Security expert Steve Durbin discusses nation-state espionage and the dangers lurking in cyberspace, and urges organizations to become cyber resilient.
By Jack Rosenberger
Cyberspace comes across as a forbidding, often dangerous and now-untrustworthy environment in "Threat Horizon 2016," the Information Security Forum's new report on the state of the cybersecurity landscape. The annual report's purpose is to provide a forward-looking view of security threats and issues in cyberspace. The bleak cyber-world portrayed in "Threat Horizon 2016" is heavily colored by U.S. whistleblower Edward Snowden's revelations of massive cyber-surveillance by the American government, revelations that have altered the trust equation between individuals, businesses and governments. Among growing cyber-threats, the ISF warns organizations about the vulnerabilities posed by insecure third-party vendors, poorly designed mobile apps, vulnerable encryption tools and more. To protect themselves against these and other dire threats, CIOs need to create a cyber-resilient organization, a task that, given "the skills chasm" noted by the ISF, will be a discouraging challenge for many companies.
CIO Insight recently interviewed ISF Global Vice President Steve Durbin about the main themes of "Threat Horizon 2016," the dangers and risks posed by today's everyone-is-connected-to-everyone-else world, and how organizations can apply data analytics to information security problems.
What should CIOs be most concerned about in "Threat Horizon 2016"?
Steve Durbin: The first action for CIOs is to re-examine the assumptions their organization has made about the Internet and adapt their cyber resilience to this new paradigm. For example, one of the threats in our report describes how a key component of Internet security—encryption—may fail to hold up.
Second, an organization's resilience to the ongoing threats of operating in cyberspace must be reassessed regularly. Cybercriminals are still well ahead of information security professionals. The bad guys are getting better quicker, while the good guys often struggle to merely respond. Also, the cost of investigating, managing and containing incidents will rise as they grow more complex and as regulators’ demands increase. And the insider threat will continue to challenge organizations because people will remain the weakest link in information security.
Finally, it's highly unlikely that governments will tidy up the mess they have made before 2016, so organizations need to give immediate consideration to additional actions they may wish to take to counter possible impacts from the recent disclosures [by Edward Snowden].
How can enterprises mitigate nation-state espionage?
Organizations should reinforce basic information security arrangements. This means understanding what and where the most critical information assets are, their key vulnerabilities, and the main threats against them. Standards and controls should be in place to mitigate the associated risks to those critical assets.
Key steps include making sure the business is up-to-date with government activities in all jurisdictions in which it operates—and with government activities in other important jurisdictions such as outsourcing locations. Companies need to participate in threat intelligence-sharing forums and build relationships with other organizations within and across industry sectors. They also need to cultivate a culture of information risk management that builds information security capabilities within the organization and ensures appropriate information security knowledge and awareness exists across the enterprise.
What threat intelligence-sharing forums should enterprise CIOs be following? What are useful security resources they might not be aware of?
Many such forums exist. Some are sector-specific—banks and other financial institutions share a considerable amount of threat information, for instance—and others are led by industry independents, such as the ISF, which provide a secure collaborative environment for members to share issues of importance around cybersecurity and the evolving threat landscape. Also, vendors such as Symantec and Verizon provide insights through their threat reports. Finally, law enforcement and government agencies are very keen to be included in threat-sharing forums.
Why do you think the Balkanization of the Internet is a large threat? Only a few nations are trying to create geopolitical borders on the Internet.
Organizations will no longer be able to depend on a free and open Internet as governments attempt to govern their corners of the Internet. Nation-states have already attempted to introduce governance of the Internet via the International Telecommunication Union (ITU), the United Nations and the Internet Governance Forum. This has proved unsuccessful. In its place, though, governments and regional blocs will attempt to standardize these norms at national and regional levels.