Many cybersecurity practitioners say, "forget the attacker, focus on the risk," but there is a growing consensus that the best way to combat cyber espionage is with political and economic responses.
One topic that was notable by its absence at this week’s RSA Conference in San Francisco was the widespread economic and military espionage being conducted by China. It’s not that the subject wasn’t mentioned, but it was just background and not news. Everyone in the security community accepted long ago that the Chinese are going online to steal intellectual property and other sensitive data.
The current mantra in security is that it is “when” and not “if” your IT systems will be breached, and two paths to cybersecurity are emerging. Although many cybersecurity practitioners say, “forget the attacker and focus on the risk,” there also is a growing consensus that sophisticated cyber espionage must be met with political and economic responses.
In his opening keynote at the conference, RSA’s executive chairman Art Coviello called for the speedy adoption of next-generation intelligence-based cybersecurity that would leverage big data by extracting meaning from growing masses of unstructured data.
“Collectively, we’re not winning,” he said of the growing threat from rival nations. “But we haven’t lost yet, either.”
Although attributing attacks is important, it is not necessary in defending systems, he said. What is necessary is automation to monitor conditions and activity on systems, and standards to enable analysis and correlation of data to recognize and identify threats. The assumption that breaches will occur means that priorities must shift from stopping penetration at a perimeter to dealing with bad actors who already are on the inside. Vendors on the showroom floor at the conference already are integrating big data analysis in their security offerings to help do this.
On the other hand, there is awareness that technology alone will not solve the problem and that government must take a hand in responding to attacks from nation states, although not necessarily militarily. Attributing a given attack to a specific individual or organization is not necessary, proponents say. When a problem has been going on for years, “everybody knows” who is behind it and that is enough for the diplomats and policy makers to take action.
In the case of China, there is a global acceptance that the nation is engaged in cyber espionage. But some set of international norms for behavior in cyberspace is needed to enable this type of pressure. China does not have to admit that it has been hacking our computers in order for diplomatic pressure and economic sanctions to have an impact on its behavior. Warnings that its behavior is outside the pale could be effective, once that pale is established.
This type of pressure would not work at cyber speed and does not eliminate the need for IT security, warned Jim Lewis, cybersecurity program director at the Center for Strategic and International Studies. “You really have to keep drilling on them,” he said. “This is a process that will take several years of constant pressure.”
Unfortunately that process has not yet really begun. “Most of our policy is aimed at stopping penetration,” a battle that recent history has shown we cannot win, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit. Focusing on defenses from the inside and dealing with the economic drivers for cyber espionage will require policy makers to have a technical understanding that they now lack.
Making a beginning in cyber diplomacy will require replacing some wonks with geeks, Borg said. Some of the Silicon Valley types will have to trade their t-shirts and sneakers for wingtips and ties on Capitol Hill. “Cybersecurity professionals should seize cyber policy,” he said.