“Two critical pieces of the NIST framework are [to] detect malicious activity and respond to malicious activity,” Richard A. Clarke said at the 2014 RSA Conference held in San Francisco.
The former National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the United States went on to say, “Many enterprises will now be liable to shareholder lawsuits,” if the are breached, while failing to comply with NIST standards, according to a cybersecurity expert who attended the summit.
“If you haven’t seen the NIST framework, you need to read it,” Clarke said. “If you think it’s too complicated and you don’t need to familiarize yourself with it, you are wrong. This framework has implications for you and your company.”
The recently discovered Heartbleed bug, which is a backdoor flaw in the OpenSSL cryptographic software library, amplifies the urgency of Richard Clarke’s words. We are all vulnerable, consumers and businesses alike.
The increasing frequency and sophistication of cyber attacks is straining enterprise resources, forcing businesses to refocus on the high-impact threats with enterprise risk implications. The recently published NIST Framework is a modest beginning to encourage better IT hygiene, while promoting information sharing between industry and government.
Cybersecurity as an Enterprise Priority
The prospects of real cybersecurity legislation still need to be fleshed out more, especially with the likes of the Heartbleed bug being so widespread and pervasive. Still, there are some old tools that can be retasked to address the legal consequences of cyberterrorism.
Most attacks can be managed by cybersecurity awareness, compliance, and best practices —responsible IT hygiene. That accounts for 80 percent of the breaches. But Advanced Persistent Threats (APT), perpetrated by nation states and criminal organizations, exploit energy, financial, transportation, healthcare and national defense systems. They cannot be handled easily or their consequences contained. They come from well trained, financed, highly motivated adversaries. Worse, most of the tools hackers use are available online.
Heartbleed was a simple exploit, a code written by a German programmer, who has since expressed regret, but noted the error itself was “quite trivial.”
Imagine if he was a state-sponsored hacker bent on afflicting as much damage as possible or using such vulnerabilities as ransomware to extort money like a pirate. This poses unique risk with financial and intellectual property losses, the sentiment of public and shareholder confidence, while presenting significant legal exposure.
What can industry and government do?
Government leaders and pioneering companies have rediscovered old solutions that hold promise in managing cyber risk.
One tool is the 12-year-old SAFETY Act that designates and certifies Qualified Anti-Terrorism Technologies (QATT). That can reduce the exposure to legal liabilities. Few know about it. Why? Corporations originally adopted the SAFETY Act for protection against nuclear or chemical attacks, but a couple of pioneering companies have applied it to cyberspace, where the new wars are being fought.
Under the Department of Homeland Security’s Science and Technology Directorate, the SAFETY Act’s mission is to “support anti-terrorism technologies by fostering the Effective Technologies Act of 2002.” Born out of 9/11, it offers a clear path for enterprises to contain legal risk with the financial and reputation costs they incur.
Retasking Old Tools for Cybersecurity
One such thought leader is Direct Computer Resources, Inc. (DCR), based in New Jersey.
DCR was one of the early adopters of the SAFETY Act for Information Privacy technology. During the late 1970s, DCR defined the application development testing market with its obfuscation software, DataVantageGlobal®.
“We see new interest in protecting vulnerable information when we describe the legal protections available by using our SAFETY Act, QATT designated technology,” said Joe Buonomo, CEO of DCR.
Products need to protect the enterprise, third parties, and client data during vulnerable transition operations. That includes testing new software, combining dissimilar systems during M&A activity, and the migration of cloud and big data implementations.
Organizations adopt the cloud to realize significant cost savings, both in the ownership of data center assets and the labor associated with operation and maintenance. Some enterprises have been uncertain by the cloud’s security and reliability, since the IT space is shared with myriad anonymous users.
The most immediate vulnerability in cloud adoption is transition. The porting and testing databases from one implementation to another, third parties managing transfers, and the personnel and operating procedures for testing and verifying numerous situations where information assets may be leaked or altered. SAFETY Act protections can mitigate some of that risk if used properly.
DHS Weighs In
According to Bruce Davidson, Director of the Office of SAFETY Act Implementation (OSAI), Science and Technology, Department of Homeland Security (DHS), “In the aftermath of the 9/11 attacks, the private sector expressed considerable reluctance to deploy security technologies in civilian settings due to concerns over potential liability risks in the event those deployments were impacted by an act of terrorism. As the private sector owns and operates most of the nation’s critical infrastructure and key resources, this reluctance created the potential for under-investment in necessary security technologies and capabilities. As the Safety Act and the implementing regulations focus on the importance of incentivizing the deployment of effective anti-terrorism technologies, the (DHS) has taken special care to implement the Program in a balanced, merit-based manner.”
Industry and government are striving to contain financial consequences with insurance and reserves. They can handle reputation risk with prudent disclosures and a public relations cyber response plan.
Why not leverage QATT solutions and deploy the coverage of the SAFETY Act?
Enterprises need to “think differently” about cyber risk. Sure keeping the status quo is a choice. But as Richard Clarke stated at the cybersecurity summit, the legal consequences following the reputation dent of a data breach might be too much to bear.
Why invite that outcome?