Cybersecurity: Time for public and private sectors to step up
By Benjamin Cher, March 8, 2016
- Clarity needed from the public sector, participation needed from the private sector
- Information sharing will be key, new models are available for more effective sharing
IN today’s hyper-connected world, cybercriminals can now bring an element of physical danger to their activities by targeting critical infrastructure like power grids, nuclear plants and transportation systems.
The good news is that neither the public nor the private sector is taking this lying down, but the bad news is that much more needs to be done to secure such infrastructure.
“There’s been a lot of effort on information sharing, but one of the big pieces that were necessary was legislation,” said Mike Brown, vice president and general manager of the Global Public Sector business at cybersecurity firm RSA, a division of EMC Corp.
And that legislation became a reality last December when President Barack Obama and the US Congress signed the Cybersecurity Information Sharing Act, he told Digital News Asia (DNA) on the sidelines of the recent RSA Conference 2016 in San Francisco.
“That’s a big deal, because one of the things that private sector organisations wanted was liability relief – they wanted to make sure they were not going to be held liable for action or information they would be sharing,” he added.
While the new law might be an example for other countries too, Brown stressed that the technical details of information-sharing need to be ironed out.
“The public sector, the United States in particular, is now working on processes, procedures, and technical information to allow the bilateral sharing of information between private and public sector, which will take some time.
“It is now important for the private sector to step up, as some of the things they asked for have been provided, but I still think there’s a lot more to do,” he said.
The whole idea is to have real-time, actionable intelligence that can be used to prevent attacks, or to mitigate them as they happen, he added.
The new threat landscape was brought into stark relief last December when cybercriminals were able to hack into a Ukrainian power plant to cause a blackout affecting hundreds of homes, according to Engadget.
In the old days, the power grid had an ‘air-gap’ and was not directly connected to the Internet. Those days are over.
“What we are talking about now is a combination of industrial control systems and the IoT (Internet of Things),” said Brown.
“The case in the Ukraine is what we have been talking about – the potential and the threat,” he added.
Now the critical infrastructure sectors are paying more attention to these threats, but for the private sector to participate more fully in this process, they would need clarity from the public sector.
Brown took part in a panel discussion at RSA Conference 2016 which also had representatives from the White House, the Department of Homeland Security, and the Federal Bureau of Investigation (FBI).
The discussion revolved around incident response, and about roles and responsibilities.
“We need clarity about that too – many in the private sector think it is the Government’s role to protect a private sector infrastructure, which is not going to take place,” he said.
However, the public sector has done well in building a framework for the private sector to understand the risks and build a roadmap to mitigate and manage these risks, according to Brown.
“The US Government, working with the private sector, approached this from an international perspective, and the result was the NIST Cybersecurity Framework,” he said.
Unveiled in February 2014, the framework gathers existing global standards and practices to help organisations understand, communicate, and manage their cyber risks, according to the White House.
“For organisations that don’t know where to start, the framework provides a roadmap. For organisations with more advanced cybersecurity, the framework offers a way to better communicate with their CEOs (chief executive officers) and with suppliers about management of cyber risks.
“Organisations outside the United States may also wish to use the framework to support their own cybersecurity efforts,” it added.
“That’s a way to help the private sector understand what their risks are, have a common taxonomy, determine what their status is, and build a roadmap,” Brown declared.
“It would be good if regulators were using the same framework to assess the risks associated with these industries.
“Working hand-in-hand, the private and public sectors can come up with mechanisms to help raise the level of security and do that self-assessment,” he added.
While there has been increased talk about the new critical infrastructure threats, the only real measure is when cash is laid down, Brown argued.
“It is a choice that folks have to make – I think more leaders recognise the fact that they cannot wait.
“If you put all of your resources into a prevention strategy, you will be unsuccessful – you don’t know when you are going to be targeted, what the threat vector is going to be, what the time frame is like, and your attack surface is going to be continually increasing with the IoT,” he added.
And it is not enough to have a good mix of prevention, detection and response measures – you also need the right tools.
“It really is about having the right tools and capabilities, including people, that allow you to have the visibility and the ability to detect and respond when abnormal things happen,” said Brown.
“The focus that I see the community and end-users are moving towards is recognising that they have to understand their infrastructure,” he said.
The concept now is not just about recovery, but ‘resiliency.’
“If we are successful, as organisations individually or working together, we will be able to understand risk and prioritise resources, moving from just recovery to resiliency,” said Brown.
That resiliency can come from partnerships or an internal structure which allows for a “seamless change of operations” that ensures “the customer is not affected by anything that occurs at the organisation,” he added.
Benjamin Cher reporting from the RSA Security Conference in San Francisco, at the invitation of RSA. All editorials are independent.