was malicious and ubiquitous. But once it was identified, technicians
devised a security patch to block similar invasions in the future.
"In the past--meaning five years ago--hackers were crafting attacks
against broad targets. Their intent was notoriety," observed Hannigan,
whose division consults with global organizations to install cyber defenses.
Recent assaults have a more specific intent: to steal information from a
particular organization, create denial of service, disrupt a business or
threaten national security. Because these sophisticated attacks hide among
reams of computer code, the threats often go undetected. "Our customers'
biggest worry concerns attacks that they don't know about," said Hannigan.
And, since they are written for a specific target, they have no common, easy
fix once discovered.
Problem 2: Digital Technology Is Evolving at a Breakneck Pace
Today's criminals have multiple points of entry: Not just PCs, but also
datacenters, laptops, mobile devices and the cloud. A multinational
company may have tens of thousands of apps on its computers. From any of
these points, malware can spread throughout a system to reach the criminal's
intended target, which may be the storage bin for a company's intellectual
property secrets or where customer credit card information is collated.
Judith H. Germano, head of the District of New Jersey's Economic Crimes
Unit, U.S. Attorney's Office, talked about "drive-by downloads": "You just
have to walk by a table in a crowded restaurant and [criminals] can take info
off your phone."
Problem 3: Data Is Liquid
The increase in transactional online commerce has been exponential,
meaning sensitive consumer data can be gleaned from countless sources, or
hackers can piggyback on legitimate interchanges. What's more, "In the
past, data was structured," held in spreadsheets or locked away as official
information, observed Hannigan. The rise of "unstructured" data, found in
email, social media, Twitter feeds--and whatever new form of
communication next crops up--has given criminals a much broader and
deeper pool to fish in.
Problem 4: Connectivity Puts Us All at Risk
Hackers denied access through a company's front door have a host of backdoor options: Employees, customers, outsourcers, suppliers, consultants.
Beyond the company's own site, individual employees or customers may
have visited any number of danger spots that let criminals in. Germano
noted that attacks on small businesses (which may link to larger suppliers or
customers) have more than doubled over the past year. "Companies want to
be friendly, but they have to make a business decision: Are vendors' systems
safe? Customers' systems?" she asked. "Hackers take the path of least
resistance. Why would they blow through the wall of a safe if they can just
open a window?"
Constructing a Wider Moat
Some high-tech countermeasures are available to protect against cyber
crime, with more on the horizon. Hannigan talked about high-powered
behavioral analytic technology that captures normal business processes and
triggers on unusual activity, such as recurring codes or connections to
unexpected destinations (a finance feed to a single PC in Bulgaria, for instance).
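The baseline-and-deviation idea behind that kind of analytics, as an added example written for this page (it is not IBM's product or anything the panel presented): learn, per internal data source, which destination hosts and countries were seen during a training window and how large a single transfer normally is, then flag later flows that break that baseline. The log format, every log line, the function names and the volume threshold are all constructed for the demonstration.

```python
"""Baseline-and-deviation detector for outbound data flows.

Added example for this page; not IBM's product or the panel's own
material. Per internal data source it records the destination hosts and
countries seen in a training window and the largest single transfer,
then flags later flows that deviate. Log format and lines are constructed.
"""
from collections import defaultdict

# Constructed training window: source,dst_host,dst_country,bytes
TRAINING_LOG = """\
finance-feed,erp.corp.example,US,102400
finance-feed,erp.corp.example,US,98304
finance-feed,bank-gw.example,US,20480
hr-export,payroll.example,US,4096
hr-export,payroll.example,US,4096
"""

# Constructed live traffic; the second line is the "finance feed to one PC
# in Bulgaria" case from the article (address is a documentation-range example)
LIVE_LOG = """\
finance-feed,erp.corp.example,US,101000
finance-feed,203.0.113.45,BG,52428800
hr-export,payroll.example,US,4100
finance-feed,bank-gw.example,US,19000
"""


def parse(log):
    """Turn the CSV-style log into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        source, host, country, nbytes = line.split(",")
        events.append({"source": source, "host": host,
                       "country": country, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per source: known hosts, known countries, largest single transfer."""
    baseline = defaultdict(lambda: {"hosts": set(), "countries": set(), "max_bytes": 0})
    for e in events:
        b = baseline[e["source"]]
        b["hosts"].add(e["host"])
        b["countries"].add(e["country"])
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return dict(baseline)


def detect(events, baseline, volume_factor=10):
    """Return (event, reasons) pairs for flows that deviate from the baseline.

    volume_factor is this example's own threshold: a transfer larger than
    volume_factor times the biggest training transfer counts as a spike.
    """
    alerts = []
    for e in events:
        reasons = []
        b = baseline.get(e["source"])
        if b is None:
            reasons.append("source never seen in training window")
        else:
            if e["country"] not in b["countries"]:
                reasons.append(f"new destination country {e['country']}")
            if e["host"] not in b["hosts"]:
                reasons.append(f"new destination host {e['host']}")
            if e["bytes"] > volume_factor * b["max_bytes"]:
                reasons.append("volume spike")
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(TRAINING_LOG))
    for event, reasons in detect(parse(LIVE_LOG), base):
        print(event["source"], "->", event["host"], "/", event["country"],
              ":", "; ".join(reasons))
```

Run against the constructed live log, only the Bulgarian flow is flagged, and it trips all three checks at once (new country, new host, volume spike). Real deployments replace the in-memory sets with a rolling window and per-source statistics, but the shape of the check is the same: model what a business process normally does, then alert on what it has never done.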
He also pointed out that large cloud services may build in more protections
than small companies and individuals dealing with sensitive information can
afford. "Look for external providers with expertise wrapped around
applications," he advised an audience member worried about his small
business's security.
But the first--and often most effective--step is vigilance. Citing a
PricewaterhouseCoopers survey released last September, Germano noted
that "only 8% of companies say they have an overall information security
strategy plan in place." At the same time, more than 70% of respondents are
confident that their security is effective. "We need to question that level of
confidence," she said, going on to list several simple fixes:
- Get the CEO involved. Rather than silo security within the IT
department, an organization-wide plan needs to be led from the top
to assure the attention that cyber security warrants.
- Extend security training throughout the company. "If a company has
50,000 employees, it needs to think about data security with 50,000
people," said Germano.
- Erect firewalls and pigeonhole information on a "need to know"
basis.
- Beef up password protection by requiring less predictable codes and
storing employee and customer information in an encrypted fashion.
- Monitor emails. All of them.
The Legislation Conundrum(s)
In February, President Barack Obama signed an executive order that calls on
government officials to create cyber risk standards. With a particular nod to
private companies that control critical infrastructure, he encouraged sharing
of information and private sector adoption of the standards.
But mandatory participation requires legislation since an executive order
carries zero weight in the private sector. Citing last year's Congressional
failure to pass laws aimed at cyber attacks, Columbia law professor
Matthew Waxman is pessimistic regarding effective legislation any time
soon.
In outlining obstacles to cyber laws, Waxman pointed out that some
challenges are generic to all governments, such as the borderless nature of
cyber attacks and the fast-evolving technology that could quickly make
legislation obsolete or inadequate.
Other challenges are unique to particular countries. Concentrating on the
U.S., Waxman worried that the nation's critical infrastructure, including
telecommunications and utilities, is run privately. In our anti-regulatory
political culture, expect "resistance to solutions labeled as regulatory," he
predicted. Similarly, "Americans are especially sensitive about civil liberties
and distrust giving government access to their data."
And, given the borderless features of the Internet and global reach of
multinational businesses that have to deal with multiple legal regimes, any
effective legislation will require international coordination. Since global
interests are not necessarily aligned, Waxman expects coordination to be
thorny. For example, while the U.S. wants to protect the free flow of
information, other countries, including China, worry about containing
political content.
The panelists feared a digital 9/11 or Pearl Harbor is plausible, and agreed it
could be the spark that leads to legislation. Yet they all suspected that laws
are not the final answer--or even offer the first line of defense. "The
borderless features of cyberspace, and the empowerment that the Internet
gives individuals and non-state groups may suggest that nations are not the
key actors to focus on," said Waxman.
Instead, they look for solutions in ways the public and private sectors
cooperate. Rather than more traditional regulation, said Waxman,
"addressing the challenges may require some new forms of government."