NEW YORK, NY – Bloomberg Cybersecurity Conference — Mentioning Pearl Harbor conjures up images of death, destruction and dread, making it a popular metaphor for conveying the devastation that could be caused by a major cyber attack. But there may be a more accurate allegory from World War II – the Japanese invasion of Singapore.
“Singapore (was) a British colony at the time,” explained Cedric Leighton, founder and CEO of Leighton Associates and a former military intelligence officer. “Guess what happened? The Japanese came in through the Malaysian Peninsula using bicycles – think (computer) virus…They got to Singapore. They were able to take Singapore because their guns were pointed in the wrong direction.”
After all, he added, the Japanese only intended to bomb Pearl Harbor, not hit it and stay.
Regardless of the metaphor, Leighton and other panelists agreed at the Bloomberg Cybersecurity Conference Thursday, addressing cybersecurity challenges requires a multi-faceted approach.
“Cyberspace is not civilized,” said panelist Tom Kellermann, vice president of cyber security for Trend Micro. “If you as a multi-national corporation get hacked, you’ve have got a one in one hundredth chance the FBI is going to successfully investigate that.”
“Only you can save you,” he added.
In part, prevention means understanding the convergence of technologies, he said.
“If I hack your phones, I can control your physical reality as well. I’m tracking you, I turn the microphone on when you’re in a sensitive meeting…the physical manifestation of my cyber presence,” Kellermann said.
Assuming that security will break down, organizations must also think in terms of limiting the damage hackers can do once they break in, he said.
“I can make sure that when you break into my house you break into my basement and you are stuck with my Rottweilers,” Kellermann said.
The adoption of cloud computing services has also changed the way companies need to think about the security landscape, by broadening the attack surface and introducing liability issues. Service level agreements, he explained, now have to be examined for more than just uptime and downtime. Consideration also needs to be given to third-party risks, he said.
“We need to understand that there are new critical infrastructures within critical infrastructures that provide an ephemeral landscape that must be secured,” Kellermann said.
Prevention also means improving application security and securing embedded technology, noted fellow panelist Jeff Snyder, vice president of cyber programs at Raytheon. But it also means fighting insider threats.
“WikiLeaks is the elephant in the room for a lot of people who deal with classified information,” Leighton said.
“That guy, the suspect, had a security clearance…(organizations) need to take into account that they may pass the initial screening, but there may be other issues – whether they are psychological issues, whether they are financial issues, whether they are vulnerability blackmail issues – these are all human realities. The social reality of this kind of behavior is age old, but it becomes…even more important when you can obtain access to so much sensitive data because of your insider knowledge, your insider credentials.”
Organizations also need to do a better job of identifying just what assets are critical and understanding what is in their IT environment, said panelist Christopher Valentino, director of contract research and development, cyber intelligence division for Northrop Grumman Information Systems. An enterprise can’t protect what it can’t see, he said.
“It’s not a lost cause,” Leighton said, adding it’s important for organizations to “fight back.”
“You don’t do it by brandishing a gun or shooting up a town or anything like that,” he said. “What you do is you develop smart security procedures, you understand what they are doing…you do the things that make it harder for them to do what they are trying to do to you.”