The Next Grave Threat: Cybersecurity
Former FBI Director Mueller puts cybersecurity on par with terrorism as a top threat.
Robert S. Mueller III had been director of the FBI for only a week when the Sept. 11 attacks occurred. The event prompted a major shift in the bureau’s focus. President George W. Bush asked Mueller not only to find out who perpetrated the crimes, but also to prevent future terrorist attacks.
“We were not used to answering that question of, ‘What are you doing to prevent the next terrorist attack?’” Mueller said earlier this year in a keynote speech to IT leaders at CDW’s Managing Risk Summit in Washington, D.C. It prompted three changes at the bureau.
The first was to reprioritize the FBI’s work. Counterterrorism took precedence over traditional FBI priorities such as investigating white-collar and organized crime. But, Mueller added, “We also knew very shortly after Sept. 11 that cyber was going to be the next threat on the block.”
In fact, terrorism and cyber can be intertwined, he explained. “What has not happened, knock on wood, is the ability to organize a group of people and undertake a complicated, large-scale attack on the financial structure or the infrastructure, electrical grid or what have you in the United States,” he said. “But it’s just a matter of time.”
The second change was to train agents — and hire new ones with the right skills — to start thinking like intelligence officers. Putting together pieces to uncover and thwart a terrorist plot is different from gathering evidence to prosecute a bank robber.
Finally, the agency had to learn to partner with other organizations. “It was absolutely essential that we break down those walls, those barriers, and begin to cooperate,” Mueller stressed. “I do not believe that we can confront and take care of cyber without the relationship of government services working closely with the private sector.”
That cooperation between the public and private sectors is an essential part of defense efforts to protect against cybersecurity threats that have evolved into a big business in their own right. It helps each side uncover strategies and tactics that can limit the effectiveness of cybercriminals.
Leading the Battle
A critical lesson Robert S. Mueller III learned as director of the FBI is the importance of building a strong infrastructure. Legacy systems, he said, can serve as a gateway for intruders.
“When I came on board, our IT was a mess,” he recalled. The bureau had a contract to replace its aging infrastructure, and the hardware portion of the project went smoothly. Implementing a new software package to handle the agency’s data, however, was disastrous, Mueller said.
The problem was that he delegated the technology projects to the bureau’s CIO without taking a leadership role. “The lesson, to me, was when it comes to IT and you’re running an organization,” he said, “you’d better ask the hard questions, and they’d better come from the top.”
Leaders also need trusted deputies to advise them, Mueller said. He met at least quarterly with the FBI’s CISO to discuss incursions into the bureau’s networks and the need to prevent hacks.
But, he added, “You can’t delegate protecting your institution from hackers. You have to be engaged yourself.”
Building a Public-Private Cyberdefense
In November 2014, Sony Pictures Entertainment was the victim of a massive cyberattack, purportedly by the North Korean government in retaliation for the film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong Un.
It was the first time the military, law enforcement and the national security apparatus came together in the White House to address a cybercrime committed by a foreign actor against a corporation operating in the U.S., Mueller said. It illustrated the need to pull together partnerships between the public and private sectors.
Some industry leaders have worried that getting involved with the FBI would be an intrusive process for their organizations, but such relationships can be mutually beneficial, Mueller said.
The FBI operates 56 field offices across the country, each with a cybersquad responsible for developing relationships with business leaders in their territories. Because critical infrastructure and financial organizations are the most likely targets of terrorist attacks, the field offices focus on these industries.
Establishing contacts between business and law enforcement ensures that organizations know whom to go to in the FBI, and vice versa. It also gives the FBI a head start in understanding organizations’ networks and business architectures. “We have to work with you if we’re to get that information and protect you,” Mueller said.
Weapons in the War on Cybercrime
Cybercrime is big business. A 2014 Rand study posits that cybercrime revenues outpaced the illegal drug trade, and a report from Juniper Research predicts that cybercrime will cost businesses more than $2 trillion by 2019. Michael Viscuso, co-founder and chief technology officer of endpoint security firm Carbon Black, hypothesizes that there may be as many as 1.4 million people involved in cybercrime.
“This, in fact, is more than just a business,” Viscuso says. “It’s an economy.”
James Lyne, global head of security research at technology company Sophos, agrees that cybercrime is a sophisticated, organized business. “They have usable web pages, e-learning courses, documentation,” he says.
Just like any industry, cybercrime is fueled by economics. Perpetrators look at the benefits of committing crimes and the potential cost of getting caught. If they can gain access to a victim’s online accounts by using a phishing scam, “all for the cost of a Big Mac,” the cost-benefit analysis makes sense, says Viscuso.
Organizations, however, can help hamper cybercriminals by making architectural changes to their infrastructures, he adds. These efforts can disrupt the cybereconomy by decreasing revenues and increasing costs.
Viscuso cites the credit card industry as an example of how organizations can implement such measures effectively. Card issuers moved from fraud detection tools that merely scanned for suspicious transactions to systems that spot anomalous spending and alert customers, but they didn't stop there. They also triangulated where the compromised cards had all been used (the common point of purchase) and proactively reissued cards to every other customer who had shopped there, cutting off fraud before it happened. The result was a collapse in the price of a stolen card number, from about $300 in 2007 to about $5 in 2015, reflecting how little value such a card now has for cybercriminals.
Similarly, traditional scan-based anti-virus software has given way to more real-time, proactive solutions that combine prevention, detection and response to get ahead of the next wave of attacks, Viscuso says.
Cybercrime cuts across almost all of the FBI's work, said former director Robert S. Mueller III. But five threat areas guide the bureau's cyberefforts. They are:
- Protecting democracy from those who want to undercut it in the U.S. or Europe. “What the Russians are doing is a huge threat,” said Mueller, adding that such cyberthreats to democracy are, in a sense, “more devastating than terrorist attacks — the one-offs that you currently have in the United States.”
- Guarding against insider threats, such as National Security Agency leaker Edward Snowden or documents published by WikiLeaks.
- Addressing wiper malware, which destroyed data on a huge number of servers and drives in the 2014 Sony hack.
- Reducing the impact of ransomware. “We have not seen the last of that,” said Mueller.
- Identifying and preventing acts of terrorism.
A Focused Defense
Mueller also spoke of the need for businesses to protect their “crown jewels” — their most valuable and sensitive data — as opposed to focusing solely on perimeter defense.
Sadik Al-Abdulla, director of security solutions at CDW, stresses the need to segment networks to keep intruders from escalating attacks. This approach can reduce the damage that cybercriminals do, even if they succeed in breaching an organization’s perimeter defenses. Unfortunately, Al-Abdulla says, very few organizations — less than half of a percent of the thousands of networks on which his team has conducted security assessments — have implemented effective segmentation techniques.
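Effective segmentation means more than drawing VLANs: each zone-to-zone flow needs an explicit allow rule, everything else is denied, and the policy is actually checked against what the network carries. The following is an added example for this article, not CDW's tooling or anything from the assessments Al-Abdulla describes. The zones, ports, allow list and flow-log lines are all constructed to illustrate the idea; it audits sample flows against a default-deny segmentation policy and surfaces the lateral moves (workstation to database, workstation to workstation on SMB, web tier into the management network) that a flat network would silently permit.

```python
import ipaddress
from collections import namedtuple

# Hypothetical zones (constructed; not any real network).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web":          ipaddress.ip_network("10.20.0.0/24"),
    "db":           ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":         ipaddress.ip_network("10.99.0.0/24"),
}

# Default-deny allow list: (source zone, destination zone) -> permitted TCP
# destination ports. Any pair not listed, including traffic between two
# hosts in the same zone, is a policy violation.
ALLOWED = {
    ("workstations", "web"):  {443},
    ("web", "db"):            {5432},
    ("mgmt", "web"):          {22},
    ("mgmt", "db"):           {22, 5432},
    ("mgmt", "workstations"): {3389},
}

Flow = namedtuple("Flow", "src dst port")

# Constructed flow records in a simple key=value format (not a real export).
SAMPLE_LOG = [
    "src=10.10.4.7 dst=10.20.0.10 dport=443 proto=tcp",
    "src=10.10.4.7 dst=10.30.0.5 dport=5432 proto=tcp",
    "src=10.10.4.7 dst=10.10.9.2 dport=445 proto=tcp",
    "src=10.20.0.10 dst=10.30.0.5 dport=5432 proto=tcp",
    "src=10.20.0.10 dst=10.99.0.3 dport=22 proto=tcp",
    "src=10.99.0.3 dst=10.30.0.5 dport=22 proto=tcp",
]


def zone_of(ip):
    """Name the zone an address belongs to, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one 'key=value ...' flow record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def is_permitted(flow, allowed=ALLOWED):
    """A flow is permitted only if its zone pair has the port on its allow list."""
    pair = (zone_of(flow.src), zone_of(flow.dst))
    return flow.port in allowed.get(pair, set())


def audit(lines, allowed=ALLOWED):
    """Return (src_zone, dst_zone, port) for every flow the policy forbids."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        if not is_permitted(f, allowed):
            violations.append((zone_of(f.src), zone_of(f.dst), f.port))
    return violations


def reachable_pairs(zones=ZONES, allowed=ALLOWED):
    """How many ordered zone pairs can talk at all, out of all possible pairs.
    A flat network scores n*(n-1) of n*(n-1); tighter is better."""
    pairs = [(s, d) for s in zones for d in zones if s != d]
    open_pairs = sum(1 for p in pairs if allowed.get(p))
    return open_pairs, len(pairs)


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("VIOLATION", v)
    print("reachable zone pairs:", reachable_pairs())
```

The three violations the audit reports are exactly the moves an intruder who has landed on a workstation needs for escalation: a direct hop to the database, SMB to a neighbouring workstation, and SSH from the web tier into management. On a live network the same check would be run against flow exports or firewall hit counters, and any rule that is never hit is a candidate for removal, which is how the allow list stays small enough to reason about.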
“If you accept that breach is inevitable, all of the priorities change,” Al-Abdulla says. “You start moving from identify to detect, to respond, recover, and then play that out across networks, data and devices.”
Another critical step to effective defense is to practice good patch discipline. IT teams must keep their systems current on security patches so that known vulnerabilities, the entry points attackers look for first, are closed before they can be exploited. For many organizations, this is a major challenge.
“Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” Al-Abdulla says.
Mueller predicted that hackers will continue to develop effective tools, citing ransomware as an example of this evolution. He added that industry and government can find solutions to those threats by learning from one another.
“I’m pretty optimistic,” he said. “I think, as a country, we will come up with a fix.”