My opinion of corporate IT security is similar to Michael C. Ruettgers’ attitude to EMC’s products on the day he started at EMC. Bloomberg Business told the story well: “It was 1988, and the data storage company was reeling from quality control problems that caused its products to crash without warning. Ruettgers had been brought in to fix the mess. Calling a morning meeting that first day, he took out a pile of airsickness bags from his briefcase and placed one in front of each seat around the conference table. As the group filed in, the sturdy six-footer stood with his arms folded. Then, raising one of the paper bags in his hand, he delivered his opening remarks: ‘The quality of our products makes me want to puke.’”
Why you shouldn’t be cheating your customers
The quality of EMC products has since improved, but it took a gargantuan effort and a major strategic turn-around for the company. I remember a similar moment after RSA Security got hacked in 2011, when Art Coviello, their CEO, stood up at the RSA Conference and announced that we would all have to accept intruders inside the perimeter fence. Many organisations felt cheated.
They had been paying vast amounts of money to these very companies, who said they could keep attackers outside the doors; now the same companies were admitting defeat, and many thought it was only because of the public relations disaster RSA Security found itself in. Ironically, the RSA Security brand, like an inscrutable hacker, has since disappeared inside the EMC / Dell brand.
As Bruce Schneier, the renowned security expert, wrote at the time: “Security is all about trust, and when trust is lost there is no security. Users of SecurID trusted RSA Data Security, Inc. to protect the secrets necessary to secure that system. To the extent they did not, the company has lost its customers’ trust.”
Now, four years after that data breach, and with a litany of further hacks to the industry’s name, major questions are being asked by the United Kingdom’s spy bosses about the efficacy of cyber security against the hackers.
In a startlingly bald statement, as blunt as any Michael Ruettgers made, Robert Hannigan, director of GCHQ and the United Kingdom’s spy boss, said last week: “It is time to take a hard look at whether the international market for cyber security is working sufficiently well… something is not quite right here. Standards are not yet as high as they need to be.”
And don’t let me get started on SCADA systems
The problem GCHQ is addressing is that a destructive attack such as the 2014 attack on Sony Pictures could do critical damage to a corporation, or to a utility or power plant. Utilities are notoriously easy to hack into given the antiquated nature of their supervisory control and data acquisition (SCADA) systems.
They are so antiquated that most operators try hard to avoid connecting them to the internet at all. Dell said in its report: “Because companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported. As a result, other industrial companies within the space might not even know a SCADA threat exists until they are targeted themselves.”
Yet the attacks are happening. According to Dell’s annual threat report, cyber attacks on SCADA systems seen by Dell nearly doubled from 91,676 in 2012 to 163,228 in 2013, and then quadrupled to a frightening 675,186 in 2014.
GCHQ can help us to protect our national critical infrastructure, but if a major corporation’s network went down it would be on its own. TalkTalk was lucky; it was only partially hacked. A revamped Stuxnet could give us a much bigger headache. The security industry has to start spending some of its cash on really imaginative defences, or we will be in a very sorry state if our real enemies find the courage to come after us in earnest. Yet the money already being spent on cyber defences is astronomical, and we are not getting value for our tax dollars.
Our international security efforts have been boundless if you measure them by the vast amounts of money wasted
Analysts at Gartner estimate that worldwide spending on information security reached $71.1 billion in 2014, an increase of 7.9 percent over 2013, with the data loss prevention segment recording the fastest growth at 18.9 percent. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion.
According to Gartner, the increasing adoption of mobile, cloud, social and information (often interacting together) will drive use of new security technology and services through 2016.
“This Nexus of Forces is impacting security in terms of new vulnerabilities,” said Gartner research director Lawrence Pingree. “It is also creating new opportunities to improve effectiveness, particularly as a result of better understanding security threats by using contextual information and other security intelligence.”
Since the Twin Towers attacks on 9/11, our international efforts to increase security have been boundless if you judge them by the amounts of money spent. The USA spent $649bn on security between 2001 and 2011. The US Department of Homeland Security’s (DHS) 2016 cyber security budget has $479.8 million for Network Security Deployment, including the EINSTEIN3 Accelerated program, which enables DHS to detect malicious traffic targeting federal (non-Department of Defense) networks and to prevent that traffic from harming them.
The budget also has $102.6 million for the Continuous Diagnostics and Mitigation program, which provides hardware, software and services designed to strengthen the operational security of federal (non-Department of Defense) networks, and $5.1 million for the CyberSkills Management Support Initiative, which is intended to bolster DHS’s ability to develop and maintain a robust cybersecurity workforce.
A United Kingdom resident is fighting extradition over attacks on US Government systems
That’s a lot of defence dollars, but it didn’t stop the biggest breach in US Government history this year, when 21.5m people had their personal information, including social security numbers and fingerprints, stolen from the Office of Personnel Management (OPM).
United Kingdom resident Lauri Love is currently in an extradition battle after being accused of hacking into the US Army, NASA, the Federal Reserve and the Environmental Protection Agency.
In the United Kingdom, the ‘austerity’ Chancellor has announced he has just ‘found’ an additional £1.9bn in the UK’s bare larders to spend on countering cyber-security threats.
EMC dug itself out of a big hole and is now re-inventing itself under the Dell umbrella. Mr Pingree at Gartner seems to think the security industry can do the same. I wonder if Mike Ruettgers can be persuaded out of retirement?