Emerging threats (and, again, especially those emerging from the IoT)
On March 7th, SINET ITSEF 18's first plenary session featured a discussion of emerging and serious threats. Brian White (VP, Forcepoint) moderated a panel consisting of Richard Hale (Global CISO, Sony), Tony Cole (CTO, Attivo Networks), Bob Novy (Deputy Assistant Director, US Secret Service) and Joe Weiss (Principal, Applied Control Solutions).
Criminals and connected consumer devices.
Novy presented an overview of the criminal threat, his specialty, from his perch in the Secret Service. Criminals now look to the IoT to create profitable botnets. He also reminded the conference of the importance of the insider threat: criminals want more physical access to systems. An example of such access is jackpotting. "We've also seen criminals approach people in companies," he said, "offering to pay them for some compromise, perhaps something as simple as clicking a link in an email."
Cole sees great scope for education against online scams. People still fall for familiar venerable scams. The Internet-of-things is growing willy-nilly, without much reason or reflection. ("Why do you need a connected toaster?" he asked.) Billions of new IoT devices present a vastly increased attack surface. "The adversary could annihilate us with DDoS." He fears the lessons we're not learning, and the new technology we're not prepared for.
Currently the Sony CISO, but until recently the CISO of the US Department of Defense, Hale saw us failing to make progress on the basics." He sees a "new pattern of attacking third-parties in order to take a whack at somebody else." He also sees the return of the worm. "We hadn't had ugly worms for awhile, but the combination of all these is worrisome." Industry too has its dependability problems. Connected plumbing, for example, is all the rage, and, one might ask, as Cole did with toasters, why anyone needs their household plumbing connected to any information network.
Are we overlooking the industrial Internet-of-things?
Weiss, alone on the panel, took the perspective of the industrial Internet-of-things. He came into security through engineering. His world, control systems, is worried about safety and reliability, not security for the sake of security. "You haven't," he said, addressing information security specialists, "explained to that world how security serves safety and reliability." He's identified more than a hundred deaths and more than $60 billion in damages caused by incidents affecting industrial control systems. He worries more about hacking a nuclear plant to catastrophic failure than he does stealing episodes of Game of Thrones. Everyone's heard about Game of Thrones hacks, but who's heard about North Korea hacking South Korean nuclear plants? Far fewer than one would hope.
The knowledge to conducts very destructive, crippling attacks is now loose. Weiss described Project Aurora, which demonstrated how a cyber attack could work physical destruction in power generating turbines. So the knowledge is now out, but "to this day there's no security whatsoever at level-0 or level-1 devices." Consider the cloud. "Microsoft says it assumes all sensor data that goes to the cloud is secure and authenticated. It's not—the whole infrastructure is built on quicksand."
Perspectives on defense: where are the gaps?
Education is important, both in awareness and in cyber hygiene, Novy said. He's become a fan of phishing tests, for example. Training has led to better reporting of phishing attempts. He also thinks deterrence and disruption important. How might you deter and disrupt criminals? "You've either got to take the tools out of the criminals' hands, or take the criminals off the street," he said, adding that "we've been successful in doing so." There's been improved cooperation internationally against cybercrime. Europol, for example, now has a close partnership with the US Secret Service. At Europol, there are now squads. It's no longer just an information brokering outfit. "They work cases, with us, as squads. We can find crimes and venues internationally. We're sitting side-by-side to disrupt the criminals."
Cole seconded Novy on Europol—there's more law enforcement working together around the globe. He likes the cyber deception space as a way of giving the upper hand back to the defender. But too many people still don't realize that they're targets. He thinks GDPR will help in this regard. Significant fines following failure to report breaches of personally identifying information will serve a useful forcing function. But more work on detection is needed.
"It's important to talk to senior people about consequence and risk," Hale said, "whether you're in the product space (where you consider security in design) or elsewhere, where you need to understand the business risks. Somewhere along the line the economics will shift. The engineering schools don't teach this yet: that there are bad guys, and that they are part of the realistic environment you need to design for. We have to design around the completely interconnected world with bad guys the way civil engineers design around gravity."
Weiss argued that we need to understand what we have installed, and what it's connected to. And then, we need to determine whether we have compensating controls. "In the ICS [industrial control systems] space, there's a lot of technology that isn't there yet, and so we need to control through policy, procedure, architecture. Very few engineering disciplines require attention to security, very few IT disciplines that require attention to safety and reliability."
A role for government: how are conversations about threat evolving?
Novy thought the history of the Secret Service instructive, and so he offered a perspective from the Service's investigation of financial crime, its core mission. He thought that original model might be carried forward. "In 1865 we were founded to fight counterfeiting. The agent's job was to ride into town, find the sheriff, find the banker, then partner with them. The agent would teach them how to recognize counterfeiters, work together to build a relationship, then quietly leave town to let the locals take credit. Today we make notifications in cyberspace. But we've found companies didn't know what to do with these." Relationship building is vital.
In Cole's view, "We have pockets of good and pockets of really bad. The US Government has some good areas, but it's a massive target. It also has the largest footprint." The Government itself has a lot of work left to do. People think they have solutions (like secure coding) but in fact they don't.
Hale advocated Government funding of cybersecurity research and development. "The necessary R&D isn't going to generate revenue for any company, so the government needs to support it." And he'd like to see very liberal intelligence sharing, and collaborative work to drive up costs for bad guys.
Weiss also saw opportunities for collaboration. In his dealings with the Government, he's found that the Government believes in security, but that it doesn't necessarily understand the domain being secured. Private industry understands the domain, but not the security. "So there's an opportunity for complementarity." And he added that "Real information-sharing on incidents comes from the engineers, not IT or security. We [engineers] have always shared incidents, and we need to do more of it."