Cyberspace offers enormous opportunities and benefits through increased innovation, collaboration, productivity, competitiveness and engagement. But hardly a day goes by without news of a new cyber threat, or actual data breach, arising from ‘malspace’ – an online environment inhabited by hacker groups, criminal organizations, espionage units, and terrorist groups. The big question for governments, enterprises and individuals alike is how can this growing cyber threat be countered without losing the huge benefits of internet-based trade, commerce and communication?
When you consider that some 80% of growth in business-to-consumer markets is coming from internet-based channels, and nearly all business-to-business transactions are done electronically, it’s clear that cybersecurity ought to be top of most chief executives’ agendas. Of course, it’s not just commerce that is shifting to the internet: increasing volumes of government business, national infrastructure management, and everyday social interaction are being conducted online.
Cyberspace is constantly evolving and presenting new opportunities, as the desire of businesses to quickly adopt new technologies – using the internet to open new channels and adopting cloud services, for instance – provides enormous opportunity, but also brings unforeseen risks and unintended consequences that can have a potentially negative impact.
There is often pressure from within organizations to adopt social networking channels like Twitter and Facebook for communications with customers and other stakeholders. But opening up these channels is a double-edged sword that can expose an organization to increased risk – particularly of permanently damaged reputation – when something goes wrong.
With cyberspace so critical to everything from supply chain management to customer engagement, holding back adoption or disconnecting from cyberspace altogether are simply not feasible. Yet the commercial, reputational and financial risks that go with a cyberspace presence are real and growing.
An Attractive New Hunting Ground
Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists who are motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks.
Part of the attraction of online crime is its anonymity: the risk of getting caught in the act of committing a cybercrime is much less than that of a ‘real-world’ crime. It is relatively simple to hide where and by whom the crime is being committed. On top of this, there is the challenge of differing laws and regulations across jurisdictions, which makes prosecuting cybercrime a thorny issue.
In addition, cycle times are shortening and the potential rewards are growing for successful attackers. Cybercriminals worldwide are increasingly organized and professional in their approach. They innovate just as business does, and the financial rewards grow in line with increasing business use of cyberspace. Cybercriminals now have access to powerful tools and expertise for identifying, targeting, and attacking their victims.
All the benefits that cyberspace brings to legitimate organizations – collaboration and innovation, faster development of new technology, global connectivity – are also available to attackers. Every hacker group, criminal organization and espionage unit in the world has access to highly effective and evolving capabilities. With unprecedented opportunities for collaboration, there is now an entire malspace ecosystem, complete with marketplaces for buying and selling the tools and expertise needed to target and execute attacks.
All this makes it imperative for governments and enterprises to build up cyber resilience. But how can this best be achieved?
A Proportional, Broad-based Approach
Cyber attacks may be hard to predict or prevent, but the way in which organizations respond to attacks is critical to long-term success against cybercrime.
The ISF believes a proportional approach to building cyber resilience is required that balances the need to protect organizations and individuals with the need to enable free, legitimate trade and communications. There is little value in implementing draconian laws, or engaging in a tit-for-tat cyber ‘arms race’ with the inhabitants of the malspace.
We have seen a number of initiatives recently proposed by governments around the world for tackling cyber threats. The UK government’s allocation of £650m in additional funding toward protecting key infrastructure and defense assets against cyber attacks by encouraging collaboration between intelligence agencies, academia and business seems a sensible strategy.
In Europe, national government approaches to cybercrime will soon be overlaid with EU-wide cooperation, with the announcement by the European Commission (EC) of plans to create a European cybercrime center, operating under the auspices of Europol. This European center will provide a cooperation hub for defending an internet that is free, open and safe, focusing initially on illegal online activities carried out by organized crime groups. The center will warn EU member states of major cybercrime threats and alert them to weaknesses in their online defenses, as well as identify organized networks and prominent offenders operating in cyberspace.
However, opposition from civil rights campaigners in the US to Congress’ proposed Cyber Intelligence Sharing and Protection Act (CISPA) demonstrates how fine the line is between acting in defense of people’s rights and freedoms, and being seen as a threat to them. Under the CISPA proposal, private companies and the government would be able to share any information directly related to a vulnerability of – or threat to – a computer network.
As tempting as it might seem, treating cyber warfare as analogous to conventional warfare – where the threat of retaliation is deemed enough of a deterrent to prevent a major cyber attack on national infrastructure – is almost certainly a losing strategy. The stakes are too high, and the consequences of retaliation are too unpredictable for such a policy to be effective.
The harsh reality is that this is probably an unwinnable ‘war’, given the increasing sophistication and pace of change in cyber attacks. If we could apply all the best-practice security controls, the incidence of successful attacks would decline, but some cyber attacks will still succeed. What is achievable, however, is to prepare an effective response to the inevitable attacks so that their effect is minimized.
From Cybersecurity to Cyber Resilience
Cyber threats are not just an issue for the information security function: they require the involvement of every discipline within an organization, and its partners and stakeholders. A coordinated, collaborative approach is needed, led by senior business leaders – preferably the chief executive or chief operating officer, and certainly a board member. Organizations need to coordinate with customers, suppliers, investors, the media and other stakeholders; formulating a resilient response allows organizations to prepare for events that are impossible to predict.
This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.
By reacting quickly and positively to a cyber attack, organizations can not only minimize reputational damage, they could potentially turn the situation into a positive one, if the reaction is seen as honest and sensitive to the best interests of customers and stakeholders.
One key element of building cyber resilience is to establish a governance framework with board-level buy-in for monitoring cyber activities – including monitoring partner collaboration, and the risks and obligations in cyberspace. Organizations should have a process for gathering, analyzing and sharing cyber intelligence with stakeholders. They also need a process for assessing and adjusting their resilience to the impacts from past, present and future cyberspace activity.
In addition, organizations should apply the same partnering approach internally – sharing knowledge and best practice across business units and functional groups.
In the drive to become cyber resilient, organizations need to extend their risk management focus from pure information confidentiality, integrity and availability to include other risks, such as those to reputation and customer channels, all the while recognizing the unintended business consequences from activity in cyberspace.
Establishing more robust cybersecurity alone is not enough either. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any negative impacts of cyberspace activity.
Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, because organizations will be subject to cyber attacks regardless of best efforts to protect themselves.
Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack. The concept of intelligence sharing and partnering – both within an organization and outside – forms the foundation for the Information Security Forum (ISF) Cyber Resilience Framework, part of the ‘Cyber Security Strategies’ report.
By adopting a realistic, broad-based, collaborative approach to cybersecurity and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond appropriately.
Michael de Crespigny is CEO of the Information Security Forum (ISF), an independent, not-for-profit association of leading organizations from around the world. His mission for the ISF is to help business leaders understand what they need to do from an information security perspective to keep their businesses safe. Prior to joining the ISF, the London-based de Crespigny was a partner with PwC. He joined the ISF in January 2010 as COO/CFO, reporting to then-CEO Howard Schmidt. He was named CEO in July 2010, following Schmidt’s appointment as President Obama’s cybersecurity coordinator.