By Ben Rothke
Session description: Effectively preventing cyberespionage is a massive undertaking. But if you don’t undertake it, attackers will potentially overtake your business.
Last month at the RSA Conference, I led a P2P session on countering cyberespionage. At the outset, I defined cyberespionage as the use of computers or networks to gain illicit access to data, programs or systems.
Not long after the conference ended came word of the Vault 7 hack, where documents and software from the CIA were made public. As I write this, the CIA hack sounds like a textbook case of cyberespionage, where an internal contractor was the perpetrator. And the victim firm was left heavily embarrassed and shaken.
In the session, the 25 attendees from various industries (none, seemingly, from the government sector) had 50 minutes to identify the key issues and think of high-level ways to address and fix the problem.
As people started interacting, the difficulty of the situation and its ensuing challenges quickly presented themselves. One of the two key challenges acknowledged was the difficulty in quantifying who the adversary truly is. A number of attendees also readily admitted that they didn’t have a clear handle on who exactly their adversaries were. Another key factor identified is that many firms also don’t have a handle on where all of their data stores are.
The inability to know who an adversary is, combined with the uncertainty about where all of the data is, sets up a perfect storm where cyberespionage flourishes. And often flourishes for months or years without being monitored by the very firms that are being attacked.
In under an hour, we identified over 20 areas that must be considered when developing a formal cyberespionage program. These included a wide set of domains, from data classification and security awareness training to cloud due diligence, incident response and more. The underlying message is that dealing with cyberespionage requires not just the information security department, but just about every department in an organization.
One of the key takeaways was that in order for an organization to make a cyberespionage defense program work, it’s imperative that they truly know and understand their business. It sounds counterintuitive at first, but far too many firms don’t really know themselves from an information security perspective. That is why they are so easily blindsided and fall victim to cyberespionage attacks.
As the session came to an end, it was eminently clear that there is no quick fix for the problem. While there were over 700 vendors just a few hundred yards away on the expo floor, there are no appliances or software that can singlehandedly be used to fix the problem.
Dealing with cyberespionage is a multifaceted issue that will take time to address. But everyone went home knowing that it was one of the key tasks that they realize must be at the top of their 2017 information security priority list.