With Apple's Cloud service getting hacked, security in cyberspace has assumed sudden significance. Richard HL Marshall, the former Harvard Law graduate and a global cyber security advisor, Homeland Security to the George Bush administration, is vocal about cyber security issues — within the US and in other countries, as he feels that in an increasingly connected world, organisations should make more disclosures in case of cyber attacks. Marshall, who is currently CEO, Secure Exchange Technologies, spoke to BusinessLine about government officials who have not yet woken up to this modern day battle methodology, and the way China and Russia are unleashing cyber warfare battles across the globe. Edited excerpts:

The modus operandi of cyber criminals seems to have changed from random targeting to personalised targets. Can security keep up?

Cyber criminals have two objectives: find targets that will yield high payoff for their efforts and attack those high payoff targets that offer the least resistance. Their business model is simple: the least effort for the greatest financial gain. A company’s business methods, customer list, and many other forms of digital data are valuable to them as they can sell that data to your competitors both at home and abroad. In the last 15 years, we have witnessed a transition from mischief makers and pranksters to brigands with destructive intent to brigades of hackers working in concert for profit. Broad opportunistic, scattershot attacks designed for mischief and mayhem have been eclipsed by sophisticated attacks that are advanced, targeted, stealthy, and persistent. They include organised cyber crime entities and state-sponsored campaigns referred to as advanced persistent threat (APT) attacks. These attackers are highly motivated, well organised and unpredictable.

These new cyber attacks are not a single event. They unfold in multiple co-ordinated stages, with calculated steps to get in, establish a foothold, and survey the victim’s network and exfiltrate data.

Taking this logic further to national security, can governments keep up with this sustained attack?

For national security entities, I would say the threat is almost the same because national intelligence is so important to an enemy. The business model is to exfiltrate as much intelligence data as you can. Cost to attack is rarely a consideration because the intelligence data is so valuable to your enemy. There are cyber criminals who hack for hire on behalf of nation states.

Russia frequently uses this technique. Similarly, China uses an army of cyber attackers, who when confronted deny wrongdoing. Upon explaining how a compromised nation got to know of it, they make sure that they do not follow that method again (to avoid detection).

Are government departments doing enough to protect from cyber attacks?

When it comes to protecting sensitive intelligence, the Indian government is not doing enough.

The biggest challenge is that senior officials do not understand the seriousness of the threat or accept the reality of the threat actors. Governments can rectify this by doing the simple things properly. Implement aggressive threat awareness programs for everyone who uses a computer. Keep your systems current through enforced patch management programs, install and use the newest versions of malware detection programmes. Doing these basic things itself will go a long way.

In many cases companies do not come forward to report cyber crime fearing that it would damage their reputation. Do you think regulations need to be in place so that there are sufficient disclosures?

Most countries now have imposed regulations that require disclosure. I strongly recommend that like organisations such as the financial services sector share the details of such attacks with their colleagues so that their overall security stance can be improved.

This works very well with the US Financial Services Information Sharing and Analysis Centers. At the end of the day, if there is a touch point with a large number of people, then companies should make disclosures.
