Around the world, cyber security is a huge problem, with both government and private industry struggling to defend against attacks. In the majority of countries, companies that are breached face additional penalties, since they are fined for ‘allowing’ the violation. This approach has proven only mildly successful, because most firms game the system by weighing the potential fines against the likelihood of a breach.
The UK recently released a new strategy document delineating its future approach to cyber security. Capitol Hill is also pushing cyber-security legislation to the top of the agenda, and the Department of Defense has declared that real-life military retaliation can be a valid response to cyber-attacks. Meanwhile, the news magazine Der Spiegel recently reported that cyber-crime in Germany has reached an all-time high. All around the world, governments face the same challenge: building a national cyber-security strategy that protects their citizens.
Step One: Setting Priorities
Crafting such a strategy means focusing on three key areas: protecting government systems, protecting national infrastructure, and finally, establishing the systems, controls and processes that help the private sector operate safely in cyberspace. Along those lines, the strategy should incorporate the following activities:
1. Centralizing all outbound (especially Internet) communications of government organizations under a single authority. The authority’s responsibility should be two-fold. First, it should create robust monitoring and attack-detection capabilities spanning all communication layers, and in particular the application layer, where most attacks against public-facing services actually take place. Second, it should set security standards that bind any government-affiliated organization adding a new public-facing connection.
2. Protecting national communication backbones against denial-of-service attacks. In particular:
• Ensuring enough internal redundancy.
• Maintaining enough redundancy with respect to out-of-country communication lines.
• Timely detection of attacks of all types, including physical tampering with communication lines.
3. Engaging in a comprehensive and ongoing risk-management process. National infrastructure systems (e.g. traffic control, train systems, and power grids) should first be evaluated according to the potential impact of their compromise. As a second step, a thorough technical evaluation of the security posture of the involved systems should be performed, either through pen-testing or an exhaustive vulnerability assessment. Any further investment in protective controls should be guided by the results of this risk assessment, directing resources to the systems at highest risk or with the weakest security posture.
4. Performing hacker intelligence. Analyzing hacker activity, such as hacker tools, attack origins, and attractive targets, enables the authority to detect substantial attack campaigns against the nation’s computers in a timely manner. Based on the same data, the authority can also guide the creation of proper defense mechanisms.
5. Creating processes and tools for analyzing information. Receiving data from the private sector, and especially from network carriers, can enrich the data analyzed by the authority’s hacker-intelligence function. Further collaboration can include detecting attacks that originate inside the country and regularly rooting out the compromised machines behind them.
Step Two: Refine Current Crime Laws
Cyber-crime legislation should be integrated with physical crime laws. For example, the US cyber-security proposal suggests applying RICO (the racketeering laws used to convict organized crime) to cyber-gangs. The government should embrace this initiative, but also take it one step further by not tying the law to where or through which medium the crime originates. When RICO was first introduced, it did not mention the Internet, since no one could have imagined its existence. Today, we cannot imagine what will exist in two or more decades, so let us prepare in advance.
Step Three: Apply Regulations to Businesses
The country should also ensure that citizens’ data, whether account numbers, health information or other Personally Identifiable Information (PII), is securely stored. This means defining exactly what constitutes sensitive information and establishing requirements for the security controls that protect it. Compliance laws must encompass more than just customer information; they should also take Intellectual Property (IP) into account. The perpetrators of IP theft are often business competitors and nation-states, and since the victimized companies will require the assistance of their country, they should in turn be obliged to adhere to compliance standards.
The US cyber-security proposal has taken a positive step by suggesting the standardization of the data-breach notification process. The problem is that the proposal lacks specifics: it should contain more detail on the actionable steps for protecting data and intellectual property. The importance of such laws and standards is difficult to overstate. Taking the Payment Card Industry Data Security Standard (PCI DSS) as an example, studies have shown that businesses that adopted PCI DSS experienced a much lower rate of data breaches. Many US states in fact use PCI DSS as the de facto standard for their data privacy and security initiatives, simply because of its effectiveness and prescriptive nature. Countries as a whole can apply this model to legislation at the national level.
Step Four: Apply the Above
We are beginning to see nations take the first steps in developing sound cyber-security strategies. Towards the end of last year, the European Network and Information Security Agency (ENISA) performed its first pan-European cyber-exercise, which next year is slated to include the United States. Concerned with the growth of botnets, ENISA has also published recommendations on mitigating and preventing the threat of bots.
The collaboration of governments and the security community has also begun to garner more attention. A recent example of this cooperation was the takedown of the Coreflood botnet, a joint effort that involved federal agents and ISPs. The collaboration between government agencies and the private sector has proven successful. It is now our turn, as citizens, to ensure that the government does not abuse the authority that such a cyber-security strategy may give it. The Coreflood takedown allowed the feds to communicate actively and directly with infected computers. Yet it also showed the power that federal agencies can exercise over our computing devices, at any point in time.