The Next Grave Threat: Cybersecurity

Robert S. Mueller III had been director of the FBI for only a week when the Sept. 11 attacks occurred. The event prompted a major shift in the bureau’s focus. President George W. Bush asked Mueller not only to find out who perpetrated the crimes, but also to prevent future terrorist attacks. 

“We were not used to answering that question of, ‘What are you doing to prevent the next terrorist attack?’” Mueller said earlier this year in a keynote speech to IT leaders at CDW’s Managing Risk Summit in Washington, D.C. It prompted three changes at the bureau. 

The first was to reprioritize the FBI’s work. Counterterrorism took precedence over traditional FBI priorities such as investigating white-collar and organized crime. But, Mueller added, “We also knew very shortly after Sept. 11 that cyber was going to be the next threat on the block.” 

In fact, terrorism and cyber can be intertwined, he explained. “What has not happened, knock on wood, is the ability to organize a group of people and undertake a complicated, large-scale attack on the financial structure or the infrastructure, electrical grid or what have you in the United States,” he said. “But it’s just a matter of time.”

The second change was to train agents — and hire new ones with the right skills — to start thinking like intelligence officers. Putting together pieces to uncover and thwart a terrorist plot is different from gathering evidence to prosecute a bank robber. 

Finally, the agency had to learn to partner with other organizations. “It was absolutely essential that we break down those walls, those barriers, and begin to cooperate,” Mueller stressed. “I do not believe that we can confront and take care of cyber without the relationship of government services working closely with the private sector.”

That cooperation between the public and private sectors is an essential part of defense efforts to protect against cybersecurity threats that have evolved into a big business in their own right. It helps each side uncover strategies and tactics that can limit the effectiveness of cybercriminals.

Building a Public-Private Cyberdefense

In October 2014, Sony Pictures Entertainment was the victim of a massive cyberattack, purportedly by the North Korean government in retaliation for the film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong Un. 

It was the first time the military, law enforcement and the national security apparatus came together in the White House to address a cybercrime committed by a foreign actor against a corporation operating in the U.S., Mueller said. It illustrated the need to pull together partnerships between the public and private sectors. 

Some industry leaders have worried that getting involved with the FBI would be an intrusive process for their organizations, but such relationships can be mutually beneficial, Mueller said. 

The FBI operates 56 field offices across the country, each with a cybersquad responsible for developing relationships with business leaders in their territories. Because critical infrastructure and financial organizations are the most likely targets of terrorist attacks, the field offices focus on these industries. 

Establishing contacts between business and law enforcement ensures that organizations know whom to go to in the FBI, and vice versa. It also gives the FBI a head start in understanding organizations’ networks and business architectures. “We have to work with you if we’re to get that information and protect you,” Mueller said.

Weapons in the War on Cybercrime

Cybercrime is big business. A 2014 Rand study posits that cybercrime revenues outpaced the illegal drug trade, and a report from Juniper Research predicts that cybercrime will cost businesses more than $2 trillion by 2019. Michael Viscuso, co-founder and chief technology officer of endpoint security firm Carbon Black, hypothesizes that there may be as many as 1.4 million people involved in cybercrime. 

“This, in fact, is more than just a business,” Viscuso says. “It’s an economy.”

James Lyne, global head of security research at technology company Sophos, agrees that cybercrime is a sophisticated, organized business. “They have usable web pages, e-learning courses, documentation,” he says. 

Just like any industry, cybercrime is fueled by economics. Perpetrators look at the benefits of committing crimes and the potential cost of getting caught. If they can gain access to a victim’s online accounts by using a phishing scam, “all for the cost of a Big Mac,” the cost-benefit analysis makes sense, says Viscuso.

Organizations, however, can help hamper cybercriminals by making architectural changes to their infrastructures, he adds. These efforts can disrupt the cybereconomy by decreasing revenues and increasing costs. 

Viscuso cites the credit card industry as an example of how organizations can effectively implement such measures. Credit card companies have switched from fraud detection tools that scanned for suspicious behavior to solutions that identify anomalies and warn customers about them — but they didn’t stop there. They also triangulated where compromised cards were used and reissued new cards to customers who made purchases there, to prevent future fraudulent activity. The result: a huge drop in the price of a stolen credit card — from $300 to $5 — from 2007 to 2015, reflecting the value that such a card has for cybercriminals. 

Similarly, traditional scan-based anti-virus software has given way to more real-time, proactive solutions that combine prevention, detection and response to get ahead of the next wave of attacks, Viscuso says.

A Focused Defense

Mueller also spoke of the need for businesses to protect their “crown jewels” — their most valuable and sensitive data — as opposed to focusing solely on perimeter defense.  

Sadik Al-Abdulla, director of security solutions at CDW, stresses the need to segment networks to keep intruders from escalating attacks. This approach can reduce the damage that cybercriminals do, even if they succeed in breaching an organization’s perimeter defenses. Unfortunately, Al-Abdulla says, very few organizations — less than half of a percent of the thousands of networks on which his team has conducted security assessments — have implemented effective segmentation techniques.

“If you accept that breach is inevitable, all of the priorities change,” Al-Abdulla says. “You start moving from identify to detect, to respond, recover, and then play that out across networks, data and devices.”

Another critical step to effective defense is to practice good patch discipline. IT teams must make sure all their systems are up to date on the latest patches to ensure that every possible entry point that could be exploited by attackers is closed. For many organizations, this is a major challenge. 

“Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” Al-Abdulla says.

Mueller predicted that hackers will continue to develop effective tools, citing ransomware as an example of this evolution. He added that industry and government can find solutions to those threats by learning from one another. 

“I’m pretty optimistic,” he said. “I think, as a country, we will come up with a fix.”