A groundbreaking study reveals that cyberattacks are becoming more severe, and security managers, while concerned, lack the tools to combat the threat.
Recent months have seen news about the global cyberthreat environment go from bad to worse. In January, search engine megalith Google announced that it might cease operations in China after it discovered that the government had hacked into Google servers, apparently seeking the company’s source code. Soon thereafter, the Christian Science Monitor reported similar attacks, also originating in China, against three major U.S. oil companies—ConocoPhillips, ExxonMobil, and Marathon—seeking company data on bid values and locations of oil discoveries. In all four cases, attackers sought the companies’ “crown jewels,” the Monitor wrote.
The incidents underscored the recent findings of an unprecedented study in which tech security firm McAfee, working with Washington, D.C.’s Center for Strategic and International Studies (CSIS), surveyed IT professionals from 600 companies in 14 countries. Their findings: attacks are growing not only in severity but also in volume, and to a shocking degree. Meanwhile security efforts, already inadequate, have been compromised by economic recession and resulting funding cuts.
Adam Rice, chief security officer of India’s Tata Communications and a participant in the survey, called the findings “troubling but not very surprising.”
“Security has continuously moved toward being worse and not better,” Rice said, speaking at a CSIS panel discussion on the survey’s findings. “And given the reactive approach to cybersecurity and threats, that trend will probably continue.”
Among respondents, 60 percent reported theft-of-service attacks; 29 percent reported multiple large-scale denial-of-service (DoS) attacks, with two-thirds of them saying that those DoS attacks had an operational impact. One in five, reported attack-related extortion attempts. Asked to forecast major attacks—defined as causing 24-hour operational shut-downs, company failure, or loss of life—40 percent said they expected one in the coming year.
“It was really quite remarkable, when you gave people anonymity, how seriously they took the threat and how many very serious attacks they reported,” said Stewart Baker, a former Department of Homeland Security and National Security Agency (NSA) official, who led the study.
Some of the survey’s most unsettling revelations came from companies that run supervisory control and data acquisition (SCADA) and industrial control systems (ICS), both of which are types of control software used to manage processes in operations that run the gamut from manufacturing to public works such as sewage or drinking water treatment.
Among SCADA and ICS operators, 77 percent reported that those systems were “connected to an IP network or the Internet,” despite what investigators called “widespread acknowledgement about the risks involved.” While those connections aid monitoring of widely distributed systems, multiple experts told CSIS that SCADA and ICS systems should be separated from the Internet by what practitioners call an “air gap.” Attacks on SCADA systems were most common to the oil and gas sector, according to the report.
Respondents expressed skepticism about the effectiveness of government regulation but also reported that it boosts security slightly. Rice said that he and his peers badly need threat information from governments, but he added that in the case of the United States, information sharing is a one-way street. The FBI, for example, declines Tata’s requests, because threat data is classified to protect sources and methods.
“We have meetings we go to; they’re very nice. We smile at each other, and I don’t take away any actionable intelligence,” Rice said.
Government regulation and patch management are reactive and will not work against major attacks, Rice said, adding that government must work with major ISPs to identify threats and “stop the traffic in the cloud. And when I talk about the cloud, I’m talking about the core, with the tier-one providers, who do have the ability to see almost all of this traffic.”
One of the study’s findings was not news to members of the security industry: “Security specialists from several sectors said that making the business case for cybersecurity remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution.”
Rice told investigators that a good business case rests with one issue above all others: the bottom line. He is quoted in the report as saying that a CSO can best demonstrate usefulness to the rest of the executive team by identifying the tie between security and revenue, explaining how a dollar spent can potentially save millions.
Rice made another familiar argument. Acording to the report, he told investigators that if the CSO doesn’t report to the top executive, he’s likely not as effective as he needs to be.
Of those companies surveyed, 77 percent had a chief information security officer (CISO), and of them, 46 percent reported directly to the CEO, according to the report.