Je suis Charlie – In Cyberspace
Sony of cyberattack fame is not French, nor as sympathetic as Charlie Hebdo and didn’t suffer a loss of human life in its (latest) breach. Otherwise, “Je suis Sony” might have rhymed just as well as #jesuischarlie.
– 2015-01-11_14-50-29_ILCE-6000_DSC03909
But Sony did suffer a vicious and punishing attack for releasing a light-hearted comedy film on a plot to assassinate Kim Jong-Un who – although not the religious icon portrayed in the pages of Hebdo – is basically the God-King of North Korea. Parallels in many things, but not the public response.
Sony didn’t get a million and a half people marching down the streets of Paris in a show of solidarity. (But maybe it should).
Although we may hiss and boo at Sony executives’ unkind emails about one of our favorite actresses – we should defend their right to send them in the name of privacy and freedom of speech. Just as we should defend their right to create a stupid movie.
Although no human lives were shed, the sacking of Sony was just one more episode in the ongoing tragedy of global Internet security dysfunction. As I wrote in Security Architects Partners New Year’s Eve post….
2014 was the year our trust in information collapsed. (But we haven’t counted the cost).
SecurityWeek cites Gartner data counting the cost of cybersecurity at over $76,000,000,000 per year. That’s about 6.1% of total IT spending for large global organizations, almost double what was required 5 years ago. Given Security Architect’s business, I guess I should like that. But I wish all the spending was more effective, that it could bring us closer to the dictionary definition of security as “freedom from danger, risk…” Unfortunately, 2014 and 2013 reaped a bumper crop of breaches, surpassing previous years.
Then there’s the damage estimates, such as McAfee’s “global cost of cybercrime” pegged “conservatively” at $375,000,000,000 per year. Overstated? Probably. But I would add that neither the $75 billion or the $375 billion fully factor in the personal costs on people trying to protect themselves, or the general costs of a state of increasing distrust or discomfort on personal well-being, productivity and the economy…
Without a “Je suis Sony” moment, are we at least making progress?
In Security Architect’s view, organizations and the security industry that supports them need to make progress in two main areas: deploying more effective security programs, and security data sharing between products and between companies in similar vertical industries.
Deploying more effective security programs
More effective security programs start at the top, with good security governance. Later this week, we will announce a webinar highlighting some of our research and thinking on the subject. Effective security programs also require a systematic, comprehensive approach to security that’s based on standards and based on science.
Through the industry, we see increasing numbers of organizations striving to improve governance and risk management, which are the starting points for an effective program. Our challenge is that attackers – not just a mammoth number of semi-organized cybercriminals, but also nation states larger than the biggest corporation or university – are also advancing. In addition to improving their own game, organizations on the defense have to play a team game, and a public opinion game.
Improving security data sharing
I’ve had a couple posts on the importance of security data sharing – between vendors, and between businesses in similar industries – as a way to improve defence effectiveness in the face of escalating attacks from the cybercrime underground and from nation states. Now security data sharing is back in the news. President Obama may propose, or Congress may propose, another attempt at legislation.
Legislation has failed before, but security data sharing continues to make progress. I’ve made the case for optimism in the context of the industrial control systems (ICS) industry: “You don’t need massive numbers of up-bound information feeds to dramatically improve all levels of situational awareness. In the financial industry, only 15% of financial institutions share their own information with others through the FS-ISAC, but virtually all utilize information shared with them. If only 1% of an ISAC’s members shared information, we’d have tremendous ICS insight into threats, vulnerabilities and practices. Insight we lack today. If 10% shared up-bound data, we’d be done.”
Conclusion
We haven’t had a “Je suis Charlie” moment in cyberspace yet, but we’ve had many “Je suis Sony” moments. For years, China was the “country that could not be named” when Western corporations complained of cyberattacks. But after Google, the New York Times and many others spoke up about economically- or politically-motivated attacks they’d faced, foreign appetite for high-technology manufacturing in China decreased. The U.S. indicted multiple Chinese generals said to be leading the hacking. The Chinese economy is slowing.
Similarly, revelations of rampant NSA spying exploits – including intentional weakening of trusted security protocols and backdoors into major social and telecommunications networks exacted a cost on the U.S. technology sector. Large technology companies are pushing hard for the U.S. government to respect their corporate privacy and their customers’ privacy.
Transparency is our friend.