Roundtable report

A secure cyberspace: Who’s responsible?

“With a huge increase in the number of internet-connected devices, industry and governments are both waking up to the reality that much of what is already out there is unsecured and readily hackable.” Paula Januszkiewicz, CEO of CQUREAcademy.com

Foreword

Paula Januszkiewicz, CEO of CQUREAcademy.com

At the 2017 RSA Conference, 43,000 people converged in San Francisco to share ideas about how to protect their valuable assets — and the internet as a whole — against malicious forces. Individuals from CEOs to high-school students came together to explore how they can keep people, data, and organizations safe, while protecting the internet as an open, trusted entity.

Today’s threat landscape is troubling. The conference took place at a time when cybersecurity breaches have become mainstream news. Two distinct themes emerged in headlines and conference sessions alike: security vulnerabilities within the Internet of Things (IoT), and the rise in state-sponsored cyberattacks.

In late 2016, IoT was riding high on a wave of consumer appetite and manufacturing enthusiasm when a high-profile attack made people think again. The Mirai botnet managed to recruit 100,000 endpoints to launch a wave of distributed denial-of-service (DDoS) attacks on domain name service (DNS) provider Dyn, taking down much of the internet across the East Coast of the US, including Twitter, Airbnb, Netflix, Reddit, and CNN.

At the conference, there was a lot of talk about state-sponsored cyberattacks. Speculation about Russia’s role in the 2016 US presidential election serves to highlight this growing threat, which seems particularly ominous to the Western world where systems are largely operated, managed, and secured by the private sector.

How we come together to overcome these challenges is of critical importance as the world becomes more connected digitally, but more divided in its world view.


About the roundtable

The roundtable brought together senior security professionals from a broad range of backgrounds: from academia to law, government policy to security consultancy, and financial services to startups.

The selected attendees included:

• Former advisors to the White House, the Department of Homeland Security, the FBI, and the CIA

• Chairperson of the Internet Architecture Board

• Chairperson of the German IT Security Association

• Senior editor of the Journal of National Security Law & Policy

• Security advisor to Microsoft, who has access to the Windows source code

Paula Januszkiewicz chaired the discussion, which centered around two topics that are never far from current headlines: the security of the Internet of Things, and the growing threat of state-sponsored cyberattacks.

During the RSA Conference in San Francisco in 2017, Verizon Enterprise Solutions set up a roundtable dinner discussion where a panel of speakers could discuss the topics that matter most to the industry and society.

Contents

Foreword

About the roundtable

The internet of (insecure) things

State-sponsored cyberattacks

Contributed feature

Conclusions

About Verizon Enterprise Solutions

The internet of (insecure) things

With a huge increase in the number of internet-connected devices, industry and governments are both waking up to the reality that much of what is already out there is unsecured and readily hackable.

Commentators and analysts have been warning of inherent security flaws in internet-connected devices for years. But these warnings went unheeded as consumers sought low costs and brands rushed to deliver products quickly to a hungry market.

These devices were then deployed with their weak default passwords unchanged, leaving them open to anyone with an internet connection and the desire to do damage.

The panel debated what should be done to make the devices more secure, with proposed solutions including certification, legislation, insurance, making manufacturers liable, and better end-user education.

Professor Norbert Pohlmann from the Westphalia University of Applied Sciences Gelsenkirchen advocates a more strategic approach to the architecture of IoT, arguing that the frameworks already exist. “If IoT is bringing all this innovation, why don’t we start with a new IT architecture? A security kernel with separation and isolation technology combined with intelligent cryptographic security mechanisms (TPM). This technology is available right now.”


Most agree that certification and legislation are not flexible enough to protect against an agile threat landscape. “Certification and regulation will always lag behind technical innovation,” says Professor Isaac Ben-Israel from Tel Aviv University. “Technological progress doesn’t fit the timescales of bureaucracy and legislation.” Erik Laykin, Managing Director of Duff and Phelps, agrees: “Certification is static, and we live in a world that is highly agile. By the time the White House comes out with a new rule, it’s too late; it’s obsolete.”

Incentives were also discussed. Davi Ottenheimer, President of flyingpenguin, stressed that it’s important to understand the incentives behind implementing secure practices. He gave the example of drone deliveries dropping parcels in illegal locations and simply paying off fines each month because it’s still profitable to make deliveries that break the law.

Expecting the market to bear the cost of improved security is unrealistic, many contend. Founder of Red Branch Consulting Paul Rosenzweig says: “The market doesn’t price insecurity. If my Nest device gets hijacked and takes down your network, I don’t care at all. This is a perfect example of an externality that will never be built into the price of a product, and never will be, because nobody sees the benefit in it.”

A better approach would be to incentivize those manufacturers to improve security by making them liable for damage caused through vulnerabilities in software or hardware.

One president of a cybersecurity non-profit organization disagrees, however: “To talk about making software manufacturers liable doesn’t really work, unless there’s some sort of negligence standard. And I don’t think that negligence standards in the context of this environment work at all, because you can always find negligence after the fact.”


The question of attribution also arose. It is a thorny subject, and one close to many of the delegates’ hearts. “I cringe every time the attribution question comes up, because I automatically hear control over users, control over speech. Attribution and control, to me, go hand in hand. As a civil libertarian, I worry a great deal about that,” says Chris Calabrese, Vice President for Policy at the Center for Democracy & Technology, who then opened up the discussion by asking whether there are certain products and services where we should focus on attribution and others where we shouldn’t.

Finally, many agree that DDoS attacks are one of the less worrying attack types that IoT could lead to.

Professor Isaac Ben-Israel says: “DDoS attacks get media coverage that’s disproportional to the amount of damage they do. There are 2 million DDoS attacks in Israel a day. You never hear about them because the success rate is so low and they’re relatively simple to defend against.”

Much more worrying, many agreed, would be if a hacker managed to immobilize your car. Chris Calabrese speculates that most people would pay significant ransoms to regain control of the second most expensive thing they owned. And Erik Laykin points out that such an attack would pale in comparison to what a hacker could do to a car that was already in motion.

State-sponsored cyberattacks: Asymmetrical warfare

On the opening morning of the RSA Conference, Microsoft President and Chief Legal Officer Brad Smith called for a Digital Geneva Convention to protect civilians online in times of peace just as the Fourth Geneva Convention protects them in the physical world during times of war. Noting the North Korean attack on Sony in 2014 as a turning point, he remarked that we now see nation-state actors (NSAs) attacking civilian institutions in times of peace to achieve ideological aims.

Olaf Kolkman, Chief Internet Technology Officer at the Internet Society, paints a daunting picture: “If you look at what’s new in cyber warfare, for offense you need relatively small capabilities, while in defense you need incredibly big capabilities. And the offensive capabilities are indeed state sponsored, while the private sector is mostly responsible for the defense. That’s completely different from what we had before. Things like attribution and cyber stability suddenly become very important. When it comes to nation-state actors, attribution is already difficult in the physical world.”

The roundtable delegates, many of whom have direct experience working for and with federal institutions to prevent and protect against cyberattacks, agree that we are living in uncertain times.


One Dutch delegate noted that the Netherlands — which already banned electronic voting in 2007 — has recently committed to counting all ballots by hand in its 2017 election.

“Doesn’t that depress you though?” responds Paul Rosenzweig. “That our answer to the threat is to go back to 1970?”

But the remaining delegates seem to share a pragmatic view of the West’s current ability to withstand attacks.

One says: “If you’re looking for a commercial product to beat a state-sponsored attack, I don’t think you’re ever really going to be successful. It’s nice to talk about things like liability for software manufacturers, but the best science we’ve got says you can get to maybe 10 vulnerabilities per 10,000 lines of code, not 0 vulnerabilities.”

A senior security professional from the financial services industry sums up his approach: “Perhaps rather cynically, I assume I have nation-state actors on my network. I don’t worry about them. They’re not going to steal my money. I can’t defend against them, and if I did defend against them, they’d still be in my network, working out who’s transferring money to where. Of course, when the worry is that state actors also decide that they want to steal your money — it’s a hard question to address.”


Frank Ciluffo, Director of the Center for Cyber and Homeland Security at George Washington University, thinks that it’s unrealistic to expect private firms to hold the front line. “How many companies go into business thinking they’ll have to fend off a nation-state actor? But cyber’s only a small piece of what a nation’s going to throw at a company, so if you answer that piece of the puzzle, you’ve still only answered one piece of the puzzle. We’ve learned that the hard way.”

The consensus seems to be that cross-industry and state cooperation is required if Western institutions are to fend off NSAs. Frank Ciluffo adds that whereas technology will continue to change and evolve, human nature remains quite consistent. As much as the cyber challenge is about technology, it is equally about people. And the threat also includes insiders, or traditional espionage, which nations can also direct toward companies.

Verizon’s Senior Risk Analyst Marc Spitler added that the cybersecurity industry needs to make it harder for attackers to advance from their initial foothold into an organization’s network. “There are many breaches that begin by exploiting weak configurations or using social techniques to install malware,” he says. “Once malware is installed on the initial system, attackers are more than happy to harvest additional, legitimate credentials to advance their attack as opposed to working on finding weaknesses in devices that they have to exploit to move on. I want to live in a world where we make hackers hack again!”

Contributed feature

Internet of insecurity: Can industry solve it or is regulation required?

In the eyes of the Internet Society, both industry- and regulatory-led solutions are needed. But this answer comes with a warning that regulatory hammers such as banning unsecure devices are not going to be successful. Regulatory tools are likely to be more effective in creating the right environment for solutions to develop. We have to understand possible side effects before — as well as after — introducing rules and regulations.

Responsibility is not in the hands of any single institution.

Industry must take a leadership role in making security a business differentiator. Companies must create best practices. They must also be kept accountable by consumers, shareholders, and, as a final resort, governments.

Governments should translate societal expectations into boundary conditions that must be met by consumers and industry alike. Furthermore, policies that assign liability will be a factor in creating accountability. As will imposing serious fines when boundary conditions are not met.

This is what we mean by collaborative security — no single actor can offer a solution to the security challenge. And actions taken will have reactions across the ecosystem. So, technologists, civil society, and policymakers must find each other to understand the issues that face us and address them head on.

Olaf Kolkman, Chief Internet Technology Officer, The Internet Society


Conclusions

Similarly, nation-state actors are working their way through networks right now. Nobody quite knows to what extent, but it’s safe to assume that their impact is more profound than any official channel will admit.

With the odds stacked so unfavorably against the good guys, collaborative security is a crucial tool that industry, individuals, and governments can use to defend a free, open internet. But it is only effective if each actor assumes its responsibility.

Consumers must play their part by securing their own networks and endpoints. Default admin passwords on routers and devices represent an open target for attackers and are exploited daily. It’s a five-minute job to secure the devices in one home, and if everyone takes that time, the attack potential across the whole internet is massively decreased. Consumers can also vote with their wallets by buying more secure products, forcing industry to react.

Industry can contribute by improving the quality of its code. During the cryptographers’ panel at the RSA Conference, Whitfield Diffie, one of the pioneers of public-key cryptography, elicited a huge round of applause. He said that industry should redirect its efforts away from “interactive security” methods, like virus screening and fighting back, and towards developing better code and cryptography techniques.

Finally, governments can act by recognizing the urgency of the situation, understanding the complexities, and responding with well-informed policy to combat threats. In turn, this should incentivize consumers and industry to play their parts.

Some people might argue that we should never have connected so many weaponizable devices to the internet in the first place, and that the utility of “smart” fridges, toothbrushes, light bulbs and toasters is scant. However, IoT is here to stay, and it needs protecting.

About Verizon Enterprise Solutions

Verizon believes that technology should help organizations achieve more. We help businesses do exactly that daily — co-creating innovative connected products, rapidly and securely deploying apps in the cloud, managing employee-owned devices on a global scale, and deflecting sophisticated hacker attacks.

Advancing technologies, like cloud, machine to machine, and mobility, are making daily business interactions easier. But securing the networks they rely on is more difficult than ever. Today’s security starts with understanding threat and attack patterns — aggregated from multiple, global sources.

Verizon works with hundreds of organizations across the globe to help them better prepare for attacks, recognize threats and potential breaches, and respond quickly and accordingly.

Verizon’s security team has analyzed over 190,000 security incidents and 6,300 confirmed data breaches over a decade, providing insights into the risks enterprises face, much of which is contained in reports such as the Verizon Data Breach Investigations Report (DBIR) and Data Breach Digest (DBD). The security team can be contacted at [email protected].
