Interview by: Sergei DeSilva-Ranasinghe.
In today’s rapidly changing world, cyber security has taken on a new meaning with increasingly pervasive and unprecedented acts of criminality and espionage aimed at the public and private sectors. According to Dr Paul Nielsen, Director and CEO of the reputed US-based Software Engineering Institute at Carnegie Mellon University, the public and private sectors worldwide urgently need to embrace new era of major change if they hope to withstand the increasing risks to cyber information and security systems.
Australian Security Magazine: In BOLD
Q: How seriously should the public and private sectors take the threats posed to cyber security today by individual hackers, organised crime, terrorist organisations and, increasingly, foreign governments?
Paul Nielsen: Very seriously. There have been several recent cases where cyber security failures have posed existential threats to private companies, and national governments have found their ability to maintain secrets seriously undermined. Recent examples involve WikiLeaks and HBGary, a private U.S. security company. The Stuxnet worm, which affected industrial control systems, has also been very notable. These incidents have resulted not strictly from problems with technology, but also by basic failures to manage the people and processes surrounding information technology.
The potential for data theft and disruption is very real and increasing. The SEI has seen significantly greater reporting of serious attacks and compromises over the past year. This may be partially due to new laws and regulations requiring certain types of attacks to be disclosed, as well as there being somewhat less stigma attached to victims of these attacks. An associated trend is that even the smallest of businesses are being impacted by criminal activity, such as theft of funds via the business’s online banking account.
However, while the problem is real, there has been a great deal of fear, uncertainty, and doubt that has been counterproductive. Information technology and complex systems have contributed greatly to quality of life around the world. What is needed is a better understanding of information and communication technology and management.
There are common examples of, for instance, companies purchasing US$300,000 technical security solutions without ever bothering to place a value on the protected information to begin with. At a national level this better understanding begins with basic questions: “What are the information and systems that we really must protect, how do we protect them, and what does that protection mean, not only from a strictly technological perspective but also from legal, social, and organisational perspectives?”
Q: How should, and can, the public and private sectors realistically respond to the threat posed to cyber security?
Paul Nielsen: Both the public and private sectors would benefit from enhancing not only their technological capability, but also their ability to manage security and resilience in a timely, proactive way. The best plan for response is one that minimizes the need for response. Too often, organisations institute security measures, only to find after a few months that risks, vulnerabilities, and threats have shifted around them. The first step is to understand what assets they have that need to be protected, and based on the value of those assets, develop plans and strategies for effectively protecting those assets.
However, the best preparations will not prevent all compromises. Organisations need to establish processes and technology to detect, respond, and recover from incidents and to prevent that type of attack from being successful in the future.
Government working, with industry, can help in the detection and response phases by sharing actionable information about new kinds of attacks and threats where there are not yet effective defences or response plans. Government can help facilitate this collaboration both by sharing unique information and analysis that government has, and by providing forums for industry collaboration where industry might not be able to do so itself (for example, because of antitrust laws or regulations). In some cases facilitating information exchange among industry itself may be more important than between government and industry. To that extent, governments have an important role to play in setting the legal climate and the rules of the road.
Government and industry working together then also have the ability to update best practice guidance based on the most recent threats and attacks. This best practice guidance is most effective when it includes both technical solutions and the business issues that provide guidance in making the necessary business decisions.
On a more strategic or general level, both government and the private sector should strive to reach understanding on a couple key points. Whether or not they actually do often involves the history, politics, or legal climate in a particular country. Governments should realise that in most cases the critical infrastructure and information they are concerned with are in private hands. This means that government action must be arrived at with advice and input from the private sector. The legislation that might look strong in the newspaper might not prove effective or even desirable in practice.
To read the full interview, make sure you subscribe now! Go to http://www.australiansecuritymagazine.com.au/subscribe/ and purchase either a 1 year or 3 year subscription today!