IBM panel debates hot-button security issues

The panel was moderated by Steve Robinson, general manager of IBM security solutions, who kept the lively discussion going by examining subjects close to the heart of any IT security professional.

The topic of nation-state cyberattacks may be all “gloom and doom”, joked Robinson, but this is the sort of thing that is really happening almost every day.

Far from the notion of a dark room of foreign hackers looking to make headlines by bringing down the power grid or a company’s computer network, state-sponsored cyberattacks tend to be more stealth-like, and with good reason.

“A patient, organizational attack can be very well hidden”, said Jack Danahy, a senior security executive with IBM. “The evidence of its existence can be spread over a very long period of time, and until it does something, the behavioral evidence is lacking as well”.

“It calls to us to be a little bit more diligent in terms of the way that we understand the way these systems operate, and the way we construct them from the beginning”, he added.

But Kristin Lovejoy, the VP of strategy at IBM Security Solutions, said this debate requires further clarification, as she poked back at Danahy’s comments.

She believes that nation-state actors who engage in cyberattacks are not, at this point, really looking to destroy a particular nation’s critical assets. “It’s more [about] intelligence gathering”, Lovejoy replied. Destruction could be their object, she acknowledged, but the real security threat currently lies in simple information gathering.

In his response, Danahy said he makes no assumptions about the intentions of foreign actors in relation to cybersecurity incidents, highlighting the information-gathering malware that was discovered earlier this year within the US electrical grid. “All I know is that there is something there that shouldn’t be.”

The conversation then shifted directly to cloud security and, primarily, the reasons why organizations have been hesitant to embrace cloud solutions due to security concerns.

“The fear weighing on cloud is: ‘If I can’t see it, then I can’t control it’,” said Jason Medeiros, VP of hosting at American Well Systems – an IBM customer. It really comes down to the trust you have in your particular third-party cloud provider, he insisted.

“You have to look at your data, and what are their requirements”, added Linda Betz, CISO at IBM. “Highly regulated data is probably going to be the last set that will ever go to the cloud.”

Danahy, however, looks at the effect of cloud computing on security from a different perspective. “I think the cloud has been really good for security”, he noted. “We’re hearing people asking [security] questions before they roll out new applications that are going to be in the cloud”.

“I think that the cloud discussion, and the way that people are thinking about implementing secure hosted services in the cloud has been really good for the security community. And my hope is that we see somewhat of a whiplash, and some of the hard requirements that we are putting forth on cloud-related services come back internally and help us do a better job building stuff we’re going to host ourselves.”
