Experts see ounce of prevention key to cyber cure
The increasing number of attacks on business computer networks means that organizations and government agencies should change their cybersecurity mindset to one of prevention, a panel of experts warned Thursday.
"Security is getting worse faster than it will ever be fixed," said Jeff Moss, the CEO of Black Hat, a Seattle-based cybersecurity training firm. "That fundamental view isn't going away."
But Moss and other panelists, speaking before a cybersecurity conference in Washington, noted that while there may never be a silver bullet for information security, organizations can reduce cyber risks by creating a mindset of prevention.
Security firm Riptech estimates that over the last six months, organizations have suffered from more than 180,000 cyberattacks. "The data do not speak well," Georgetown University information security professor Dorothy Denning said. But "98 percent of those attacks could have been prevented. There is a lot of room for improvement ... given the right incentives and tools."
John Frazzini a special agent with the U.S. Secret Service, described how the agency's Electronic Crimes Task Force, which focuses on cyber crimes and terrorism, is promoting prevention as a means of reducing the risks.
He compared the approach that most organizations take to cybersecurity with the government's efforts to curtail drug trafficking. Over time, Frazzini said, those efforts have shifted from enforcement to prevention in order to reduce the demand for drugs. The challenge of cybersecurity is similar, he said.
"It is really a matter of creating an environment where prevention is the hallmark of what we do," he added.
The key to prevention is monitoring change, and sharing key information, such as "best practices" in cybersecurity, said Saul Wilen, CEO of the San Antonio, Texas-based consulting firm International Horizons Unlimited. The biggest problem, he noted, is that organizations and government groups do not effectively communicate their approaches to business and security. The business plan has become isolated from the security plan, Wilen said. "It's almost like the two will never meet."
But Frazzini also suggested that domestic hackers demonstrate unpatriotic and even criminal behavior when they engage in activities that actually may be innocently intended.
"The issue of information security really can become an issue of national security ... depending on how you look at it," he said. "It's almost unpatriotic if you're in the U.S. and you're still causing damage to our networks."
Denning also said that training courses for responding to cyberattacks present a real problem by adding to the body of knowledge that could bolster hackers' skills. "It's something we absolutely have to pay attention to," he said.
But Wilen called the courses a "necessary risk." "We have more to lose by not engaging other people than by what we put on the Web," he said.