State-sponsored attacks designed to steal intellectual property, infiltrate defense contractors and gain access to the systems running the nation's critical infrastructure must be met with stronger intelligence ties between the public and private sector, according to a security consultant and former National Security Agency official.
The rapid growth of Internet-connected systems, many of which are increasingly interwoven, is creating complex systems that are not being adequately secured to meet the sophisticated threat landscape, said Colonel Cedric Leighton, founder and president of Cedric Leighton Associates, a crisis and risk management consultancy. Leighton, a retired Air Force Colonel, was an intelligence officer and served as the NSA's deputy director for training in his last military assignment.
Cybercrime is costing the U.S. economy billions, Leighton told attendees at the SecureWorld Expo regional security conference Wednesday in Boston. The rising economic costs of cybercrime, the staggering amount of intellectual property theft taking place and the potential of an attack on the nation’s critical infrastructure necessitate stronger ties between the federal government and the private sector, Leighton said. The scope of the NSA’s global surveillance program, revealed in documents leaked by government contractor Edward Snowden, is not a reason to shift attention away from threat intelligence sharing, Leighton said.
"In this day and age when both virtual and real worlds are becoming one and the same, intelligence agencies have to deal with reality," Leighton said. "They have to deal with it in a way that reflects what is out there."
Other countries have offensive capabilities, Leighton said, noting the U.K., France, Germany, Russia and China and citing their close but complex ties to private industry to protect the economy. Leighton acknowledged that legal hurdles remain and said efforts to pass the Cyber Intelligence Sharing and Protection Act (CISPA), which is controversial among privacy advocacy groups and some technology experts, have so far failed. Private companies need to have liability protection if they are going to share information with the federal government, he said. Rather than providing protections for public-private sharing, lawmakers are currently considering ways to scale back the broad data collection activities conducted by the NSA.
"The intelligence community has unique sources of insights," Leighton said. "Actionable information, shared quickly in a way that both public and private sector can find value in it."
Solution providers are girding for the potential impact on business prompted by the NSA revelations, with companies that have global operations affected the most. European countries where data privacy is a serious concern are also considering further restrictions, and some could be turning away from U.S. technology firms, said Jason Hicks, managing consultant in data security and privacy at FishNet Security. In the U.S., businesses want more transparency and are asking more questions of their providers, Hicks said.
"People are legitimately upset overseas and there will be some shakeout from that," Hicks said in an interview with CRN. "There are a lot of people who are asking a lot of questions right now."
Hicks advocates a focus on security best practices and said businesses should properly implement data encryption and other security measures for the most sensitive data. That begins with an analysis of where sensitive data resides within the organization and what controls can feasibly be put in place to protect them, he said.
Meanwhile, in his presentation, Leighton pointed out that traditional security technology is providing a false sense of security for most organizations. Firewalls are being bypassed consistently using custom malware, and authentication technologies are poorly implemented and lack standards to make them work properly across systems and hardware. Businesses are forced to overlay outdated security technologies, often increasing network complexity and opening up weaknesses that can be exploited by attackers, Leighton said.
"Security simply is not baked into the hardware and software we use in our daily lives," Leighton said. "All these things point to the issue of standards that are not there or, when there are standards, they are ad hoc and don't fit in with the advances of that technology."
PUBLISHED MARCH 26, 2014