Thousands of times each day, government and private sector information systems across the United States are probed and hacked by terrorist groups, criminals, foreign government organizations or individuals with malicious intent. These cyber attackers are able to steal sensitive information, impacting the lives of many and the reputation, security and operational capabilities of the organization whose data has been stolen. Each day it seems we learn of another breach at a retail outlet, bank, healthcare facility or government agency—each day it seems we learn that our financial or even physical security may be threatened by these cyber attacks. Each day it seems we wring our hands seeking solutions to a situation that some call the most significant threat to our national, economic and individual security.
Amazingly, there are still business executives and government officials who are seemingly unaware or unconcerned about this growing threat. They question whether it is something that requires their attention. For those whose credit cards, credit history or bank accounts have been hacked, the threat is very real. For those companies whose trade secrets have been stolen and their brand compromised, the threat is real. For those in the federal government whose job it is to protect this nation, the threat is real. Yet, for most of the general public and many corporate officials there is a lack of awareness—or worse, lack of concern, regarding this growing problem.
We truly have entered the digital age, and the physical and cyber worlds have become inextricably interlinked. Our security, economic competitiveness and financial integrity rely on our being able to embrace cutting edge communication and information sharing technologies, accessing and sharing tremendous amounts of information more rapidly and with more people then ever before. Social media, the Internet, wireless broadband, have improved our ability to bank, shop, communicate and compete. Yet at the same time these same tools have placed at risk our ability to safeguard our most sensitive information.
For the corporate CEO the fact that their corporate information system is at risk should be a top concern. Theft of trade secrets and other data can impact the company’s ability to compete and result in massive costs as the company seeks to address the damage incurred through a data breach. A major breach will hurt a company’s brand by creating fear among its customers, partners and vendors, damaging the company’s reputation and customer loyalty, adversely impacting revenue.
Take the experience late last year of the retail giant Target. Russian hackers accessed the company’s Point-of-Sale system, acquiring almost 100 million customers’ credit/debit card numbers, names and addresses. That is almost one-third of the U.S. population effected. The breach eventually led to the company’s CEO resigning in May, by which point the company’s stock was down 15 percent year-over-year.
Also in May, the U.S. government indicted five members of the Chinese military, charging them with hacking into the computer systems of five well-known American companies in an attempt to steal trade secrets.
Then just last month, on July 24, the European Central Bank announced it had been hacked, losing unencrypted customer email addresses, street addresses and phone numbers.
The Intelligence Community, Federal Bureau of Investigation and Department of Homeland Security all expect these types of attacks to continue. And while some corporate boards of directors are requiring companies to place cyber security at the top of the priority list, it is more often the case that most businesses are either ill-prepared or under-protected to deal with this risk. Our inadequate efforts to protect our networked nation was highlighted on Tuesday, July 22, when the original 9/11 Commission members released a new paper: “Reflections on the Tenth Anniversary of the 9/11 Commission Report.” Within that document, under the heading “Cyber readiness lags far behind the threat,” Commission members summarized our national vulnerability in stark language: “The senior leaders with whom we spoke are uniformly alarmed by the cyber threat to the country.” One former agency head said, “We are at September 10th levels in terms of cyber preparedness.” American companies’ most-sensitive patented technologies and intellectual property, U.S. universities’ research and development, and the nation’s defense capabilities and critical infrastructure, are all under cyber-attack. Former National Security Agency Director General Keith Alexander has described the ongoing cyber theft of American intellectual property as “The greatest transfer of wealth in history.” One lesson of the 9/11 story is that, as a nation, Americans did not awaken to the gravity of the terrorist threat until it was too late. History may be repeating itself in the cyber realm.
We need to ramp up our efforts to protect government and private sector information systems and not rely on security concepts that are out of date. Some believe that if they have robust anti-virus software and a strong firewall they are safe. That just isn’t the case. It takes more than a high wall around your system to protect it. We have learned the hard way that cyber-attackers are committed, competent, and often well resourced. The fact is they will find a way to breach the wall around a network. As numerous headlines have made clear, firewalls and other security approaches that rely on preventing access to a system by an intruder can and will fail leaving open access to the information contained within.
So what do we do?
Government and corporate entities must consider a holistic approach to cyber security, an approach that focuses on both preventing inappropriate access and protecting the data contained within. As in the physical world, security in the cyber world requires a “layered approach”, and those layers must start at the very endpoints on which the organization’s valuable data is created, stored and used. Data protection must take place at the device level, on each and every device used by employees to perform their work.
When it comes to securing vital data there is no room to compromise. While organizations spend billions of dollars annually setting up firewalls and other security measures to protect their networks from outside forces, all those efforts are for naught if sensitive data is stored and transmitted in an unprotected or under-protected manner.
Network security should focus on protecting the data itself—if possible at the device level—as soon as it’s created, and keep it protected over the course of its entire lifecycle. Encryption combined with digital rights management (DRM) has proven successful at ensuring only authorized users are able to read protected data. Encrypted information remains secure as it rests on devices and servers, and as it travels from one point to another along any transmission medium. Should a firewall be compromised, encrypted data remains useless to all but those authorized to view it. Working in concert with encryption is DRM, which allows the creator of materials (documents, presentations, etc.) to protect those by restricting how others may interact with them. For example, when DRM is used, materials may be viewed but not sent to any other recipients, or printing of the protected materials may be prohibited. There are many ways DRM allows for the control of protected materials.
The optimal encryption solution will also support the most popular operating systems and devices used by professionals today. The solution should be transparent to the user, requiring no arduous procedures for encrypting data, and it must make use of proven encryption algorithms.
Hackers have raised the stakes and we must respond. Our critical infrastructure, as well as the proprietary work of our government and private sector, is under constant attack. This threat level requires a more sophisticated and comprehensive approach to protecting valuable information. That starts by encrypting data at the device level, and ensuring data is protected throughout its lifecycle, both inside and outside the firewall.
John D. Cohen is the chief strategy advisor for Encryptics. He is a former Acting Under Secretary and Counter Terrorism Coordinator at the Department of Homeland Security.
