Andrea Danti - Fotolia
Last month, a cyber-intelligence startup drew attention for one of the most compelling big data visualizations I've seen: A map of global cyberattacks, occurring in real time.
Created by Norse Corp., the map depicts a world lit up by a blaze of color-coded streaks signifying the different attack types and their country of origin. Norse calls the visualization the "Norse Live Attack Map." It is a mesmerizing rendering of the clear and present danger of cyberwar.
But the visualization is incomplete. The traced attacks are monitored by Norse through its honeypot infrastructure, decoy systems and servers that are set up to attract attacks such as distributed denial of service attacks. Let's face it, if spotting all cyberattacks were that easy, securing the enterprise would be a lot simpler. As CIOs and CISOs are keenly aware from strategies such as BlackPOS (the malware that gave Target Corp. a black eye), there are insidious and well-funded attacks that are difficult to spot in real time.
"If you look at the things behind the BlackPOS, the attacks on retailers, it's organized crime," said Udi Mokady, CEO and co-founder of CyberArk Software Inc., an information security company that specializes in protecting a company's privileged accounts. "We always think about organized crime as people who are selling stuff in the street, but these are guys who employ developers."
I had a chance to talk with Mokady and his CMO, John Worrall, on a recent visit to CyberArk's offices in Newton, Massachusetts. There, the executives told me about a security sea change they've witnessed in CIOs and CISOs over the last two years from keeping the bad guys out to accepting the fact that "advanced attackers are making it in," Mokady said. "The pendulum has kind of swung toward the bad guys in the last few years."
That's partly because the cyber-warrior job is lucrative, supported by a "fully evolved sub-economy," Worrall explained. "It's a whole multimillion dollar underground ecosystem or economy, and it's all segmented, just like you would see with traditional suppliers, distributors, manufacturers," he said.
Cyberwar concerns on Capitol Hill
I wasn't the only visitor at CyberArk that day. Massachusetts Congressman Joe Kennedy, a fresh face up on Capitol Hill, also stopped by. Kennedy said cyberthreats represent a growing concern for elected government officials, in particular, younger members of Congress. "If it's going to happen to Target and to eBay, and they're making fairly substantial investments in these type of protections, then it can happen to plenty of other, smaller players," he said, adding that cyberattacks are an issue he and his cohorts will be dealing with for as long as they're in office.
And that's worrisome. When it comes to IT security, government is better known for enacting regulations, such as the Sarbanes-Oxley Act, legislation that was long in the making and long in implementing. While regulatory standards are needed in order to push that cyberthreat pendulum back in favor of businesses and government, government and businesses will have to keep pace with the agility of cyberattackers, Kennedy said. "Our intelligence apparatus is aware of a number of these threats, certainly more and more businesses are now, but the scope of the threat is evolving rapidly and getting more sophisticated," he said.
If mandates and regulatory compliance aren't the answer (precisely because they give attackers insights into what businesses are doing in terms of security), how can Washington respond? Answering that question isn't going to be easy, Kennedy said, given the federal government's deliberate pace, even in the best of times. "And I think one could argue we're not exactly in those at the moment."
Potential for government/business partnerships
So what is to be done? Education is key. Kennedy believes getting students -- even fifth- and sixth-graders -- "excited about the prospect of programming" will be important for the government's ability to field a robust defense against cyberattacks. But he also wants to figure out how to incent business and communities "to do this on their own." Incentives might be supported by government, but they shouldn't be designed by it, he said. Instead, he believes technology experts should play an instrumental role in figuring out what the right incentives are for their businesses and communities.
To get this citizen effort going, Kennedy is developing an incubator of his own that leverages IT expertise in his district, beginning with the folks from CyberArk. It's not a bad place to start. Co-founded by Mokady and Alon N. Cohen in 1999, the company was started in Israel, long recognized as a hotbed of IT expertise. The biggest tech companies -- from Oracle to IBM to Apple -- all have a presence there, but it isn't just mega-vendors that are taking advantage of Israel's tech smarts. For years, the country has been referred to as a "startup nation" and "Silicon Wadi" (which loosely translates to "valley" in Hebrew). And many of these startups specialize in cybersecurity -- sometimes with American backing. Just last month, Microsoft announced it would be partnering with Jerusalem Venture Partners in opening a cybersecurity accelerator in Israel. The investment no doubt will pay off, given the business demand for cybersecurity tools.
"If you're a bank in Israel, you're bombarded with any sort of attack under the sun from anybody," Mokady said. "And so there is a need, basically, to develop protective measures and also offensive measures."
Mokady needed no convincing from Congressman Kennedy that government and businesses should work together to "get ahead of the pendulum." He said he has seen the partnership flourish in Israel, where the government's technological incubator program has been around since the 1990s. Mokady referred to it as a "kind of a magic program." "The government says you have to find private investors, but once you do, it'll match and provide even more -- something like two-thirds of the money -- just to get startups going in this space," he said.
Kennedy believes building a federally backed cybersecurity business incubator in the United States would be "challenging." "Given the financial situation we're in, we can't do earmarks and we can't do incubators," he said. But he is pushing ahead on the state level.
Meantime, a picture is worth 1,000 words. Feel free to forward the Norse Live Attack Map to your local representatives. Spend a few minutes monitoring the map yourself on this holiday weekend, and maybe ask what you can do for the government to foster cybersecurity. After all, the risk is real and rising, because, at the moment, there's not much to lose and plenty to gain.
As Mokady said, "It's much easier to rob a bank in your pajamas at home than to risk getting a bullet."
- Facing Third Party Risk Realities –RiskRecon
- Third-Party Security Risk Management Playbook –RiskRecon
- Third-Party Cyber Risk: 8 Key Considerations –RiskRecon
- Creating a Compliance Culture: Best Practices –SearchSecurity.com