“Over the last 11 years, our caseload has increased by 100 percent, which is itself a low estimate,” Venizelos said. “Cyber security is one of the biggest challenges our country is facing. We’re dealing with [threats] but we don’t always know where they are—we have IP addresses, but we don’t know who is behind the keyboard.”
The international nature of the conference, Venizelos said, indicates the scope of the task at hand.
Offering the keynote address was Sean Kanuck, national intelligence officer for cyber issues on the National Intelligence Council. A strategic analyst for the U.S. government on cyberspace matters, Kanuck argued that the most efficient way to identify and preempt cyber threats is to marshal the efforts of all those at risk.
“We can best understand the threat, understand our vulnerabilities, and help policy-makers by looking down the road and seeing problems that may lie in wait, and then engage with the private sector in the U.S. and globally . . . and seek joint solutions,” he said.
Kanuck outlined two types of cyber threats: computer network exploitations and computer network attacks. In network exploitations, cyber thieves gain unauthorized access to networks and steal information, but without altering data or denying access to it. As forms of theft or espionage, network exploitations are less serious than network attacks, which are forms of crime, terrorism, or military action. These can deny, disrupt, degrade, or destroy data networks and potentially harm devices, cripple infrastructure, or cause physical damage.
Understanding the different kinds of threats is crucial for mounting a response, Kanuck said, because each threat will yield a different consequence in how widespread its effects are—for instance, national versus regional in scope—and how long they last.
Responding efficiently to a threat also depends on where the threat is coming from. Countries with sophisticated technology, such as Russia and China, may have the ability to launch destructive network attacks but have minimal national interest in doing so. Cyber attacks from these countries tend to be for the purpose of espionage.
Other countries may have less technological capability, but might attempt attacks that have catastrophic, countrywide effects.
“You have to ask the questions: What are you trying to protect, from whom are you protecting it, and why?” Kanuck said. “Think about who you are defending against and what are their motivations, because that will matter in how you use your resources.”
The best move that the security community can make on the cyber battlefield, he said, is to work together and share information, especially with regard to recognizing cyber anomalies when they arise.
“If you want to notice possible malicious events . . . you need to first know what the normal traffic patterns and activities are,” he said. “[To do this,] we need to rely on and partner with academia, industry, and our foreign government partners and the academics and industry in those countries if we’re going to collectively find global solutions for long-term peace and prosperity.”
The ICCS opening ceremony drew a standing-room-only crowd to McNally Amphitheatre at Fordham’s Lincoln Center campus.
Photo by Chris Taggart
Following Kanuck’s keynote, Ed Stroz, GSB ’79, founder and co-president of Stroz Friedberg security consulting firm, presented “Ten Lies my CIO Told Me,” a look at the state of corporate information security. Stroz said that a company’s culture and management practices put it at risk of a security breach much more than the company’s IT department.
Stroz singled out companies that take an “ignorance is bliss” approach or a “CYA” approach (cover your posterior), or those whose organizational structure creates “tunnel vision” between various departments on what constitutes a security need.
Corporations have to “assume that your security is compromised… and that the adversary always has the advantage,” Stroz said. It is critical to operate on the defensive, measuring the risk’s likelihood, the site vulnerability, and the potential impact of a breach.
While CIOs don’t actually lie, he said, they frequently offer limited information or misinformation, such as: “If we had special technology device our security issues would disappear”; “We recently had a penetration test so we are not vulnerable”; “We don’t need policies or metrics”; “We can trust the local hires (in another country).”
“If you don’t take a risk-based approach, you are going to be hurt,” he said.
Later in the day, attendees heard from a distinguished panel moderated by Preet Bharara, U.S. Attorney for the Southern District of New York. Panelists were Michael Chertoff, chairman and co-founder of Chertoff Group and former director of Homeland Security; Kevin Mandia, CEO of Mandiant; and Joseph Demarest Jr., assistant director of the FBI’s cyber division. Read the article here on Fordham’s home page.
ICCS 2013 ran through Aug. 8. For more coverage, visit @FordhamNotes and @ICCSNY on Twitter at #ICCS, go to Fordham’s webpage, or visit Fordham’s blog, Fordham Notes.