There was a great deal of anticipation about President Obama’s participation in the recent conference on cybersecurity at Stanford University, in the heart of Silicon Valley, where he met with high-tech company executives last week.
It wasn’t a shocking surprise, however, that the Government’s proposal, to be enshrined into a Presidential Order, in reality only boils down to a call for sharing misery tales between the Government and private companies. Once the political rhetoric is stripped away this approach doesn’t offer any improvement in cyber security. The reality is that hacks are usually discovered months or even years after the fact, when all the damage has already been done. That’s assuming the hack is even detected in the first place.
It’s not the best kept secret in town that most hacks, and certainly the most dangerous ones, are rarely or never detected, or only long after the fact. A great example is the recently announced international multi-bank hack that netted somewhere between $300 million and $1 billion to the unknown attackers. See http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?emc=edit_th_20150215&nl=todaysheadlines&nlid=58721173&_r=0
The vagueness in the loss assessment speaks very loudly to how little the cyber security experts involved know about the hack even now. And, of course, they haven’t a clue as to who did it. Not to mention that it took them two years to discover the loss.
On the more optimistic side there is a rising public awareness of the problem that sooner or later will lead to a public demand for the development of a true cyber security technology. Unfortunately, this is unlikely before the pain from cyber attacks becomes really intolerable, probably as a result of a massive loss of human life.
Tag Archives: cyber misery
Cybersecurity: 3% misery
Whenever we make a journey, physical or otherwise, it’s important to understand where we are before we decide what direction to take. Otherwise we’ll get nowhere. This is as true as ever in cybersecurity.
Russian cybersecurity portal cybersecurity.ru, citing security research company Group-IB, recently stated that only 3% of cyberattacks are detected and countered by bank IT experts. This conclusion notably relates to institutions that boast superior protection against cyber attacks. Mere mortals are obviously less successful.
That 3% is a significant drop from the 10% average attack detection reported by a similar British study a decade ago. More important, this is startling evidence of our deepening cyber security misery. What’s really vital here is for us to recognize the reality. And that reality is frightening. All these almost daily proud statements of detected “sophisticated cyber attacks,” usually followed by bravado announcements that the attack has been defeated and from now on the particular company is reliably protected, are nothing but wishful thinking.
Even if these optimistic announcements were true, the reality is that they’re based on just 3% of cyber attacks. Furthermore, these 3% represent the least sophisticated, often clumsy attacks, while the better than 97% of the attacks go undetected — and we have no idea what they are, nor what we lost in those attacks.
Until we acknowledge the reality of where we actually are in cybersecurity, we’re getting nowhere, faster and faster.