Some Things Haven’t Changed… But Some Have!

On the recent spate of cyber attacks at RSA, Lockheed Martin and Google, Cyber Security Czar Howard Schmidt argued, “[these attacks] followed a very standard method of operation that people have used for 20-odd years.”

Howard is right in that the specific attack vectors aren’t new.  The RSA breach started with an Adobe email attachment.  Most of the numerous Sony breaches appear to be coding and administration problems with application servers.  Even Stuxnet, arguably the most sophisticated cyber malware, spread by USB sticks and operating system vulnerabilities.  None of these attack vectors are new.  Many involve an element of social engineering: tricking people to run afoul of the policies imposed by the security hawks in the CSO’s office.

But a few important things have changed.

The classic quantitative definition of Risk is (Probability of Loss) x (Consequences of Loss).  Reducing Risk is all about reducing Probability, Consequences, or both.  Let’s look at each of these terms.

Probability is a function of several factors: let’s categorize into Threats and Vulnerabilities.  New Orleans is Vulnerable to Hurricanes, so the Probability of a Hurricane is higher there than in, say, Chicago, where we don’t worry about hurricanes so much.  Threat is proportional to Value in that high value systems experience greater and more sophisticated Threats.  Banks are subject to a higher Threat than tennis ball manufacturers because, as Willie Sutton said, “that’s where the money is.”  Value can also be expressed as political gain, embarrassing or disadvantaging one’s rivals, or just plain sport.  Increase Vulnerabilities, Value, or Threats and you’ll increase the Probability of attacks.

I argue that Risk is increasing because Value and Consequence are increasing.  The monetary value, concentration, and portability of data have increased dramatically in the past decade.   Never before in the history of the world have decades and hundreds of millions of dollars worth of R&D been able to fit into someone’s pocket as they walk out the front door.  Yet the amount of data that can fit on a USB stick, iPod, or mobile phone is mind-boggling; and one individual can carry in their pocket what just 10 years ago would have taken a wagon… and 20 years ago would have taken a forklift.  The amount of damage that can be done quickly represents a seismic shift in the way we must view the protection of information.  No one is clearer on this than the State Department after their experience with WikiLeaks.  One disgruntled individual exfiltrated millions of pages of secrets on a USB drive.  This would be impossible only 20 years ago in the “Xerox-and-stuff-it-in-your-pants” age of espionage.

As Value increases, the Threats become more sophisticated.  The attackers are evolving from curious adolescents to sophisticated organized crime syndicates and nation-states.  This is an important occurrence as the sophisticated actors have both realized the immense value of cyber-related activities to achieve their objectives, and acquired the technical skills necessary to execute increasingly sophisticated attacks.  Moreover, highly sophisticated but non-financially motivated actors like Anonymous and LulzSec that have mounted successful attacks on the Central Intelligence Agency, Sony, and even an organization near and dear to my heart: the Atlanta Chapter of the FBI’s InfraGard Program.

The Bottom Line: Business leaders must recognize that IT systems have rapidly become the lifeblood of nearly every business.  These systems – and the data they contain – are extremely valuable and must not be treated casually.  Business executives and IT managers need to understand the value of the data in their systems, understand the threats, and construct security programs accordingly.