RSA’s Art Coviello praises UK at briefing on e-crime
Cyber security has long been a priority for CIOs, CTOs, and others working in technology. But following a number of high-profile attacks, and as IT becomes increasingly integral to everyday life, cyber is becoming a mainstream issue of concern, not just across the whole of the C-suite, but also among policy makers and wider society. New research released by the UK government last week found that 87% of small firms and 93% of large enterprises had experienced security breaches last year, with some attacks causing more than £1 million of damage.
Like many other countries, the UK has responded to the increasing cyber threat by developing a comprehensive national cyber security policy programme. The £650 million, 4-year agenda includes actions to strengthen Britain’s cyber intelligence, defensive, and offensive capabilities; boost skills; and increase resilience in the private sector.
Given this level of activity and investment, British Members of Parliament have been keen to scrutinise the government’s actions, and seek expert views on the progress the UK is making compared to that in other countries. As part of this, members of the House of Commons Home Affairs Select Committee have been holding a number of hearings on Britain’s response to the cyber crime threat. Last week the MPs invited RSA’s Executive Chairman Art Coviello to share his 30+ years of experience at the forefront of the security industry as part of a panel of leading private sector representatives.
Among the many interesting issues discussed during the hour-long session, the committee chair Rt Hon Keith Vaz MP began by asking Art whether the “war” against online criminals was being won or lost. Art responded:
I do not think the war has been lost, but we are not winning it either…obviously, we have to keep in mind the threat environment—but what people sometimes overlook is what I call the expansion of the attack surface. We have now developed so many web applications, we have so many remote access devices, mobile devices, we have so many points of entry into our enterprise, and now we are starting to outsource a lot of our infrastructure and applications to the cloud, that we have expanded the attack surface and made it literally easier for the attackers to take advantage of us. But having said that, I am a technologist, so I am an optimist, and I believe we can win the war, but we are not winning it yet.
The importance of information sharing to combating the cyber threat arose during an exchange between Art and committee member Nicola Blackwood MP on the new Cyber Security Information Sharing Partnership that the government had created to provide a trusted environment for companies and other organisations to gather and share cyber threat information:
Nicola Blackwood: Why do you think [The Cyber Security Information Partnership] will be helpful?
Art Coviello: Because any opportunity [to] timely share information about attacks, as long as you disseminate the information broadly… means that all potentially affected companies can be on the lookout for a similar-type attack, whether it is the IP addresses from which the attack has been launched or the particular malware itself.
Another vital element, Art added, was to adopt an advanced security approach in today’s hyper-extended, “bring your own device” world in which traditional, perimeter defence products like anti-virus and firewalls were becoming less and less effective:
In an age where the attack surface has broadened… in an age where there is no discernible perimeter, perimeter-oriented defences are less and less effective. So, the game shifts from outright prevention of breaches to early detection and response to breaches. The model that we advocate is one where you have technology that can detect these breaches in a far more timely fashion. To do that, you have to have a lot of data. You have to be able to see the faint signal from the attacker that anomalous behaviour or an anomalous flow or use of data is occurring. To do that requires a substantial capability to correlate and analyse vast streams of data at very fast speeds.
Art concluded by praising the UK government’s cyber security policies, in particular around information sharing and working with the private sector, comparing them favourably with the situation in the United States:
In the US we have been talking about public/private partnerships since 2003, and we have got nowhere. Quite frankly, it is an extreme frustration… in general the outline of [the UK] strategy is far more coherent than anything that is being done in the US… you are [also] on the right track around information sharing. Unfortunately, in the US we have not been able to get a Bill passed to facilitate information sharing, which to me is quite a pity…. [in a world where] breaches are probable, if not inevitable, then having intelligence sooner as opposed to later is fundamental to building out a new model of security so that we can shrink the window of vulnerability from all attacks.
MPs on the Home Affairs Select Committee last week heard that the UK government is pursuing a very active and comprehensive agenda to boost the nation’s cyber defences. Although it is still early days, good progress is being made, and RSA will continue to share its knowledge and expertise to support this important work.