Cyber crimes in the news recently have included the electronic looting of credit card information from large retail chains, and posting explicit or compromising celebrity photos lifted from supposedly secure accounts.
But cyber criminals are capable of acts rising to the level of terrorism, according to a panel of experts who spoke at the second annual Wisconsin Cyber Security Summit, held Oct. 8 at Marquette University in downtown Milwaukee.
“When you think about all the threats to our society … it’s not just threats from abroad,” said Gov. Scott Walker, noting that successful cyber attacks on government agencies and private enterprises such as power generating plants, financial institutions and communication networks could seriously disrupt daily life. “I don’t think any of us shouldn’t think that a terrorist wouldn’t shift gears. We have to be vigilant every day of the year.”
While technology has made industry more efficient and provided new opportunities to obtain or exchange information electronically, reliance on a cyber network exposes vulnerabilities that can be exploited.
“I’m saddened to say the message I have today is the same message I gave in 2001,” said William Pelgrin, the president and chief executive officer of the Center for Internet Security, and chairman of the Multi-State Information Sharing and Analysis Center (MS-ISAC). “There are two classes of cyber victims – those that know they have been attacked, and those that don’t.”
Pelgrin recommended five steps to “protect the perimeter” of data: Count – know what is connected and running on the network; Configure – install security settings to protect systems; Control – limit administrative privileges that can change or bypass security settings on the network; Patch – regularly update applications, software and operating systems; and Repeat – follow the previous four steps to regularly patrol the network.
“You cannot unwind the cyber from the physical,” he explained to the 233 summit attendees. “They are connected.”
The human element is a key variable in cyber security, in that programs, devices and networks do not upgrade or violate security policies on their own. David Cagigal, Wisconsin’s chief information officer, noted that common business and communication practices can jeopardize cyber security efforts. For example, informing employees about the new protocol for safeguarding the business network by e-mail is efficient, but the sender no longer controls the e-mail once it has been sent. Directing employees to review the new protocol at a secure website is a better practice.
“There’s no difference between your computer at work and your computer at home,” Cagigal said. “The vulnerabilities are the same.”
Though the early presenters focused on threats to data network security, Cagigal wanted to leave the audience with a positive note.
“We can do this,” he said.
Ronald Yearwood, a section chief in the FBI’s cyber division, offered a brief outline of some of the bad players in cyberspace. “Hacktivists,” for example, conduct cyber attacks in the name of political activism. Cyber criminals steal data that they can convert into profit or access to more information. Cyberterrorists seek to intimidate or coerce their victims through disruptive or destructive actions on behalf or in support of a terror group or a terror ideology.
“The only way to stop this kind of crime is through coordinated effort,” Yearwood explained. “Through partnering and collaboration, we will be able to protect our nation’s vital information.
“This problem is pervasive and advancing,” he continued. “The adversaries are innovative and capable. No agency can do this alone.”
Yearwood said cyber criminals succeed because they have no boundaries. He argued that the response to cyber criminals is to have the same boundary consideration – to go after every facet of cyber crime.
“The future holds threats that are global,” Yearwood warned. “We want to take the fight back to the enemy – we don’t want to just respond. We want to take back our cyber territory.”
Dan Lohrmann, a former cyber security official for the state of Michigan and now a security analyst for Security Mentoring, Inc., challenged conventional information technology and network security thinking.
“State government is not known to be the leading edge on technology,” he said – due, in part, to network security professionals resisting new or popular technology trends.
“Security pros are known as disablers,” he continued. “Stop saying ‘no’ – become an enabler.”
Lohrmann recounted his own career-threatening decision to tell the chief information officer of Michigan that installing a wireless network in all the conference rooms was out of the question due to the unsecure nature of such networks. The CIO replied that the Big Three automakers were using wi-fi in their corporate headquarters, so a solution to the security issues must have been available.
Then the CIO gave Lohrmann one week to figure it out.
Lohrmann urged network security professionals to stop being “no” men and become trusted advisors by building a different kind of network – with their colleagues outside of the IT or security departments. He also encouraged adhering to a cyber code of ethics, which he warned can degrade one click at a time.
Marcus Sachs, Verizon Communications’ national security policy vice president, spoke about measuring risk to data networks. Citing former Defense Secretary Donald Rumfeld’s famous “Unknown unknowns” press conference, Sachs said that focusing on the unknown reduces risks.
Four examples of “unknown unknowns” include unknown devices or applications, unknown data stored on the network, devices with unknown network connections, and assets with unknown accounts or network privilege.
“These four unknowns bite you in the rear,” Sachs said. “But now they are no longer the unknown, because you know.”
Cyber criminals have gotten to the point where they can break into networks in a matter of minutes or seconds, Sachs said – and the security breach may not be noticed for weeks or even months.
“There will always be risks you don’t know, but you want to make that area of risk smaller,” he said. “Spend your time and resources digging – that’s how you improve risk management.”
Israel is pursuing a wholistic cyber security initiative, said Rami Efrati, former head of the Civilian Division of Israel’s National Cyber Bureau. In addition to developing a robust government cyber security program and building information-sharing partnerships, civilian businesses are encouraged to develop strong cyber security practices as part of their license renewal.
“It is a process, and it is taking time,” Efrati said, “but it is beginning to work.”
Brig. Gen. John McCoy, deputy adjutant general for civil support, explained that the National Guard has a logical role in cyber security.
“We’re the governor’s first military responders in the event of a local disaster,” McCoy said. “Cyber is just an extension of that.”
Underscoring that, Walker appointed Maj. Gen. Don Dunbar, Wisconsin’s adjutant general, to serve as the senior state official for cyber security matters. The next update of the state’s Homeland Security plan will include a cyber security plan.
Dunbar said the goal of the state’s “Cyber Hygiene” campaign is to make complex ideas understandable. The five steps Pelgrin described – count, configure, control, patch and repeat – do that, and Dunbar called on the IT personnel and security professionals to spread the word.
“The goal is to be 100 percent protected,” Dunbar said. “While we may never achieve that, this is a great place to start. If we can get the citizens in Wisconsin to take these five steps, if we can get the businesses in Wisconsin to take these five steps, we can increase our [cyber security] posture.”