In Budget 2015, the federal government earmarked $58 million over five years to further protect its essential cyber systems and critical infrastructure and pledged an additional $36.4 million over five years to support cyber systems operators as they deal with security threats. Cheri McGuire is vice president of Global Government Affairs and Cybersecurity Policy for Symantec. She recently spoke with Vanguard about the nature and growth of those threats.
What are the major cyber concerns for governments and defence and security agencies?
The biggest challenges are frankly not any different than what we see for commercial and citizens generally. The major trends are the growth in the attack surface and the different types of platforms and devices that are being used. In the mobile space over the last several years, we have seen year-over-year triple-digit growth in malware and exploits that are being launched against different types of mobile devices. We expect that is going to continue.
With that we see much greater sophistication in the types of attacks and malware that are proliferating. And if the criminals, the hackers, aren’t very sophisticated, they can just go online and buy the tools, because many of them are easily available for purchase on the Darknet; you can rent a botnet for however much time you want; you can buy any type of personal information. All of those things are creating an expanding cyber threat environment.
Given that increase, what advice are you providing to governments?
A lot of the advice is around threat and security awareness and the appropriate protocols, and around the trends that we see coming down the road from an attack and from a security innovation perspective. We are also working with governments on information sharing. We want to make sure that privacy and civil liberties are protected, but we know it is helpful to everyone if we have a common picture of what the threat environment is so we can protect ourselves more effectively. So a lot of the conversations we are having with different governments around the world are around the notion of public-private partnerships for information sharing.
It seems we keep having the same conversation about improved information sharing. Is there progress?
We are still having that same conversation, but I do believe it has evolved quite a bit. Nine months ago we established a new information sharing organization called the Cyber Threat Alliance with Intel Security/McAfee, Palo Alto Networks and Fortinet. We are all competitors but we all have a common goal in protecting our customers and their data. We have been sharing across the security industry for 20 years but it was mostly at the signature-based level – antivirus. Security has progressed significantly from that. We are sharing at the next level, which includes things like botnet command and control servers, sophisticated malware – threats that we want to be able to share in a trusted environment. We have set up the platforms to share and keep information secure. And we have set up the protocols, meaning we have a very robust privacy policy. It is imperative we are protecting our customers’ privacy even as we are sharing this information.
Governments are being encouraged to move into the cloud. From a security standpoint, what are the implications?
The debate and the implications are about both the positive and the potential risks. The positive is that you get much greater efficiency for data storage and data growth. You potentially could get security scalability – you could get much faster proliferation of patches and security down to the device. You can also apply greater security to specific enclaves of data if you have appropriately categorized it.
On the downside, there is concern that if we put all of our information in one place and it gets hacked, then what happens? So you have to make sure you have best business practices in place: that you have redundancy, that you have built into your service agreements with your cloud providers appropriate security provisions and what they will do to protect your data. And then you have to have an audit ability to make sure those things are happening.
With breaches happening almost weekly, if not daily, are there keys to protection?
Studies have shown that basic security hygiene will help prevent a lot: strong passwords, data encryption, keeping your security software up to date, making sure your systems are patched, multi-factor authentication. These are things that any organization, and frankly any individual, can do. The Online Trust Alliance recently released a data breach guide…[and] found that 90 percent of the data breaches that are reported today could have been prevented by basic cyber hygiene best practices.
You can’t protect yourself from everything, but having a layered security approach that goes to policy, to access controls, to data prioritization, and to the people piece – building a culture of cyber security inside your organization and treating it just like you do physical security – is key.