Hacker organizations like Anonymous and LulzSec are waging a worldwide cyberwar. These new combatants are highly sophisticated and have emerged as a true threat so quickly that it is understandable why many organizations remain vulnerable.
But according to a new report from Chatham House, the UK’s critical infrastructure providers actually do understand the gravity of the threat and are very concerned about what it means for their operations — they just have chosen to do little about it.
“Many of the organizations surveyed in the course of this project have developed an attitude to cyber security that is fundamentally contradictory. In most cases, they declared themselves to be aware of cyber security threats. Yet these same organizations were willing, for a variety of resource and other reasons, to accept an unexpectedly high level of risk in this area. In several cases it was even decided that cyber risk should be managed at arm’s length from the executive authority and responsibility of the board and senior management. Paradoxically, therefore, in these organizations a heightened perception of cyber security risk is being met with diminished resources and interest.”
It gets worse.
While the weak response by critical infrastructure providers is clearly presenting a risk to national security in the United Kingdom, governments aren’t helping. Those who should be leading the charge on raising security aren’t doing enough to help those they serve keep up with the threat, say the providers.
There was a perception among those interviewed for the study (who include 100 large businesses and banks) that “the national response mechanism is for the most part fractured and incoherent” and that there is “little sense either of governmental vision and leadership, or of responsibility and engagement” with critical infrastructure providers. Those providers also note that better information sharing could help them considerably in preparing their defenses, but so far the UK government is “more willing to solicit information than to divulge it.”
Of course, the responsibility to mitigate this threat is not solely a public responsibility. These companies must take it upon themselves to safeguard their own operations. As the report notes, however, “this will only be achieved to the extent that board members are themselves more aware of the opportunities and threats presented by cyberspace.”
It must start at the top.
But unbelievably, the report notes that some companies have “deliberately pushed [the threat] below the boardroom level in order to remove a complex and baffling problem from sight.”
To be fair, some organizations are responding better than others. But they are the exception, not the rule. “The results were varied,” said study co-author Dave Clemente on a Chatham House podcast. “Some organizations have a fairly nuanced view of cybersecurity — it comes up on their board agendas on a regular basis. And others don’t. Others respond only when something unpleasant happens to them or a competitor, and then they have to do something very quickly. Something must be done. Money is thrown at the problem. And often it produces an over-reaction [that’s] not very well thought-through.”
In talking about the risk to infrastructure providers, Clemente highlighted the cyberattack that Anonymous launched against Sony, shutting down its popular online video game platform, the PlayStation Network, for more than weeks and exposing the personal info of tens of millions of users.
The company was criticized for having outdated security software that did not adequately protect the PSN from hackers when they broke in. Security experts knew Sony was running outdated versions of the Apache Web server software that did not have a firewall installed. The company said hackers were able to breach the PSN and steal sensitive data while the company was fending off denial of service attacks from Anonymous, an online hacker group that typically takes up politically charged causes.
Hackers also hit a number of other high-profile companies like defense contractor Lockheed Martin and Bethesda Softworks, another game publisher. The number of hacking attacks has given network providers like Sony a new set of challenges when building security for company networks.
Clemente says that the hacker intrusion cost Sony $171 million.
That’s a large sum that should help any large company take notice. But he also notes that these types of cyber threats are “substantial in a monetary sense but there’s also reputational damage as well.”
Incidentally, Tim Schaaff, a top Sony executive, told GamesBeat that the attack was a “great experience, really good time … Though I wouldn’t like to do it again.”
At first blush, that seems like a ridiculous position. But perhaps we can all learn a little bit from the PlayStation Network breach. Take this quote from Schaaff that further elaborates on his view.
“A determined hacker will get you, the question is how you build your life so you’re able to cope with those things,” he said.
Of course prevention and fool-proof network security is the ultimate goal. But it is increasingly hard to achieve. As the Chatham study shows, the leap forward in sophistication of today’s hackers means that most companies are now playing catch-up — both technologically and in terms of understanding the nature of the threat.
In the interim, many companies can and will be hit.
Know that. And start game-planning a response. Perhaps going forward, conducting emergency, tabletop drills for cyberdisasters will be as beneficial in preparing for the real thing as emergency drills for natural disasters are today.
Companies that have money and reputations to lose would be silly not to be developing strategies to respond to this threat. And those organizations tasked with providing the nation with critical infrastructure? Well, if they do not improve their defenses soon, “silly” will start looking a lot more like “negligent.”
(For more on cyberthreat whos, whats, whens, wheres, whys and hows, stay tuned for our upcoming October issue of Risk Management magazine. We have an 8-page feature detailing the nature of the threat — and ways to combat it.)