Security expert Steve Durbin discusses nation-state espionage and the dangers lurking in cyberspace, and urges organizations to become cyber resilient.
World leaders will use the rhetoric of "local" or "closed" Internets to bolster public trust, but this will further erode organizations' confidence in a free and open Internet. For example, an increasing number of democratic states are calling for either local Internets or formal Internet governance. Germany has stated its desire for a local Internet shielded from foreign intelligence services, and Brazil has led the rally for the United Nations to take a more active role in Internet governance.
Enterprises will have to operate in an increasingly complex regulatory landscape, particularly across borders, as national governments enact legislation and regulation to control their perceived corners of the Internet.
Regarding the unintended consequences of nation-states policing the Internet, what are the most likely types of incidents we'll see in 2014?
Conflicting official involvement in cyberspace will create the threat of collateral damage and have unforeseen implications and consequences for all organizations that are reliant on it. Varying government regulations and legislation will restrict activities whether or not an organization is the intended target.
Governments’ draconian implementation of these different regulations and legislation will lead to operational disruptions in organizations' supply chains. Those affected will have little recourse because of a lack of legal clarity in cyberspace.
Two high-profile examples where businesses were taken offline or the availability of their information was seriously compromised as a result of official intervention include the U.S. government's 2012 shutdown of the file-sharing site MegaUpload, which meant that almost 11 million legitimate files were blocked, and Groklaw, which halted operations in 2013, citing the potential for government pressure as making the Internet a less desirable place to do business.
This threat is inherently random. There is no way to know when it might affect an organization, if at all. This randomness underlines the need for organizations to build their resilience and implement proportional security measures in the event that it materializes.
How can enterprises reduce the vulnerabilities posed by third-party service providers? What's a good action plan you've observed?
Supply chain management is more difficult when service providers are key targets for cybercriminals. It requires more stringent due diligence and explicit contracts. Otherwise, you can expect disruptions and information loss.
Information security specialists should work closely with those in charge of contracting for third-party services to conduct thorough due diligence on potential arrangements. It is imperative that organizations have robust business continuity plans in place to boost both resilience and senior management’s confidence in the functions' abilities.
Advice for building this resilience includes identifying critical information assets and where they are located; identifying critical suppliers and ensuring the ability to continue operations is in place in the event their business is disrupted; fostering strong working relationships with service providers with the aim of becoming partners; being clear on what contracts are in place for what services; understanding clearly which legal jurisdictions govern the organization's information; and working with procurement or other business units responsible for contract management to ensure information security arrangements are included in contracts.
What is your advice about using encryption now that it appears that encryption isn't the fail-safe tool that we'd believed it was?
Ironically, the reaction to the NSA revelations has been to boost reliance on encryption—the default approach to Internet security. But encryption will fail to live up to expectations due to weak implementation practices and governmental attempts to undermine it via backdoors in the software.
The failure of encryption is important as all organizations rely on it in cyberspace. It is therefore vital to understand that this threat is on the horizon, and no organization is immune. However, the information security function can prepare by taking the following actions: Classify information and know where the sensitive information assets are to understand where the organization faces the most risks to consider the full information life cycle; identify current cryptographic solutions used across the organization and determine a strategy for improving their implementation; work under the assumption that the potential exists for all encryption to be broken and assess risks to assets under this scenario; and critically assess commercial encryption software and hardware, given the revelations of back doors.