Cyber incidents are on the rise, with nearly 100 percent of
Forbes Global 2000 companies reporting breaches within the
last 18 months. With the emphasis placed on new and emerging technologies, corporate America has become an attractive
target for cyber criminals.
Contrary to rising domestic and international accusations
and mistrust of U.S. government cyber programs, prompted by
media attention to NSA contractor Edward Snowden and the
NSA surveillance program, the U.S., by policy, does not engage
in economic espionage. By contrast, most other nations do. We
have all heard news reports of nation-state sponsored cyber
activities, targeting U.S. public and private sector organizations,
allegedly from China and Iran.
It is further alleged that Iran, in retaliation for the Stuxnet
incident in 2010 responsible for setting back their nuclear ambitions, has recruited the largest army of hackers on the planet.
According to Vice Admiral Mike McConnell, former NSA and
DNI Director, speaking at the Bloomberg Cybersecurity Conference in October 2013, it is estimated that over 200 nations
have an active cyber intelligence capability.
Cyber tools, used for computer network exploitation, can
also be used for cyber attacks. These capabilities are cheap and
are being built by the thousands. The alarming reality is that
most U.S. corporations have been penetrated and in most if not
all cases malware has been installed and hidden within their
networks, with data either currently being “exfiltrated,” or with
an ability to do so remotely and at will.
It is estimated that over the next 10 years, if these clandestine operations against U.S. corporations continue, there will
be serious consequences to our free market economy. Our
market-leading, competitive advantage in research and development and world class innovations could be greatly reduced,
potentially hurting our ability to compete globally.
We believe that the answer to combatting this threat is focused around the concept of precognitive capabilities, a holistic
approach utilizing both artificially-intelligent technologies and
top industry cyber professionals, with a laser focus on predicting, preventing, and persisting against cyber incidents.
An ethical hacker was recently quoted, “Given enough time
and resources, I have always been able to breach my target. I
The fact is that much of this low-hanging fruit can be elim-
inated with the 80-20 rule. About 80 percent of cyber breaches
can be prevented with the application of industry security best
practices. It’s the remaining 20 percent that cause C-level execu-
tives (especially those from Target and Neiman Marcus) to lose
sleep at night.
The alarming reality is that regardless of how diligent any
organizations’ IT department is at reaching compliance with security best practices, it is impossible to eliminate all vulnerabili-ties. I equate it to the legend of the Dutch boy plugging the hole
in the dike with his finger, in an effort to hold back the Atlantic
Ocean. You plug one hole only to find ten more.
So, what’s there to do and where to begin? We can no longer
afford to wait for a breach to occur before we respond. We must
predict and prevent—educate, train, and employ security best
practices so that when the adversary strikes we are ready. The
following is a simple list that, if applied, is guaranteed to reduce
K Develop a security and risk-assessment strategy
K Implement the strategy
K Establish a security baseline, aligned with best practices
K Identify security gaps
K Prioritize findings
K Develop and implement a mitigation strategy
K Continuously monitor network assets
But to stop there would be a mistake; we must persist. It has
been said more than once that the solution is less technical and
much more philosophical and political. Cyber security is not
a once-and-done IT project. It is an ongoing effort with newly
evolving threats that we must anticipate and adapt to overcome.
I encourage those of us that have been in the fight for many
years to not grow weary and continue to look for ways to find common ground for reaching collaboration between public, private,
and international communities, with the realization that cyber
security is a journey, not a destination … it never ends. ITA
Carlos Fernandes is Salient’s director of the Cyber Security Center of Excellence. He can be reached via email at
Combatting Cyber Threats:
Predict, Prevent, Persist
U.S. companies have become a target for hackers across the world.
By Carlos Fernandes