Physical threats to the nation’s infrastructure and other sensitive assets aren’t the only ones to keep an eye on.
“Critical threats facing our nation today emanate from the cyber realm,” said Shawn Henry, then Executive Assistant Director of the FBI for cyber security in a speech at the Information Systems Security Association International Conference in Baltimore. The October 2011 speech is transcribed in full on the FBI Web site. “We’ve got hackers out to take our personal information and money, spies who want to steal our nation’s secrets, and terrorists who are looking for novel ways to attack our critical infrastructure.”
Henry, who has since retired from federal service to become president of services at security startup CrowdStrike, said, “I believe the cyber threat is an existential one, meaning that a major cyber attack could potentially wipe out whole companies. It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately even kill people.
“Intrusions into corporate networks, personal computers, and government systems are occurring every single day by the thousands.”
While businesses are usually most concerned about disgruntled employees, pranksters, and criminal organizations, he said that businesses actually face cyber-threats from three primary groups: foreign intelligence services, criminal enterprises, and terrorist groups.
Of those, the first are generally the most capable and are often interested in stealing company secrets that they can provide to their own industries. “One company that was recently the victim of an intrusion determined it had lost 10 years’ worth of research and development – valued at $1 billion – virtually overnight.”
Organized criminals are moving from the physical to the digital world and have “stolen hundreds of millions of dollars from the financial services sector and its customers. Their crimes … create a significant drain on our economy.”
Terrorists have so far been less prominent, but that does not mean they will remain that way. “As 9/11 taught us, we can’t assume that just because something hasn’t been done before, it isn’t a possible threat.” Terrorist organizations may lack the internal capability to do serious damage via cyber attack, “but the reality is that capability is available on the open market.”
And while most companies focus on short-term events – the equivalent of a theft in the physical world – a major and less recognized danger is long-term penetration.
“In one of the most sophisticated and organized attacks on the financial sector, an international network of hackers obtained access to a financial corporation’s network and completely compromised its encryption,” Henry said. “They were inside the system for months doing reconnaissance, which enabled them to steal millions of dollars in less than 24 hours when they finally took overt action.”
In another exploit, an international cyber-criminal organization used an Automated Clearing House (ACH) wire transfer system to access online commercial banking accounts and distribute malicious software, stealing nearly $70 million.
And the threat, he said, is growing. The 2011 Norton Cybercrime Report estimated losses to total nearly $400 billion a year, with more than one million people victimized daily. The Ponemon Institute reported that the number of attacks on companies in its survey increased 45% from the previous year and cost 70% more. And these studies only cover remote access attacks, not attacks through the supply chain, those involving trusted employees, or proximity attacks on the network.
Overall, this paints a grim picture that should concern C-level executives more than it usually does. Fortunately, businesses do not have to face these threats alone. The FBI, he said, has several programs to provide help, including the National Cyber Investigative Joint Task Force (NCIJTF), which coordinates the efforts of more than 20 government agencies. It has also partnered with private companies to share information, to prevent attacks before they happen, and to inform them of breaches in progress that they were not aware of. And it works closely with law enforcement worldwide to arrest cyber-criminals. In 2010 this resulted in 212 such arrests and the first extradition of cyber-criminals from Estonia to the United States.
Dealing with this threat, he said, starts with the basic risk equation: “Risk equals threat times vulnerability times consequence.” An effective risk reduction strategy involves a defense-in-depth approach designed to decrease all three elements of the exposure. Decreasing the growing threat involves police action to identify, arrest, and convict cyber-criminals. Decreasing vulnerability involves hardening corporate cyber-defenses and, when possible, taking valuable information off the network entirely. Managing the consequences involves minimizing the harm that a penetration can cause, perhaps by encrypting information and by developing plans to act swiftly when a penetration is identified.
“We must continue to push forward, because our adversaries are relentless,” Henry said. “Together we can turn the tide against them and bolster the security of our nation’s information, networks, and infrastructure.”