It’s not unusual for cybersecurity vendors to time new product announcements and major initiatives to coincide with the RSA Security Conference. Similarly, major threat reports, such as Mandiant’s APT1 Report, are often released to gain maximum exposure at RSA. But now it seems the White House has gotten into the act with its release of the Cybersecurity Executive Order, or so the conspiracy theorists would argue. In any case, February was a busy month for cybersecurity, and attendance figures at RSA seem to suggest that we are once again seeing a resurgence in interest in all things cybersecurity after a decline, which, admittedly, was attributed as much to macroeconomic conditions as to interest in cybersecurity. Nonetheless, the message is clear that spending, hiring, and executive-level attention are all trained on cybersecurity. In fact, in his State of the Union, President Obama actually devoted a few lines to the topic in what could be a first for that forum.
But of course that’s just the good news. The bad news is that the reason cybersecurity has gotten a lot of attention is that attacks are up and our ability to thwart them is not. We’re like police officers welcoming a crime wave for all the overtime and job security it provides. But unfortunately, things don’t always work that way. Rising crime, like rising cyber compromises, does not always generate greater demand for protection services. Because crime and cyberattacks frequently destroy wealth, there is less money available to fund ever greater legions of tools and personnel to fight a battle that we’re losing. If we don’t prove our worth, businesses may choose to simply retrench and take fewer business risks and consequently generate less economic growth for our economy. If you know that your intellectual property is just going to get stolen, what’s the point of generating it in the first place? More important for this column, we’re seeing the steady drumbeat of warnings about risks to our critical infrastructure on almost a daily basis. Just this week, the Director of National Intelligence released his annual intelligence assessment placing cyberattacks ahead of terrorism as a greater threat to critical infrastructure in the United States.
What that leaves us with is how to solve this growing quagmire. For those who attended the RSA Conference or listened to various government threat briefings, the clear message seems to be that stopping advanced threats from compromising our infrastructure is not likely to be successful. Instead, we are being told to improve our situational awareness to effectively stop the bleeding, to detect compromises in a mere week or month rather than a year or longer as is typical today. The good news for critical infrastructure is that this is nothing new. Power grids, telecommunication networks, pipelines, and water systems were never meant to escape major storms, tornados, hurricanes, brush fires, or earthquakes. Instead, resilience and recovery always remained high priorities. In theory, power grids are supposed to isolate the damage without cascading to other parts of the system. Oil pipelines are designed to have outlets to relieve excess pressure. In the same way, the cybersecurity message of containment is a particularly valuable one to critical infrastructure. Asset owners need to know how they will respond when, and not if, they are compromised, and they need the visibility to know exactly what is happening. Answering those questions and preparing for those contingencies will do more to protect our critical infrastructure than devoting endless hours to comprehensive cybersecurity frameworks that are outdated from the moment they are released.