Fighting the cyber war

How secure are IT and critical infrastructures against destructive and disruptive attacks?

Cyber attacks can disrupt all forms of secure systems and processes. These include, for example, missions and reputation, an organization’s – or a government’s critical assets such as data and physical property, and individuals who are part of or served by the organization. In some cases, these risks extend to the nation as a whole. We sought the opnions of experts in the battle against hackers and cyber criminals to find out what was most ast risk and what could be done to mitigate this.

Keith B. Alexander
The cyber world is an increasingly important domain. In 2000, 360 million people were on the Internet. Today, more than 2.3 billion people are connected. Last year, 107 trillion emails were sent, he added, and a sign of the times is that more than 500,000 apps exist for the iPhone and 280,000 for Android smartphones. This also presents a potential avenue of attack. We really need to be concerned about is when these transition from disruptive to destructive attacks — and I think those are coming. A destructive attack does not simply overload computers or networks — it destroys data or software, and systems must be replaced to return to the status quo. We have got to consider that those are going to happen. Deterring cyber attacks is more difficult than nuclear deterrence, noting that nation-states, cyber criminals, hackers, activists and terrorists all pose threats. So when you think about deterrence theory, you are not talking about just nation-onnation deterrence theory, but other non-nation-state actors, such as the financial sector or the power grid.
General Keith B. Alexander, USA, is the Commander, U.S. Cyber Command (USCYBERCOM) and Director, National Security Agency/ Chief, Central Security Service (NSA/CSS), Fort George G. Meade, MD. As Commander, USCYBERCOM, he is responsible for planning, coordinating and conducting operations.
Andrew Jones
Issues are emerging as we try to secure our information in a cloud environment when it is increasingly commonly that the devices that we are using to access the infrastructure are small mobile devices. It will look at the increasing levels of complexity that we will have to deal with in the future as welcome to rely more and more on the provision of services from third party suppliers. While Cloud computing is not a new concept, the level of uptake on the services has reached point where it can have a significant impact on both commercial and government organizations. At the same time the devices that we use to access the resources and data have increasingly moved to smaller, easily portable devices such as smartphones and tablets where, due to the diversity of applications and operating systems, there is an increased problem in providing an appropriate level of security. As the use of cloud computing by an increasingly mobile workforce continues to increase, the detection of security breaches and the implementation of effective protection and detection measures will become ever more complex and require additional resources.
Dr. Andy Jones, is Program Chair for the MSc. in Information Security at Khalifa University of Science, Technology and Research in Abu Dhabi, UAE, and an adjunct professor at Edith Cowan University in Perth and the University of South Australia.
Larry Ponemon
The average annual cost of cybercrime jumped 6 percent to $8.9 million in 2012, driven up by denial-of-service, malicious insiders and attacks on Websites. Companies suffered a large number of incidents every week, averaging 1.8 successful attacks each week. Every firm surveyed suffered a virus, worm or trojan attack, while 97 percent had to deal with other malware and 71 percent encountered a computer that had been compromised to become part of a botnet. Information loss and business disruption accounted for the greatest damage suffered by companies. Attacks have become both harder to detect and harder to clean up, and stealth is definitely a factor, but they are also more complex. In our research, we found companies focused on security intelligence—focusing on detecting attacks early—reduced the costs of cybercrime the greatest, nearly $1.7 million on average. Technologies used include security information and event management (SIEM) and intrusion prevention systems. Companies with access governance tools and systems required by compliance saved $1.6 million and $1.5 million, respectively.
Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

Ron Ross
The National Institute of Standards and Technology (NIST) has released cyber risk assessment guidelines aimed at critical infrastructure entities, law enforcement and the military with information they need to secure their organization’s information security and information technology infrastructures. We intend the new risk assessment guidance released on for leaders and executives at a variety of organizations, large and small, including financial institutions, health care providers, software developers, manufacturing companies, military planners and operators, and law enforcement groups. Risk assessments are an important tool for managers and with the increasing breadth and depth of cyber attacks on federal information systems and the U.S. critical infrastructure, risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyberrelated risks. Further, information technology risks include danger to the organization’s operations and its critical assets such as data, physical property and individuals.
Dr. Ron Ross is a senior computer scientist and Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security, testing and evaluation, and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project.
Vic Toews
Cyber security is an ongoing responsibility that needs to keep pace with evolving threats. That’s why the government of Canada is continuously working to enhance cyber security in Canada by identifying cyber threats and vulnerabilities, and by preparing for and responding to all types of cyber incidents to better protect Canada and Canadians. The government of Canada recognizes that protecting critical infrastructure from cyber threats is a global issue, and we treat it as such. We are working closely with our partners in the critical infrastructure sector and international allies to ensure we progress together. Our Government is committed to keeping Canada’s cyber systems secure and to protecting Canadians online. Cyber Security Awareness encourages each and every one of us to do our part to make sure that our online lives are kept safe and secure. The Get Cyber Safe campaign provides Canadians with the information they need to protect themselves and their families against online threats. This is a shared responsibility, and we all have a role to play in cyber security.
Vic Toews is Canada’s Minister of Public Safety. He was first elected to the House of Commons in 2000 and re-elected in 2004, 2006, 2008 and 2011. In February 2006, Vic Toews was appointed Minister of Justice and Attorney General of Canada and in January 2007, was named President of the Treasury Board.