Obama on cyber

by Mark Rowe

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. So US President Barack Obama told Congress in the annual ‘state of the union’ address on January 20.

He said: “We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”

For the speech in full visit whitehouse.gov.

Meanwhile, on a visit to Washington, UK Prime Minister David Cameron agreed with Barack Obama on cyber-security cooperation. The two countries propose to increase threat information sharing and conduct joint cyber-security and network defence exercises. For details visit http://www.whitehouse.gov/the-press-office/2015/01/16/fact-sheet-us-united-kingdom-cybersecurity-cooperation.

For the two leaders’ joint press conference click here.

The authorities point out that the US Computer Emergency Readiness Team (US-CERT) and CERT-UK collaborate on computer network defence.

Comments

Richard Horne, cyber security partner at the audit firm PwC said: “As the Prime Minister and US President point out, cyber attacks are a real threat to all businesses. In the digital world we now live in, all businesses rely on processes and data that is stored electronically. Protecting that data and those processes is fundamental, and now a core part of business management.

“In helping global businesses build their defences and respond to breaches, we see the impact that a breach can have on a company that is unprepared. However, it is not an unmanageable risk; whilst attacks are becoming more sophisticated, so too are defences. With focused investment, preparation and the right skills companies can defend themselves by both preventing the vast majority of breaches, and reacting rapidly and appropriately when incidents do happen.

“The financial costs of not acting can be crippling. The average cost of an organisation’s worst security breach is rising significantly year on year. For small organisations, the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million. Due to the global nature of cyber risk, collaboration between the UK and the US is paramount to combatting the threat.”

Darren Anstee, Director of Solutions Architects at Arbor Networks, said: “Anything that focuses organisations on their incident handling processes and capabilities is a good thing, as the more these are used and tested the better our people and processes – and thus our defensive capabilities – become. Unfortunately determined, well-resourced and persistent attackers will usually find some way in to an organisation – what is becoming increasingly important is how quickly our tools and processes allow us to detect a threat and contain the problem when this happens.”

Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “Following hot on the heels of one of the worst years for data breaches, the US and UK are clearly upping the ante when it comes to enforcing stricter security measures – and rightly so. With the majority of their critical national infrastructure running on connected networks, these industries cannot afford to take any liberties. The last couple of years have shown it really is a case of when, not if, they will be targeted, and by using the most sophisticated techniques, the US and UK crime agencies will, without doubt, be able to expose any existing weaknesses. Businesses will no longer be able to cross their fingers and hope that their ill thought-out or inadequate security strategies will be sufficient.

“The sharing of intelligence between MI5, GCHQ and the FBI will be key in this programme’s success. While, in the UK, we have seen the Waking Shark exercise and the Bank of England employ ethical hackers to test its infrastructure in recent years, it is only worthwhile if the lessons learned are acted upon and shared with a wider audience. It doesn’t matter which industry you are in, or which country you live in, it’s still us against the bad guys.

“The problem that we are still seeing in many industries is that far too many are still failing to take a proactive approach to cyber security. This is simply not good enough at a time when major breaches are hitting our headlines on a daily basis. Businesses need to be constantly prepared for an attack and any of those in this programme who aren’t doing this should expect to be exposed. The only way to ensure they have the best possible chance of keeping today’s sophisticated threats out is through 24/7 monitoring of all network activity, which needs to begin now, not as a mere afterthought. Any industry that underestimates the importance of continuous monitoring will ultimately regret that decision – and by then, it may be too late.”

Dwayne Melancon, CTO of the IT security product company Tripwire, said: “If the US government were to do one thing in 2015 that would make a significant difference in our cybersecurity preparedness it would be to create a standard of due care that would allow companies to objectively evaluate their current cybersecurity investments and make strategic decisions about how to improve them. The problem is that the expectations of what is ‘enough’ cybersecurity protection are very vaguely defined. In other words, there is no way for any organisation to determine if their investments in cybersecurity will be deemed ‘sufficient’ to protect sensitive business and customer data.

“Furthermore, many organizations throw their hands up in frustration because they don’t know where to start, and don’t have cybersecurity expertise of their own. Organizations have an overwhelming array of choices available to improve their cybersecurity programs, but what criteria should they use to make these investment decisions? None of the expectations about cybersecurity protection are clearly articulated, and few come from an authoritative source. This means that it’s difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven’t been breached to accurately assess business risks.”

And Clinton Karr, senior security strategist at Bromium, said: “During the State of the Union address, President Obama raised the issue of cyber-security, remarking that ‘no foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets.’ CSOs must be encouraged that the challenges and dilemmas of the security industry have reached a mainstream audience. Savvy CSOs will leverage Obama’s remarks to underscore the importance of cyber security initiatives to board members and executives that may otherwise be disinclined to support their budgets and investments. However, President Obama has already come under criticism from organizations that are concerned sweeping cyber security legislation may be too easily abused; therefore, it is imperative that technology is the driving force behind improved cyber security and not just new policy and legislation.

“Cyber security is a bi-partisan issue. If a foreign nation attacks United States computer systems or network infrastructure, then it becomes an issue of national sovereignty. Republicans and Democrats alike must agree that securing our networks and intellectual property is of the utmost importance and must be willing to reach across the aisle to find common ground.”

© 2024 Professional Security Magazine. All rights reserved.
