“You’ve got to ask yourself one question. Do I feel lucky?”
As the delineation between cybercrime and state-sponsored attacks grows more nebulous, coincident with widespread adoption of the cloud, global enterprises are being exposed to significant security threats. As nation states and adversaries alter their tactics from explosives to explosive viruses, cyber warfare is on track to become the new form of traditional warfare.
U.S. House Homeland Security Committee Chairman Michael McCaul (R-Texas) commented in his opening statement on H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act of 2013 that “while high profile retail breaches like the one at Target resonate with the public, a successful cyber-attack on our critical infrastructure could cause much more damage in terms of lives and monetary damage.” Yet cyber risk remains under-estimated by both individuals and most corporations. A Verizon study found that almost half of all companies believe that they did well with cybersecurity, but in fact, only 10 percent were taking adequate steps. A stunning statistic from that same report found that 96 percent of successful breaches could have been avoided if the victim had put in place simple or intermediate controls. According to a major Department of Energy (DOE) report, “the U.S. grid faces imminent danger from cyber-attacks … Widespread disruption of electric service because of a transmission failure initiated by a cyber-attack at various points of entry could undermine U.S. lifeline networks, critical defense infrastructure, and much of the economy; it could also endanger the health and safety of millions of citizens.”
It is clear that our world is quickly moving to a highly connected framework where entire segments of our home, personal life and business are and will continue to be connected in a highly automated, machine-to-machine fabric where actions are taken in milliseconds with minimal human intervention. Over 100 cities across the world in places like Dallas, Chicago, Barcelona, Dubai and elsewhere are moving forward in an Internet of Things (IoT)/Internet of Everything (IoE) concept known as smart cities. Consumers are encouraged through tax incentives to become part of the related smart home construct, where our use of energy and other resources, like water or gas, are automatically monitored via smart thermostats or utility-supplied smart meters. In the healthcare space, connected heath components connect us not just in the hospital where we might expect that to be the norm, and we might even expect it to be secure, but even remotely where our pacemakers or implanted medical devices have the capability to be wirelessly connected for purposes of remote monitoring, telemedicine, clinical trials and the like. Unfortunately, all that traffic is riding on the same Internet where we get our email, watch the latest series on our favorite streaming service or where we shop for everything from clothes to cars to coffee.
So the question is: do you feel lucky?
If not, what should you do individually and what should you do corporately?
First, relative to individuals or consumers, a national, if not international, focus must be initiated to decrease vulnerabilities from consumer electronics. The primary emphasis on cybersecurity should be on the manufacturer with accountability aligned to the risk, much as it is in all other major sectors available to consumers (e.g., prescription medication, transportation). We expect those industries to deliver products to us that first do no harm. Likewise, for consumer based electronics, we should expect companies to create products and systems with security built-in. Period. And as in those other sectors, which are highly regulated, our government has an obligation to put in place the necessary regulations and systems to allow everyone from my teenage daughter to my mother-in-law to look at a purchase she is preparing to make and understand the risk and exposure it will incur. While raising cybersecurity awareness is important and all would agree that an educated, informed consumer is key, it is unrealistic to believe that consumers can solely address the issue when new zero-day vulnerabilities are discovered each week with a life-expectancy of over 5 years.
Second, corporately, it is imperative that companies take a frank and frequent look at their cyber posture. Numerous studies (PWC, Verizon, Symantec) have shown that the gap between a company’s perception of their security posture, and where they really are as measured by independent parties is significant. In the oil and gas segment alone, although 42percent of the corporations believe they are well prepared, only 15percent really are. In the utilities market segment, 38percent believe they are well prepared, but in reality, only 4percent really are. Said another way, using information provided by utility companies, the only reasonable conclusion you can draw is that 96 percent are vulnerable, or very vulnerable to a cyber-attack. The challenge of clearly identifying the benefits of making certain cybersecurity investments is a key focus critical to addressing the risk, as companies are reluctant to invest absent an understanding of the risk and the return on investment. No incentive is more likely to generate attention in the corporate boardroom than the prospect of a lawsuit and the incentive of immunity from a lawsuit in exchange for compliance. We must increase awareness that cybersecurity is not simply a technical issue allocated to the CIO team, but a core business imperative.
Unfortunately, our nature and our history suggest we will forego the necessary investment and precautions to increase our cybersecurity posture both individually and corporately. As every nation state and malicious actor continues to invest in machine learning or artificial intelligence, the day is not far off when the convergence of wireless technologies, analytics as applied to artificial intelligence, and the IoT will be applied to cyber warfare. And on that day, no one will be safe.