The Consequences of Privatizing the Cyber Cold War
Security | Mar 17, 2017
This week, the U.S. Justice Department announced indictments of two Russian spies in connection with the heist of 500 million Yahoo user accounts in 2014. Indictments were also levied against two known criminal hackers in the same case.
These indictments mark the first U.S. criminal charges ever filed against Russian government officials related to cybercrime and hacking. The Justice Department had previously filed charges against five Chinese military hackers in 2014, and it imposed additional sanctions against North Korea after the Sony hack.
Why file charges?
Following the indictment of the Chinese military hackers almost three years ago, the U.S. saw a reduction in hostile cyber activity and, in 2015, a pledge from China not to conduct cyber-espionage against American companies. Filing charges can be a deterrent even though, in most cases, those charged are citizens of non-extradition nations and will never face a court.
But those charged can (and do) slip up and travel to countries with extradition treaties in place. This was the case for one of the two hackers charged in the Yahoo case, Karim Baratov. Baratov, a Canadian citizen born in Kazakhstan, was arrested in Canada after the indictments came down. So, while they won’t come close to wiping out high-level hacks, indictments have probably helped a bit.
Privatizing cyber warfare is making security more challenging
What this new indictment, especially when combined with the recent “Vault 7” WikiLeaks release, really highlights is the increased dependence of governments on private contractors and/or cybercriminals to conduct operations.
The privatization of state-sponsored hacking is already having profound effects on the cybersecurity community. Perhaps most concerning, the rapid proliferation of new technologies and tactics is now at a point where cybercriminals are approaching a level of sophistication once reserved only for state-backed operations.
The conversation is moving from cybersecurity to a higher order of need: privacy and safety
Most cybercrime today is financially motivated and targets traditional “endpoints” – connected devices like computers, laptops, and servers. When the target is corporate data, companies have developed programs that include cybersecurity software, cyber insurance, and more to deal with risk and protect their systems. Programs such as no-fault policies for identity theft help insulate consumers, to a large extent, from the impact of cybercrime. This is one reason that there is no great public outcry when it comes to cybersecurity. Yet.
However, the new generation of connected devices may change all of that.
The universe of vulnerable devices is moving beyond traditional endpoints to “edgepoints.” An edgepoint is defined as a connected device that 1) lives on the edge of a corporate network where it is inherently less secure, 2) can make decisions (e.g., a connected car that can change lanes), and 3) does not communicate often with the central network. Edgepoints include everything from mobile devices to connected TVs, cars, watches, and even pacemakers and power plants.
When ransomware targets the power grid or a heart monitor in an operating room, the need is of an altogether higher order – the fear is now about safety. When malware turns your TV or baby monitor into a listening device, the issue is personal privacy. As devices change, and the nature of attacks changes, the pressure for better security should grow as well.
So, what comes next?
The benefits for business and consumers ensure that the universe of connected devices will continue to grow. To protect these devices, major shifts are already underway in the cybersecurity space.
First, most have begun to smartly abandon the notion that anyone can prevent all breaches. The growing number and sophistication of cyberattacks ensure that at least some will be successful. Realizing this, organizations are shifting their focus – and spending – to rapid detection and response. But there’s still a long way to go: today’s average breach goes undetected for more than 100 days. However, with the right detection and response tools and strategy, businesses can reduce the time elapsed for attack detection by 90% or more. By stopping the bad guys more quickly, organizations reduce the risk of major impact.
Second, security needs to be a critical element at the device development level. Many of the “smart” devices on the market today, like smart TVs, have little-to-no built-in security. If security is not placed at the core of development for these new edgepoints, then we all face a much greater risk of a cybercrime event with significant public safety consequences.
Patrick Dennis is the President and Chief Executive Officer for Guidance Software, directing the company’s strategy and operations worldwide. Before joining Guidance Software, Patrick served as Senior Vice President and Chief Operating Officer of EMC’s Cloud Management Division, where he enabled enterprise IT groups to make hybrid-cloud computing a meaningful part of IT strategy, and was responsible for long-range planning, mergers, and acquisitions, and divisional strategy.