Cyber security 'failure' could result in next major terrorism attack
Compliance, standards, a shortage in IT security skills and budgets are reasons behind the 'failure' of cyber security, experts conclude at French information security conference
Criminals use new zero-day bug to 'target military and defence'
Severeal industry experts labelled cyber security as a ‘failure' and a ‘challenge' at a leading conference in Lille, France on Tuesday.
Speaking at the sixth International Forum on Cyber Security, a panel comprising futurologists, former police investigators, industry vendors and privacy advocates looked at the state of cyber security and the challenges facing CIOs, CISOs and other IT managers.
The topic was ‘Is cyber security a failure?' and the initial question drew a mixed reaction from the panel of experts; Marc Watin-Augouard, a former Inspector General of the Armed Police in France but now general of the 2S Gendarmerie Nationale, and ANSII director general Patrick Pailloux were more adamant than others that the answer to this question is ‘no'.
“Cyber security is always going to be built on respective failures; you always have to have failures to make for reliable cyber security,” said Watin-Augouard.
Pailloux, who heads the French national security agency ANSSI, compared the state of cyber security to 19th century medicine. “We are still progressing; it's exactly the same situation.” Jean-Michel Orozco, CEO of Cassidian Cybersecurity added that it is a “challenge” brought about by the growing number of digital devices and said that budgets and technological solutions will be key going forward.
Other experts at the annual convention were, however, more damming on the challenge ahead, at least in light of the growing number of attacks against governments and organisations like Target.
‘Snowden did more for cyber security than all of us in this room'
Asked, like the others, if cyber security was a failure, futurologist David Lacey of IOActive delivered the most damming statement. “Yes, it has failed at all levels,” said Lacey, mentioning compliance and regulations as two attributing factors.
Lacey, the former Director of Security and Risk Management for the Royal Mail Group, added that IT managers are not managing compliance appropriately, said that the regulation itself doesn't encourage technological innovation and branded the current cyber security standards in place as “old school”.
And with attackers able to change the method of their attack in a moment, Lacey said that businesses would ideally need to replace the “Deming loop” – a four-stage management method entailing ‘plan, do, check, act' and often used in business to continually improve processes and products -- with the "BOYD loop" (‘observe, orient, decide and act'), which is more often used by fighter pilots and special forces.
“There needs to be new attitudes, new skills and new technologies,” Lacey told the 3,000-strong conference audience. Should such changes be bypassed, the futurologist worries that the next big terrorism attack could well be in the cyber world.
“Nothing will change until there's a 9/11 incident in enterprise or society,” he added. His comments coincided with a new report from CrowdStrike, which has identified five state-sponsored espionage groups, including actors from China, Iran and Russia.
Jeremie Zimmermann, the outspoken co-founder of La Quadrature du Net, a citizen advocacy group fighting for rights online, was in similar agreement about the cyber security ‘failure' and said that turning this around will be reliant on involving citizens, especially in light of the scale of NSA and GCHQ surveillance.
“We've chosen the wrong path and forgotten a main perimeter – that the citizen is at the heart of cyber security,” he told the conference. “The trust has been broken now. Snowden did more for cyber security than all of us in this room.”
Zimmermann, a friend of WikiLeaks founder Julian Assange, took a quick poll of the room to discover who used products or services from Apple, Microsoft, Google or Facebook – companies that have been associated with the NSA scandal. On finding out that approximately 70 percent of the room did use these products or services, Zimmermann said: “You put your trust in those companies; you handed the keys to someone who looked pleasant, but they raided the fridge, slept with your wife and changed the locks.”
Standards, products and skills must change
Investigating the way forward for cyber security, the panel concluded that there needs to be improvements across the board, from appeasing people on privacy and surveillance and introducing newer technologies to finding ways to improve cyber security skills, standards and C-level understanding.
Lacey, though, urged companies to get away from the “mono-culture” where all companies use the same products.
“I don't think there are any best practises,” said Lacey. “Best practises create a mono attitude where everyone copies each other. There must be a greater choice of technologies”.
“There are going to be some spectacular attacks [in 2014] for political and criminal motives.”
Panellists also urged for a rethink on standards and compliance, with Jean-Michael Crozco and Lacey in particular keen for businesses to seek ways around compliance quicker in the event of a cyber crisis.
“On the issue of compliance, must there be times when the CEO is always informed?” questioned Crozco. “What matters to the CEO are the pennies and how much it's going to cost if they're under attack.” Lacey added that boards must also “trust” CIOs to push ahead with crisis response solutions even if it means “there are no guarantees on ROI”.
But the biggest concern for the experts was notably a lack of skills – an area that has been reported a lot on SCMagazineUK.com – and Lacey said that there is no easy fix.
“There's still a serious shortage in cyber security skills,” said Lacey, who later added that there was a 60 percent increase in cyber crime in the UK last year, costing the economy approximately £81 billion. “It's a special type of person [to be a cyber security professional] and they can't be manufactured.”
He noted too that the rewards are much higher in the criminal world, and pointed to the example of the ‘Iceman' in the US, a former security consultant who became a black hat. “It's a young man's game but there's a choice between crime and security,” he said.