Cybersecurity requires stealth, patience and resources on a global scale

We must monitor cyber-criminal connections to follow attackers back to their source, and have mechanisms – technical or legal – to stop them resuming their activities elsewhere, says Neil Campbell.


Today's cyber-criminals are more focused and organised, devoting months, even years, to gaining intelligence on business weaknesses, and their efforts typically culminate in a burst of targeted activity over a short period of time. Unfortunately, by not collaborating and sharing information on attacks in an open and proactive way, the business community has been allowing the bad guys to 'divide and conquer'. The time has now come to step up the level of information sharing.

We know that while the internet drives innovation and economic productivity, it also brings new threats. We need to be able to control these in order to take advantage of the benefits. A piecemeal approach to security is no longer tenable. Indeed, remediation of a raft of recent cyber-incidents could have been achieved more speedily if business, government and the ICT and security industry had been sharing information more openly and proactively. Take, for example, how a recent attack on a group of 30 banks resulted in the theft of nearly US$1 billion (£650 million). The cyber-criminals had been lurking on the banks' networks for over a year, gaining a deep understanding of their processes and systems. Then the attack was executed extremely rapidly and was almost impossible to detect. A traditional bank robber – wearing a black mask and brandishing a weapon – wouldn't net more than a fraction of what today's cyber-criminals can.

In his January State of the Nation address, President Obama called on Congress to pass broad legislation to bolster cyber-security across the government and private industry, in a move to counter the escalating threat of high-profile data breaches. There can be little doubt that President Obama's public declaration that current measures are lacking, and his pledge of several billion dollars towards improving internet security, indicate that we've reached a tipping point.

In recent years a variety of measures have been implemented in an effort to stem the tide of cyber-crime. Computer emergency response teams (CERTs) – co-sponsored by governments, academia and the security industry – have been stationed around the world to help organisations respond to cyber-crime emergencies. Equally, traditional law enforcement has played an active role in 'policing' the internet on behalf of business and government. And, in areas of critical infrastructure such as electricity and water supply, governments have put in place – and fund – mandatory audits and security controls.

Since Obama's statements, there's been much debate about how players in the ICT security industry can and should play a role in advancing the war on cyber-crime. Some believe that industry vendors need to be more forthcoming about sharing their data instead of trying to convert it into sales opportunities. While the industry has set up its own forums, these are generally focused on exchanging information on specific types of data – like malware – and are therefore not very effective in creating a unified data set. Additionally, many vendors don't 'clean' the data they share, which makes it less useful.

Perhaps the greatest shortcoming is that those who analyse the data do so from a technical point of view, rather than taking an integrated political, social, and technical approach. The industry needs to gain more insight regarding who is launching attacks and how they're going about it.

The first step we need to take is to monitor all the networks used by today's cyber-criminals – or at least their public exposure points – and make that information visible. Only then can we identify the nature of an attack, where it originated, when it took place, where it moved to, and exactly what the attackers were after. We need to collect information about attacks in a forum that's continuously updated and, in turn, communicate this to each other in a strategic way.

Once that's in place, we must make a point of monitoring connections to follow attackers back to their source. And most importantly, we must have mechanisms – technical or legal – to stop cyber-criminals from resuming their activities elsewhere. Right now, none of this exists, so attackers are free to exploit the gaps.

The internet offers a collective pool of different, individual networks that can be harnessed to fight against criminal activity. Ultimately, it's one thing to have a call to action – it's another to take action.

Contributed by Neil Campbell, group general manager, Security Business Unit, Dimension Data