Security pros not ready for attacks, still don't want government regs
- By William Jackson
- Apr 25, 2012
Security professionals believe cyberattacks are coming, but they aren’t sure what to do about them and don’t want government involved in protecting them, according to a recent survey by security company Bit9.
Two-thirds of those surveyed believe they will be the targets of cyberattacks in the next six months, and most say their current security is inadequate but they do not think government regulation will improve it. Implementing best practices and better security policies is the best way to improve security, most said. But left to their own devices, they have not yet done this.
“There is a general skepticism born from experience that government regulation does not result in security,” said Bit9 CTO Harry Sverdlove. “The things they can do to improve this are the things that are in their power.”
Major cyberattack on US ‘inevitable,’ experts tell Congress
Which is the bigger threat, missiles or hackers?
Sverdlove said the current situation is most likely the result of a lack of motivation and frustration from overwork and an insufficient budget. “There is nothing in their infrastructures that was as adequately protected as it should be,” he said.
Currently, the Federal Information Security Management Act requires federal IT systems to meet basic security requirements and the National Institute of Standards and Technology has developed a comprehensive set of standards and guidelines for compliance. But aside from a few specific groups such as government contractors, there is little government regulation of IT security for privately owned systems and networks.
A number of bills have been introduced in Congress that would empower the Homeland Security Department to set basic security requirements for designated critical infrastructure, but passage during this session appears unlikely. Several cybersecurity bills scheduled for votes this week in the House do not include this provision.
The Bit9 report is based on a survey of 1,861 professionals around the world, but predominately in the United States. Of the respondents, 285 — or 15 percent — were in government. Although the company makes no claims of the statistical relevance of the study, Sverdlove said he thinks it is “pretty well representative.”
Sixty-four percent of the respondents expect they will be the targets of cyberattacks in the next six months, and 61 percent say that hacktivists are most likely to be the culprits. But the attacks they fear most are more sophisticated than those typically employed by groups such as Anonymous in their high-profile breaches.
Forty-five percent said they are most worried about malware such as Trojan horses, rootkits, worms and viruses, and another 16 percent said they fear spear phishing attacks directed at high-value targets.
A combination of spear phishing and sophisticated malware has been responsible for some of the most damaging attacks in recent years. This potent cocktail has been responsible for the breach at RSA, the Security Division of EMC, that resulted in the theft of information about the company’s SecurID token product that was later used in an attempt to breach defense contractor Lockheed Martin. Similar attacks also breached several Energy Department national laboratories and other organizations.
Government professionals see the threat landscape a little differently. They fear nation-states as the most likely adversaries by a wide margin, 72 percent, with hacktivists coming in second at about 65 percent.
This makes sense, since governments are likely to hold the most sensitive geopolitical and military data, Sverdlove said. But he pointed out that some nations appear to be aggressively targeting civilian assets and commercial intellectual property as well, and that industry awareness of this threat is lagging.
Most of the respondents favored greater public disclosure of cybersecurity breaches, with 48 percent in favor of reporting breaches when they occur and describing the information compromised. A surprising 29 percent also favored disclosing how the breach occurred. Only 6 percent said nothing should be publicly released.
The bright spot in the survey was the high awareness among professionals of the threats they are facing, Sverdlove said. Their challenge now is to focus finite resources on the most pressing threats. “There is never an endgame,” he said.
William Jackson is freelance writer and the author of the CyberEye blog.