What a way to wrap up a summer! On the one hand, we have various countries flexing nuclear muscles and a boom in cybercrimes that keeps escalating along with the rising tide of stock market success, all in stride with this past spring’s US Presidential Executive Order on Cybersecurity of Federal Networks and Critical Infrastructure. One can’t help but wonder whether it is all related somehow, like dominoes lined up to topple, one after the other. It could be…let’s take a look.
In a recent Forbes article on the cost of cybercrimes, Ariel Evans, an American Israeli cybersecurity expert, entrepreneur and business developer, shared her belief that, “…there are three major areas of growth in the next decade: cyber-risk, cyber-insurance and IoT security. Each of these three areas are green fields, and are the next level of assurance in cyber.” I would then contend that these are the three reasons everyone should be paying attention to internal security infrastructure footprints now rather than later.
The First Domino
In the 2017 Thales Global Data Threat Report, more than half of the survey respondents indicated that they sometimes roll out new technologies company-wide prior to having proper levels of internal security in place. WHAT? If that’s the case, it’s no wonder cybersecurity crimes and hacks are escalating at a rate never seen before.
And, if that data point is true, then it further bolsters Evans’s postulate that not only is the evaluation of cyber-risk a greenfield, but the inability to gauge and control it is a single point of imminent disaster. Hacking from Russia, China, even North Korea is of utmost concern. The mere thought that possibly more than half of today’s companies or government organizations are willing to risk public trust, privacy, revenues, public safety, etc., for whatever gain an ill-protected, early technology roll-out accomplishes is not only ludicrous, it’s frightening. Or, as Evans refers to it, “cybergeddon.”
As for cyber-insurance, like most other types of insurance, whatever you think you need…it’s not enough. As the Forbes article points out in relation to the recent hack of Target superstores, “Target had $100 million of cyber insurance and has over $450 million of loss…, which is estimated to total at $1 billion by the end of 2017.” Not enough, indeed. Hence the need not only to gauge your cyber-risk but to control it by baking security measures (like PKI) into your infrastructure as you build it out, rather than trying to bolt them on after the fact as you race down the hill.
Almost every industry is in rapid growth mode right now. eCommerce is exploding, as are related cloud and service provider businesses. Data and associated financial transactions are transmitting globally at a frantic pace. It doesn’t take Adam Smith to figure out that, if technology infrastructures, the global business economy and stock markets continue this upward trajectory, they could be at cataclysmic cybercrime risk without proper security safeguards in place.
The Second, Third and Fourth Dominoes to Fall
There is an inferred reference to their “other” destructive capabilities in the latest Presidential Executive Order on Cybersecurity of Federal Networks and Critical Infrastructure, with recommendations that relate to what GlobalSign does: authentication, access control and identity management.
This particular executive order is really an extension of several previous US administrations’ admittedly long-unrealized efforts to strengthen critical infrastructure of both federal cyber-systems and those of the general public having to do with utilities, finance/commerce, transportation, health and safety. Administrations for years had been forewarned that malicious attempts to hack through cracks in these and related systems would jeopardize life and limb on a global scale. The last critical infrastructure bill was passed by the US House in 2015 but stalled in the Senate, and thus nothing was implemented. There is an updated 2017 replacement for that bill that is currently under new review in the House.
(ii) The executive branch has for too long accepted antiquated and difficult-to-defend IT.
May 11, 2017 - Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
We are still waiting for a doctrine that spells out upgrades to systems and processes for federal IT and other critical infrastructure. This new Presidential Executive Order is a revised attempt, following the previous administration’s executive order, to immediately do risk assessment (remember the aforementioned cyber-risk?), catalog risk management strategies for implementation and identify cybersecurity measures for immediate remediation of critical infrastructure.
Other sections in the order identify and detail critical infrastructure of focus for cybersecurity renewal:
- Assessment of Electricity Disruption Incident Response Capabilities.
- Department of Defense Warfighting Capabilities and Industrial Base.
- Cybersecurity for the Nation.
- International Cooperation.
- Cybersecurity Workforce Development.
While this particular executive order does not indicate that solutions will be implemented immediately, it at least forces this administration to lay out the plan for implementation within one year of its signing date, that is, by May 11, 2018.
You’ll notice that at the top of that bulleted list from the Executive Order is “Assessment of Electricity Disruption Incident Response Capabilities.” This refers to the US power grid being disrupted by sabotage, cybercrime or direct attack. Direct attack could be in the form of an electromagnetic pulse (EMP) launched by exploding a nuclear weapon just above the atmosphere of its intended target, or an even more targeted weapon that can now be enclosed in something the size of a briefcase, Intentional Electromagnetic Interference (IEMI). Experts agree that both of these potential attacks on the US power grid and subsequent critical infrastructure are within the capabilities of various adversaries of the US and NATO Alliance.
Here at GlobalSign, we have been hard at work for years with NIST and NAESB, helping to bring security standards up to date and remediation procedures into an everyday working process, not only for power utilities, but other critical infrastructure as well. These contributions on standards, tech tips and proactive PKI processes are available for anyone to implement in their own critical infrastructure, and are found in the whitepaper: "How PKI Secures Critical Infrastructure Networks against Advanced Attacks."
From cybercrime to sabotage, the tech-reliant global economy and the protection of critical infrastructure, no one wants to see all of these “dominoes,” so coincidentally lined up right now at this particular time in history, begin to fall one after another. Hopefully, we all see the risks and will take the appropriate actions. At a minimum, a cyber risk assessment of your critical PKI infrastructure is probably overdue, and we welcome a conversation with you.