Outcomes in security tend to be about data loss: stolen pharmaceutical formulas, jet fighter blueprints, patient records, credit card numbers, etc. All of these come at a great cost to the victim and make for sexy headlines. But far too little is dissected and analyzed about service disruptions.
TJX may have lost more than 45 million credit card numbers in what was the largest data breach at the time in 2007. Yet relatively few stopped shopping and using credit and debit cards at the retail chain, and its stock price never truly suffered. The same scenario played out for the hundreds of other data breaches resulting in the loss of payment card information.
But what happens when you cannot access your online bank account, Amazon.com, or a city government portal to renew your driver’s license or pay your property taxes because hackers with a cause have taken it down with a denial-of-service attack? Or worse, what happens if the lights go out, or the water stops running, because a state-funded crime group takes down a utility on behalf of an unfriendly country?
Disruptions to critical services can have a dangerous impact on public safety and the long-term economic viability of a country, and shouldn’t be fluffed off because it’s largely the domain of the truly unsexy networking infrastructure world.
RSA Security executive chairman Art Coviello addressed disruption during a media event at the company’s Bedford, Ma., headquarters yesterday. He said he urges his customers to treat bad metaphors such as Cyber Pearl Harbor as useless rhetoric because they don’t advance the understanding of critical issues.
“It’s difficult to do a destructive attack online,” Coviello said. “Even the attack on Iran (Stuxnet) required some level of manual intervention to pull that off; you couldn’t do it remotely. You don’t have to have destruction to have a serious problem. If an attack is successful enough, you can have disruption with significant financial consequences that result in a loss of confidence that is out of proportion with the financial loss in question.”
Coviello pointed to the recent DDoS attacks against a number of major U.S. financial institutions. The attacks are a perfect storm of forces conspiring to interrupt and disrupt services critical to the lifestyle we’re used to in the U.S. Hacktivists have stepped to the fore and claimed responsibility for the attacks, in retaliation, they say, for a series of movie trailers they deem offensive to Muslims.
Many in the security community question the veracity of those claims, but nonetheless, there are skilled, well-resourced hackers out there capable of firing unprecedented levels of traffic simultaneously to a number of banking services. The attacks result in intermittent outages and disruption of services to consumers, and increased costs to the banks to mitigate the attacks.
Coviello suggested the security industry needs to flip its spending paradigm on its head. Right now he estimates anywhere from 70 percent to 80 percent of budget is dedicated to prevention technologies, while the rest is devoted to detection and incident response. RSA, of course, has a vested interest in saying so given its product offerings, but the industry as a whole has been preaching better detection for some time now. Service disruptions such as the banking DDoS attacks coupled with nation-state espionage campaigns such as Flame, Red October and Duqu could force the shift Coviello is talking about. The U.S. legislature also needs to advance the discussion, Coviello said, with laws that focus on outcomes rather than prescribing behavior and spending.
“I think California SB 1386 is a great model; I have an outcome and I have to go public and let them know they’re vulnerable,” Coviello said. “It’s not about humiliating companies, it’s about getting companies to do the right thing in the first place. That bill did more than anything to move the retail industry in the right direction—health care and others too. Tell me what’s wrong with that?”
Coviello said RSA’s threat researchers have seen evidence of cybercriminal gangs collaborating and coordinating attacks, and even rogue nations sub-contracting attacks to criminal enterprises. With data moving at unprecedented rates on more platforms than ever, IT organizations, especially those in smaller companies, are going to be overrun without a renewed focus on preventing disruptions alongside the focus on data protection. And they’ll need help from the government, whether it’s in the form of new laws or a presidential executive order.
“Governments continue to fiddle while Rome is burning and will not pass legislation,” he said. “We can’t get privacy guys to understand the threat is real without thinking people are just out to trample on privacy. And on the other side, you’ve got those who are anti-regulation, even if the regulations are focused on outcomes. All of this paralyzes government’s ability to help.”
Art Coviello image via bocek.kevin‘s Flickr photostream, Creative Commons.