THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS


Download the entire guide and follow the conversation at SecurityRoundtable.org


Internet Security Alliance – Larry Clinton, CEO

The evolving cyberthreat and an architecture for addressing it

According to the Pentagon’s 2015 Annual Report, “The military’s computer networks can be compromised by low to meddling skilled attacks. Military systems do not have a sufficiently robust security posture to repel sustained attacks. The development of advanced cyber techniques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a position to degrade DOD missions when and if they choose.”

If the cyber systems of the world’s most sophisticated and best funded armed forces can be compromised by “low to meddling skilled attacks,” how safe can we expect discount retailers, movie studios, or any other corporate or public systems to be?

That is not even the bad news.

■ Things are getting much worse: Three reasons

1. The system is getting weaker.

The bad news is that the cyber systems that have become the underpinning of virtually all aspects of life in the digital age are becoming increasingly less secure. There are multiple reasons for this distressing trend. First, the system is getting technologically weaker. Virtually no one writes code or develops “apps” from scratch. We are still relying on many of the core protocols designed in the 1970s and 80s. These protocols were designed to be “open,” not secure. Now the attacking community is going back through these core elements of the Internet and discovering still new vulnerabilities. So as new functionalities come online, their own vulnerabilities are simply added to the existing and expanding vulnerabilities they are built upon. The reality is that the fabric of the Internet is riddled with holes, and as we continue to stretch that fabric, it is becoming increasingly less secure.

Additionally, vulnerabilities in many open source codes, widely in use for years, are becoming increasingly apparent and being exploited by modern “zero-day” attacks, and the patching system we have relied on to remediate the system can’t keep pace. Huge vulnerabilities such as Heartbleed and Shellshock have existed within open source code for years only to be revealed recently when scrutinized by fresh eyes.

Within hours of the Heartbleed vulnerability becoming public in 2014, there was a surge of attackers stepping up to exploit it. The attackers exploiting the vulnerability were much faster than the vendors could patch it. This is a growing trend. In 2014 it took 204 days, 22 days, and 52 days to patch the top three zero-day vulnerabilities. In 2013 it took only four days for patches to arrive. Even more disturbing is that the top five zero-day attacks in 2014 were actively used for a combined 295 days before patches were available.

Moreover, because almost no one builds from scratch anymore, the rate of adoption of open source programming as a core component of new software greatly exceeds the vetting process for many applications. As the code gets altered into new apps, the risks continue to multiply. In 2015 Symantec estimates there are now more than a million malicious apps in existence. In a fast-moving, early-stage industry, developers have a strong incentive to offer new functionality and features, but data protection and privacy policies tend to be a lesser priority.

The risks created by the core of the system becoming intrinsically weaker are being further magnified by the explosion of access points to the system, many with little or no security built into their development. Some analysts are already asserting that there are more mobile devices than there are people on the earth. If that is not yet literally true, it will shortly be.

It is now common for individuals to have multiple mobile devices and use them interchangeably for work and leisure, often without substantial security settings. Although this certainly poses a risk of data being stolen directly from smartphones, the greater concern is that mobile devices are increasingly conduits to the cloud, which holds increasing amounts of valuable data. The number of new access points to large amounts of data resulting from the explosion in the number of mobile devices vastly increases the challenges to securing cyberspace.

However, the rise in use of mobile devices pales in comparison to the coming Internet of Things (IoT). The IoT, embedded computing devices with Internet connections, embraces a wide range of devices, including home security systems, cars, smart TVs, and security cameras. Like the bring-your-own-device (BYOD) phenomenon, the coming of the IoT further undermines the overall security of the system by dramatically increasing the vectors, making every new employee’s internet-connected device, upon upgrade, a potential threat vector.

2. The bad guys are getting better.

Just after the turn of the century, the NSA coined a new term, the “APT,” which stood for the advanced persistent threat. The APT referred to ultrasophisticated cyberattack methods being practiced by advanced nation-state actors. These attacks were characterized by their targeted nature, often focused on specific people instead of networks, their continued and evolving nature, and their clever social engineering tactics. These were not “hackers” and “script kiddies.” These were pros for whom cyberattacks were their day job.

They were also characterized by their ability to compromise virtually any target they selected. APTs routinely compromised all anti-virus, intrusion detection, and best practices. They made perimeter defense obsolete.

Now these same attack methods, once practiced only by sophisticated nation-states, are widely in use by common criminals. Whereas a few years ago these attacks were confined to nations and the Defense Industrial Complex, they now permeate virtually all economic sectors.

The APT now stands for the average persistent threat.

The increasing professionalism and sophistication of the attack community is fueled by the enormous profits cyberattacks are generating—routinely estimated in the hundreds of billions of dollars and growing. It is now apparent that attackers are not going to rely on reusing the same old methods. Instead, like any smart, successful, and growing enterprise, they are investing in R&D and personnel acquisition. They are seeking to grow their business, including finding new vulnerabilities in older infrastructures and thus widening the surface available for attack.

3. The economics of cybersecurity favor the attackers.

Cyberattacks are relatively cheap and easy to access. Virtually anyone can do an Internet search and find vendors to purchase attack methods for a comparatively small investment. The attacker’s business plans are expansive with extremely generous profit margins. Multiple reports suggest hundreds of billions of dollars in criminal cyber revenue each year. They can use virtually identical attack methods against multiple targets. The vast interconnection of the system allows attackers to exploit weaker links who have permitted access to more attractive targets, and their “market” is accessible to them worldwide.

Meanwhile, cyber defense tends to be almost inherently a generation behind the attackers, as anticipating the method and point of attack is extremely difficult. From a business investment perspective it is hard to show return on investment (ROI) for attacks that are prevented, making adequate funding a challenge. Moreover, law enforcement is almost nonexistent—we successfully prosecute less than 2% of cyber criminals, so there is little to discourage the attackers from being bold. Furthermore, as we have already illustrated, consumers tend to prefer utility and function over security, which provides a disincentive for investors to enhance devices with added security, which often slows or limits utility.

This little-understood imbalance of the economic incentives is exacerbated by the fact that many of the technologies and business practices that have recently driven corporate growth, innovation, and profitability also undermine cybersecurity.

Technologies such as VOIP or cloud computing bring tremendous cost efficiencies but dramatically complicate security. Efficient, even necessary, business practices such as the use of long supply chains and BYOD are also economically attractive but extremely problematic from a security perspective.

Corporate boards are faced with the conundrum of needing to use technology to grow and maintain their enterprises without risking the corporate crown jewels or hard-won public faith in the bargain. In addition, the fears and potential losses from cyber events tend to be speculative and future oriented, whereas most corporate leaders (as well as the citizen investors who have their 401(k)s tied up in the stock market) tend to make their decisions with an eye toward the next quarter or two.

The national security equation

Finally, from the national security perspective, Internet economics are also complicated. This economic puzzle is important to solve because multiple independent studies indicate that the number one problem with securing critical infrastructure from cyberattack is economic. As the 2014 National Infrastructure Protection Plan makes clear, the public and private sectors have aligned, but not identical, perspectives on cybersecurity based on their differing, and legally mandated, roles and obligations.

The private sector is legally required to invest to maximize shareholder value. Although shareholder value is enhanced to some degree by security investment, generally security is considered a cost center in the corporate world. As with most corporate investments, security is a matter of cost benefit for the private sector. What this translates to is that the private sector may legitimately judge that there is a level of security that goes beyond their commercial interest and hence their legally mandated obligation to their shareholders. An example is the common case of pilfering in many retail stores, wherein the owner may be aware that 5% of his inventory is “walking out the back door” every month. The reason he doesn’t hire more guards or put up more cameras or other security measures is that the cost benefit presumably suggests it will cost him 6% to do so, and hence the better business decision is to tolerate this level of insecurity.

Government doesn’t have that luxury. The government is charged with providing for the common defense. Surely, they have economic considerations with respect to security; however, they are also mandated to a higher level of security largely irrespective of cost to provide for national security, consumer protection, privacy, and other non-economic considerations.

In the Internet space, government and industry are using the same networks. This means the two users of the systems have differing security requirements—both legitimate and backed by lawful authority. Moreover, requiring greater cybersecurity spending, beyond commercial interest as suggested by some, could run afoul of other government interests such as promoting innovation, competitiveness, and job growth in a world economy (presumably not following U.S.-based requirements).

Finally, the presumption that requiring increased security spending by commercial entities up to the government risk tolerance is in the corporate self-interest is complicated by the data that have emerged after highly publicized cyber breaches. One year after the Target breach, which would presumably damage the company’s image, profitability, and reputation, Target’s stock price was up 22%, suggesting such predictions were incorrect. Similarly, 6 months after the high-profile cyberattacks on Sony (the second high-profile cyberattack for Sony in a few years), Sony’s stock price was up 26%.

■ Some good news: Enlightened policy working in partnership

Traditional regulatory efforts fail

In 2012 President Obama offered a legislative proposal to Congress suggesting that the Department of Homeland Security (DHS) be given authority to set minimum standards for cybersecurity over the private sector. Subsequently two bills were offered in the Senate, one by the Chairman of the Senate Commerce Committee, Senator Jay Rockefeller (D-WV) with Senator Olympia Snowe (R-ME), and separately by Senate Homeland Security Chairman Joe Lieberman (D-CT) and Senator Susan Collins (R-ME). Both bills largely followed the Obama paradigm of DHS setting regulatory mandates for the private sector with substantial penalties available for noncompliance.

Despite strong backing from the Senate Majority Leader Harry Reid and much of the military establishment, the bills could not get out of committee. Even though Reid exercised his parliamentary power to control the Senate agenda, there was not enough support to even get the bills to the floor for consideration, let alone vote on them.

There was certainly industry opposition to these bills, but what killed them was the bipartisan realization that the traditional regulatory model was an ill fit for cybersecurity. Government agencies’ ability to craft regulations that could keep up with cyberthreats was highly questionable. Early efforts to apply traditional regulation to cyberspace, such as HIPAA in the health-care industry, had not generated success. Indeed health care is widely considered one of the least cyber secure of all critical infrastructures.

However, with cyber systems becoming increasingly ubiquitous and insecure, threatening economic development and national security, there was obvious need for an affirmative and effective approach. The non-regulatory, collaborative model selected largely followed the “social contract” paradigm previously promoted by industry and government analysts.

The social contract approach

In 2013 President Obama reversed course 180 degrees. In an executive order on cybersecurity the president abandoned the government-centric regulatory approach embodied in his previous legislative proposals and the Senate bills. Instead, he suggested a public-private partnership—a social contract—that would address the technical as well as economic issues that are precluding the development of a cyber system that can become sustainably secure. In this new partnership, industry and government would work together to identify a framework of standards and practices worthy of industry based on cyber risk assessments conducted by the companies. The president ordered that the framework be voluntary, prioritized, and cost effective. If there were an economic gap between what ought to be done and what would be accomplished through normal market mechanisms, a set of market incentives would be developed to promote voluntary adoption of the framework. Although industry that operates under regulatory systems would remain subject to regulatory authority, no new regulatory authority for cybersecurity would be part of the system. Instead, a partnership system based on voluntary use of consensus standards and practices and reinforced through market incentives would be built.

The cyber social contract model has substantial precedent in the history of infrastructure development in the United States. In the early twentieth century the innovative technologies were telephony and electricity transport. Initially the private companies that provided these technologies, because of natural economies, served primarily high-density and affluent markets. Policy makers of the era quickly realized that there was a broader social good that would be served by having universal service for these technologies, but also realized that building out that infrastructure would be costly and uneconomic either for industry or government.

Instead of government taking over the process or mandating that industry make uneconomic investment, the policy makers designed a modern social contract with industry. If industry would build out the networks and provide universal electric and telephone service at affordable rates, government would guarantee the investment private industry would make in building and providing the service. This agreement ensured enough funds to build, maintain, and upgrade the system plus make a reasonable rate of return on the investment. Thus were born the privately owned public utilities and the rate of return regulation system.

The result was that the U.S. quickly built out the electric and communications systems for the expanding nation, which were generally considered the best in the world. Some have argued this decision was foundational to the U.S.'s rapid expansion and development, which turned it from a relatively minor power in the early part of the twentieth century to the world’s dominant superpower less than a generation later.

Although the Obama social contract approach to cybersecurity has different terms than that of previous infrastructure development, the paradigm is similar. Similar modifications of the incentive model are also in use in other areas of the economy, such as environment, agriculture, and transportation, but this is the first application in the cybersecurity field.

Although it is in its formative stages, at this point early indications for the social contract approach are positive. The cybersecurity framework development process conducted by the National Institute of Standards and Technology (NIST) has been completed and received virtually unanimous praise. In an exceedingly rare development, the Obama approach to cybersecurity closely tracks with that outlined by the House Republican Task Force on Cyber Security. Bipartisan bills using liability incentives, instead of government mandates, are moving through Congress, and additional incentive programs are under development.

■ Conclusion

The cybersecurity problem is extremely serious and becoming more so. An inherently insecure system is becoming weaker. The attack community is becoming more sophisticated and enjoys massive economic incentives over the defender community. Traditional government methods to fight criminal activity have not matured to address the threat and may be inappropriate to meet the dynamic nature of this uniquely twenty-first century problem. Fortunately, at least the U.S. government seems to have developed a consensus strategy to better leverage public and private resources to combat cyberthreats without excessively compromising other critical social needs. Although there are some initial signs of progress, the road to creating a sustainably secure cyber system will be long and difficult.


Internet Security Alliance
2500 Wilson Boulevard
Arlington, Virginia 22201
Tel +1 703 907 7090
Web www.isalliance.org

LARRY CLINTON
President
Email [email protected]

Larry Clinton is President of the Internet Security Alliance (ISA). He is the primary author of ISA’s “Cyber Social Contract,” which articulates a market-based approach to securing cyber space. In 2011 the House leadership GOP Task Force on cybersecurity embraced this approach. In 2012 President Obama abandoned his previous regulatory-based approach in favor of the ISA Social Contract model. The ISA document is the first and most often referenced source in the President’s “The Cyber Space Policy Review.” He is also the primary author of the Cyber Security Handbook for corporate boards published by the National Association of Corporate Directors (NACD) in 2014. In 2015 Mr. Clinton was named one of the nation’s 100 most influential persons in the field of corporate governance by NACD. He has published widely on various cybersecurity topics and testifies regularly before Congress and other government agencies including the NATO Center for Cyber Excellence.