Head: The Challenges of Cyber Security

Dek: We're losing billions and are vulnerable to 'a digital Pearl Harbor.' Experts offer their opinions on how to combat cyber threats.

"O brave new world, that has such people in't."

Neither Shakespeare, who coined the phrase in The Tempest, nor Aldous Huxley, who borrowed it for his futuristic novel, imagined hacktivists, spearphishers, or digital terrorists and organized crime lords. But cyber criminals are top of mind for CEOs of companies ranging from The New York Times to Coca-Cola. They've wreaked havoc on law firms, financial houses, universities, Internet security companies and such government agencies as the CIA, DOJ and Department of Homeland Security. They represent an international threat, originating from every nook and cranny on the map. "We are losing money, we are losing data, we are losing ideas," said FBI Director Robert Mueller in the spring of 2012. "Together we must find a way to stop the bleeding."

An expert panel sponsored by Columbia University's Richard Paul Richman Center for Business, Law, and Public Policy recently addressed "Cyber Threats and Cyber Security." What they said was both terrifying--by some accounts international businesses are losing more than $1 trillion a year to digital crimes--and oddly reassuring--diligent organizations can pull from an arsenal of both simple fixes and sophisticated analytics in the war against computer invasion.

A Four-Pronged Threat

But don't get comfortable. The panelists agreed: It's not a question of whether computers will be hacked, but when. And even with precautions, both finding the culprits and stopping the damage are problematic at best. Solving security challenges amounts to tackling what Brendan Hannigan, General Manager of IBM's Security Systems Division, calls "a complex, four-dimensional puzzle."

Problem 1: The Criminals Have Changed

To get a handle on cyber crime, the panelists said, we must understand the evolving nature of the threats. In the 1990s, cyber crime was personified by the "I love you" bug, which swept through Microsoft's system to bring down thousands of computers whose users clicked on the eponymous email. The threat was malicious and ubiquitous. But once it was identified, technicians devised a security patch to ward off similar invasions in the future.

"In the past--meaning five years ago--hackers were crafting attacks against broad targets. Their intent was notoriety," observed Hannigan, whose division consults with global organizations to install cyber defenses. Recent assaults have a more specific intent: to steal information from a particular organization, create denial of service, disrupt a business or threaten national security. Because these sophisticated attacks hide among reams of computer code, the threats often go undetected. "Our customers' biggest worry concerns attacks that they don't know about," said Hannigan. And, since they are written for a specific target, they have no common, easy fix once discovered.

Problem 2: Digital Technology Is Evolving at a Breakneck Pace

Today's criminals have multiple points of entry: Not just PCs, but also datacenters, laptops, mobile devices and the cloud. A multinational company may have tens of thousands of apps on its computers. From any of these points, malware can spread throughout a system to reach the criminal's intended target, which may be the storage bin for a company's intellectual property secrets or where customer credit card information is collated. Judith H. Germano, head of the District of New Jersey's Economic Crimes Unit, U.S. Attorney's Office, talked about "drive-by downloads": "You just have to walk by a table in a crowded restaurant and [criminals] can take info off your phone."

Problem 3: Data Is Liquid

The increase in transactional online commerce has been exponential, meaning sensitive consumer data can be gleaned from countless sources, or hackers can piggyback on legitimate interchanges. What's more, "In the past, data was structured," held in spreadsheets or locked away as official information, observed Hannigan. The rise of "unstructured" data, found in email, social media, Twitter feeds--and whatever new form of communication next crops up--has given criminals a much broader and deeper pool to fish in.

Problem 4: Connectivity Puts Us All at Risk

Hackers denied access through a company's front door have a host of back-door options: Employees, customers, outsourcers, suppliers, consultants. Beyond the company's own site, individual employees or customers may have visited any number of danger spots that let criminals in. Germano noted that attacks on small businesses (which may link to larger suppliers or customers) have more than doubled over the past year. "Companies want to be friendly, but they have to make a business decision: Are vendors' systems safe? Customers' systems?" she asked. "Hackers take the path of least resistance. Why would they blow through the wall of a safe if they can just open a window?"

Constructing a Wider Moat

Some high-tech counterweapons are available to protect against cybercrime, with more on the horizon. Hannigan talked about high-powered behavioral analytic technology that captures business processes and triggers on unusual activity, such as recurring codes or connections to unexpected sources--for example, a finance feed to a single PC in Bulgaria.

He also pointed out that large cloud services may build in more protections than small companies and individuals dealing with sensitive information can afford. "Look for external providers with expertise wrapped around applications," he advised an audience member worried about his small business's security.

But the first--and often most effective--step is vigilance. Citing a PricewaterhouseCoopers survey released last September, Germano noted that "only 8% of companies say they have an overall information security strategy plan in place." At the same time, more than 70% of respondents are confident that their security is effective. "We need to question that level of confidence," she said, going on to list several simple fixes:

  • Get the CEO involved. Rather than silo security within the IT department, an organization-wide plan needs to be led from the top to assure the attention that cyber security warrants.
  • Extend security training throughout the company. "If a company has 50,000 employees, it needs to think about data security with 50,000 people," said Germano.
  • Erect firewalls and pigeon-hole information on a "need to know" basis.
  • Beef up password protection by requiring less predictable codes and storing employee and customer information in an encrypted fashion.
  • Monitor emails. All of them.

The Legislation Conundrum(s)

In February, President Barack Obama signed an executive order that calls on government officials to create cyber risk standards. With a particular nod to private companies that control critical infrastructure, he encouraged sharing of information and private sector adoption of the standards.

But mandatory participation requires legislation since an executive order carries zero weight in the private sector. Citing last year's Congressional failure to pass laws aimed at cyber attacks, Columbia law professor Matthew Waxman is pessimistic regarding effective legislation any time soon.

In outlining obstacles to cyber laws, Waxman pointed out that some challenges are generic to all governments, such as the borderless nature of cyber attacks and the fast-evolving technology that could quickly make legislation obsolete or inadequate.

Other challenges are unique to particular countries. Concentrating on the U.S., Waxman worried that the nation's critical infrastructure, including telecommunications and utilities, is run privately. In our anti-regulatory political culture, expect "resistance to solutions labeled as regulatory," he predicted. Similarly, "Americans are especially sensitive about civil liberties and distrust giving government access to their data."

And, given the borderless features of the Internet and global reach of multinational businesses that have to deal with multiple legal regimes, any effective legislation will require international coordination. Since global interests are not necessarily aligned, Waxman expects coordination to be thorny. For example, while the U.S. wants to protect the free flow of information, other countries, including China, worry about containing political content.

The panelists feared that a digital 9/11 or Pearl Harbor is plausible, and agreed it could be the spark that leads to legislation. Yet they all suspected that laws are not the final answer--or even the first line of defense. "The borderless features of cyberspace, and the empowerment that the Internet gives individuals and non-state groups may suggest that nations are not the key actors to focus on," said Waxman.

Instead, they look for solutions in the ways the public and private sectors cooperate. Rather than more traditional regulation, said Waxman, "addressing the challenges may require some new forms of government."