Page 34 - Citi Perspectives - Public Sector - 2014

new unique malicious web domains in 2012.
Large-scale web-based attacks seek to destroy
infrastructure, not make money, and those
web-based attacks are up by over a third in just
a year. Over 600,000 identities are exposed
per network breach. Unfortunately, U.S.-based
sites and servers are the center of attraction;
the U.S. hosts 2/3 of the global spear phishing
sites and over a third of the world’s botnet
C+C servers. The newest technologies, from
NFC to location-based capabilities, act like a
lightning rod for cybercriminals. “Server side
polymorphism” (where code is mutated from
the server) is now occurring at unprecedented
levels. The number of phishing sites spoofing
social media sites is up 125% in a year. This will
only get worse.

Most unfortunately, we also have government
actors able to fund the modern day equivalent
of a nuclear arms race. Single tier traditional
perimeter security systems are today’s
“Maginot line.” Industrial control systems that
control chemical facilities and public utilities
have blurred the lines between cyber and
physical security. Networks that control our
financial markets and hospitals are vulnerable.
Tier V and VI attackers (the most dangerous
and sophisticated) have redefined “fat tail” risk
not just for the financial system, but for the
U.S. economy as a whole.

The Digital Age of Cyber-Security Partnerships:
Today, amidst these challenges, we simply
must explore new public-private partnerships.
Let me throw out a few examples and ideas.
First, we need to profoundly expand R&D
partnerships to explore cyber-security
challenges; think RAND in the 1950s and 60s.
This will of course require new conceptual
frameworks for who to bring inside the tent
and who should be left out … the lines are more
difficult to draw than they have ever been in
the past. As Thomas Harrington, Citi’s Chief
Information Security Officer, says, we have to
redefine the “circles of trust.” These circles of
trust must increasingly be built between U.S.
government entities and select private sector
teams. However, they will need to be extended
across borders, methodically and carefully, to
allies and friends in both the public and private
sectors.

As governments work together with the private
sector on protecting citizen and consumer
identities, multifactor identity security
(including biometrics), data analytics, and
device identification will replace passwords.
The framework for identity protection in the
future will require more intense cooperation
between governments, financial institutions
and regulators.

As is the case in the sphere of natural
disasters, we need resilience and redundancy
testing and metrics in order to successfully
respond to these challenges. We should
systematically develop national core financial
enterprise resilience with the same vigor that
we fight physical wars and protect our nuclear
capability. There should be little doubt that
a cyber-driven collapse of financial markets
would have grave psychological and real,
sustained economic consequences.

A critically important “old world” tool in this
new war will be cyber war gaming. An excellent
example of public-private cooperation in
this area is the work that has been done
between the securities industry and the DHS
Science and Technology Division to develop
technologically compatible ways to mimic
cyber attacks on global capital markets.
However, it is important to note that, as cyber
war games are being used across industries to
stress test vulnerabilities, unfortunately, the
“red teams” are still winning.

Data analytics is another area for increased
partnership: Cooperation in the area of big
data analytics that, for example, will allow a
further move away from manual intrusion
detection to analytics that detect intrusion
from within networks is vital. This area is often
a highly classified arena. Exploring ways to