It is widely known that cyber criminals are normally one step ahead of the governments and authorities protecting their countries. It is this theme that sets the stage for day two of the Cyber Defence Summit, which has been organized by Oman’s National Computer Emergency Readiness Team (OCERT), on behalf of the Information Technology Authority (ITA), and in cooperation with ITU-IMPACT and Naseba. The two-day summit, taking place at the Grand Hyatt Hotel Muscat, opened on Monday, 2 April 2012, and concluded yesterday.
Following the short welcome address by the conference Chairperson, Marco Obiso, CyberSecurity Coordinator with the International Telecommunication Union (ITU), the opening keynote speaker took to the stage. Speaking to a large attentive audience, Shawn Henry, Former Executive Assistant Director, Criminal, Cyber, Response and Services Branch, with the Federal Bureau of Investigation (FBI), addressed the issue of adopting intelligent and sophisticated discussion that focuses on prevention rather than cure, and how we can work together more effectively to stay one step ahead of criminals.
In his keynote, Mr. Henry spoke of the urgency of this issue, saying that some businesses having undergone cyber-attacks suddenly cease doing business. Breaching networks and stealing data is of great concern. In one example highlighted, one company network was breached and the company lost over 10 years of research and data overnight, to the tune of one billion dollars.
Such cyber criminals live in the virtual world and rarely, if ever, even meet in person. This creates a drain on the economy. Cybercrime is cheaper, easier and faster, and ultimately, more lucrative with less risk. Most focus on remote access attacks, but it is also important to consider the threat of the insider. As well, data being lost is one part; data being changed is another, and this is crucial, especially when you consider the data used to help run critical infrastructure.
When asked to comment on what measures could be taken to discover, identify and remove cyber threat actors, Mr. Henry emphasized a three-pronged model that should be implemented. He said, “We need to be proactive; not sitting back and playing defense all the time. For the private sector I think that means hunting on the network all the time, looking on the network for information or indicators it’s been breached, because many companies have already been breached. When I was with the FBI, many times my people showed up on site and we were telling companies that their company networks have been breached, based on intelligence that we had been able to collect elsewhere. They did not know; had no idea, for months at a time, that their network had been breached.”
Mr. Henry continued, “So being proactive and then predictive. Once you are being proactive, you are collecting intelligence. And, by knowing who the adversary is, you start to learn about what they are going to attack, how they are going to attack it and you learn about their tactics, techniques and procedures.
“And then that helps you to become preventative, because once you know what their tactics are, you can change some of your tactics and can remediate your network or mitigate the threat in advance by eliminating the vulnerability. That’s the three Ps: proactive, predictive and preventative. All of that comes down to intelligence, you’ve got to use intelligence to do all of those things and you’ve got to share intelligence among other partners. Partnership, that’s the 4th P,” he continued.
When asked about the human factor, as a critical component of cyber defence, Mr. Shawn Henry had this to say, “Technology is a piece, but at the end of the day, it’s humans and people that are involved. Human beings are a weakness oftentimes; human beings who unwittingly open up ports on computers and introduce vulnerabilities to networks unwittingly, or wittingly. And at the end of the day, when you’ve got to do attribution and you want to mitigate the threat, you’ve got to identify the human beings involved.
“And then there are many different ways you can then mitigate that threat; it all comes down to identifying the human beings. So the human nature of this is so very important. Also from the preventative side, the sharing side, the partnership side, you’ve got to develop relationships with people – people to people, it’s not computer to computer, it’s person to person. And it’s different countries and companies. People have to have a sense of trust and develop a level of interaction that allows them to work together in collaboration.”
When queried whether people are listening to him, as he talks to people about this from around the world, Mr. Henry said, “I’ve tried to talk to the leadership of organizations about this, because as I said earlier, if the leadership of organizations doesn’t get it, its people are not going to pay attention. If the CEO of the corporation doesn’t understand, if the head of an agency doesn’t understand and they don’t promote this, other people are not going to step up and take it seriously. If the boss doesn’t think it is important, then people are not going to take it seriously. So I want to get to the organizations at the CEO level or the CIO level, at the leadership, at the executives in organizations. I want to get to corporate counsel, general counsels and organizations so that they understand what the liability is. If you can raise the situational awareness at the executive leadership of orgs, you will get a much better response and have a much more secure organization.”
Concluding his presentation, Mr. Henry pointed out that when people think of cyber-attacks, most users are concerned with what data was taken. He said that they should be more concerned with what may have been left behind. Leaving the audience with a final comment, he offered his opinion: “The current system may be inadequate, but it is too late for us to disconnect now. The lack of resilience is an economic and security risk.”