CrowdStrike CRO: NIST Framework, Vulnerability Mitigation Do Not Create Adequate Cybersecurity

On a day jam-packed with high-profile cybersecurity hearings and events in Washington, one expert witness strayed from the usual endorsements of government and corporate party lines to suggest that the cybersecurity strategies embraced by most organizations might actually harm security. Speaking at a hearing held today by the Senate Homeland Security and Government Affairs Committee, CrowdStrike Chief Risk Officer Steven Chabinsky (appearing in a personal capacity) said that the recent cybersecurity framework produced by the National Institute of Standards and Technology (NIST), while improving cybersecurity, "will not result in adequate security of our infrastructure and for our country."

Although praising the framework as a true public-private partnership, Chabinsky said that "improving our security posture requires that we reconsider our efforts rather than simply redouble them." Advocating that U.S. organizations align their cybersecurity efforts more with the strategies used in the physical world, Chabinsky said "we must ensure that our cybersecurity strategies focus on not preventing more intrusions but on more quickly detecting them and mitigating harm."

Specifically, Chabinsky, previously a long-time FBI cyber intelligence leader, advocated a shift away from a "vulnerability mitigation" mindset, which he likened to protecting a building by constructing a 20-foot brick wall around it (only to have the intruder buy a 30-foot ladder in response), toward one that focuses on instant detection, attribution, threat response, and recovery, while in parallel locating and penalizing bad actors. "We take reasonable precautions to lock our doors and windows, but we do not spend an endless amount of resources in hopes of becoming impervious to crime."

Chabinsky argued that the growing focus on vulnerability mitigation yields diminishing economic returns or, worse, negative ones. Returning to the brick-wall analogy, stepped-up vulnerability mitigation might cause the intruder to use powerful explosives instead of buying a ladder. "Our current cyber strategy has had the unintended consequence of proliferating a greater quantity and quality of attack methods, thereby escalating the problem and placing more of our infrastructure at greater risk," Chabinsky said.

Threat deterrence would improve, he argued, if blame fell on the offenders rather than on the victims for not having adequate vulnerability protection. "It is my hope for the future that the blame for, and the costs of, cybercrime will fall more squarely on the offenders than on the victims, that in doing so we will achieve greater threat deterrence, and that businesses and consumers will benefit from improved, sustained cybersecurity at lower costs," he concluded in his written testimony.

ACLU Technologist: Algorithm to Protect Phone Calls Has Long Been Broken

(Washington, DC) The algorithm used to protect phone calls is broken, and government officials refuse to acknowledge this vulnerability because law enforcement exploits it for their own purposes, ACLU Principal Technologist Christopher Soghoian said yesterday. Speaking at a Carnegie Mellon University forum held here, Soghoian said "it's been known that the algorithm used to protect our phone calls has been broken. We're still using that algorithm today."

"Everyone's communication is going over the wire in unencrypted form or very weak encrypted form," which makes anyone who purchases certain equipment, including foreign governments, capable of listening to private calls, Soghoian said. What makes the problem more urgent now is that the easily purchased equipment needed to eavesdrop on phone calls has plummeted in price over recent years, from over $100,000 ten years ago to as low as $1,200 today.

This vulnerability in the phone system has not been acknowledged by either phone companies or the federal government because law enforcement relies on this security hole to eavesdrop on targets. "We haven't seen any government officials warn the public," Soghoian said. "The reason for this is that law enforcement is actively exploiting this system."

This situation is a classic example of where "the offense and defense conflict" in cybersecurity practices and policies in the U.S., according to Soghoian. "You cannot have a system that is easy to spy on that is secure."

Cybercrime has become the single most pressing cybersecurity problem because of the difficulties in identifying and prosecuting cyber criminals across the globe, Jody Westby, CEO of Global Cyber Risk, said. "Cybercrime today has become the perfect crime" because criminals are seldom caught, arrested or jailed, due to the lack of harmonized cybercrime laws around the world. "We have a situation where cybercrime has no borders but law enforcement does."

Internet Security Alliance CEO Larry Clinton agreed. "The attack team is getting better and better all the time."

The rapid technological change that has moved the U.S. from a service economy to an information economy has fostered cyber insecurity for the time being, said Matt Scholl, Deputy Chief of the Computer Security Division, Information Technology Laboratory at the National Institute of Standards and Technology (NIST). "We have not caught up with the consequences of this change in technology."

The cybersecurity framework released by NIST last month could change the cybersecurity calculus, Earl Crane, Senior Principal of the Promontory Financial Group, said. "We're already seeing the impact of the framework, where organizations are already adopting the framework and using it."

A shortage of cybersecurity experts exists, David Brumley, engineering professor at Carnegie Mellon, said, but even with more experts, the U.S. will be outnumbered by countries such as China. "We need more cyber experts, but more security experts are not enough. [W]e're going to be outnumbered. What are you going to do when there are more of them than there are of you?"

Cybersecurity Stocks Climbed 9% During First Two Months of 2014

With the glaring spotlight placed on cybersecurity breaches during the second half of 2013, I started tracking cybersecurity-related stocks traded on the big exchanges with the assumption that the companies I chose to follow would have a very robust 2014. So far my assumption has proven to be true.

Of the 13 (mostly pure-play) publicly traded cybersecurity companies I've followed (see table below), only three experienced declines during the first two months of the year, with most gaining double-digit boosts between the close on January 3 and the close on February 28. I created a cybersecurity stock index to see just how well this group of companies performed on the whole in comparison to the broader market.

Based on this index, the cybersecurity companies advanced 9% during the first two months of 2014, more than twice the growth in the Nasdaq Index, four times the performance of the S&P Index and almost ten times the rise in the Dow Jones Industrial Average.

And if this week is any indication, cybersecurity-related companies are poised for even bigger gains - two of the newest cybersecurity players on Wall Street soared today - next-gen threat protection company FireEye (NASDAQ: FEYE) rose 8.44% today to close at 95.63, while firewall provider Barracuda Networks jumped 9.29% to close at 38.48.

Stay tuned as I periodically update the trends.

Former Vice Admiral, NSA Director McConnell: 100% Certainty Cyber Attacks Will Occur

(Washington, DC) Former Navy Vice Admiral, NSA Director and U.S. Director of National Intelligence Mike McConnell said today that the probability of a destructive cyber attack is 100% and that without good information sharing between government and industry, the loss of lives and damage to property could be high. "In my mind, there is 100% certainty that cyber attacks will occur," McConnell said at the EnergyBiz Forum on Securing Power here.

Repeating the growing mantra of current and former top government officials that Congress needs to pass a cybersecurity bill, McConnell said "we are a nation with a strategic vulnerability and we have the information to deal with the vulnerability and we must share information between the government and private sector. [I]f we don't share [information] and share it frequently, we are going to have a major loss of life and damage of property.

"We need legislation that forces the government to provide classified information to the private sector," he stressed. However, "it should be sanitized to make information of value available to you."

In terms of the most vulnerable critical infrastructure likely to experience a cyber attack, "I would probably choose banking or power and I would choose the hottest part of the summer or the coldest part of the winter," McConnell said. "Just imagine being in New York City in the middle of the summer with no power."
