Does President Obama's Bid to Bolster Cyber Security Go Far Enough?
Executives from IBM, Intel, Tanium, Exabeam, and FireEye offer their thoughts on President Obama's bid to bolster cyber security efforts.
This story originally appeared on Fortune Magazine
Last night, between highlighting Iran's reduced stockpile of nuclear material and the Ebola outbreak in West Africa, U.S. president Barack Obama briefly touched on another threat: hackers.
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids," Obama said during his annual State of the Union address. But as the recent Sony Pictures breach–and countless other high-profile cyber attacks–have shown, hackers have proven quite capable of shutting down our networks. That's why the President also took the opportunity to urge Congress to finally pass cyber security reforms, including legislation that would increase information sharing among private companies and the government, introduce new penalties for cyber criminals and streamline data breach notification laws, requiring companies to notify affected consumers within 30 days of an attack.
Reactions to the President's bid to pass these reforms erupted on the Internet (and my inbox) even before last night's address. The cyber security industry in particular had a lot to say. (Keep in mind that, according to research firm Gartner, information security spending will grow over 8% in 2015, reaching $76.9 billion—meaning that these are the very companies who have a lot to gain from the surge of cyber attacks.) While many agreed that the proposals would be a positive step if they were to pass, some argued that the government's efforts are too little, too late and mostly focus on what happens after a breach has already taken place, rather than how to prevent them.
To find out more about the cyber security industry's reaction to the President's address, I reached out to a handful of executives, some from Fortune 500 companies such as IBM and Intel to newer security startups—and there are a lot of them—such as Tanium and Exabeam. Here is an edited version of what they said.
Kris Lovejoy, general manager, IBM's security services division:
We need to remember that cyber criminal networks today operate like hyper-efficient businesses, sharing information, collaborating and adapting quickly when they're foiled. In fact in 2013, the United Nations reported that 80% of cyber attacks originated from these highly sophisticated and connected criminals. To combat cyber crime, businesses and governments must improve our strategy around cyber threat information-sharing and collaborative communication, replicating the effective tactics of these highly organized cyber criminals.
The more information we have about cyber crime technologies, the better we'll be able to understand how hackers operate and what behaviors to look for. For businesses, having this external data coupled with their own internal data allows them to layer analytics in to everything while ensuring proper privacy safeguards. A quick analysis of recent breaches would show that better controls might have prevented them; modern analytics certainly would have detected them and prevented extensive damage. The results though will only be as effective as the threat data we're able to feed into these systems.
Chad Fulgham, chief strategy officer, Tanium (and former CIO of the FBI):
The President's proposed cyber security legislation is noble in its attempts; however it is primarily focused on helping people and companies after an attack has already occurred. Retroactive, defense-minded strategies do not address the questions plaguing companies today: "When will I be hacked?" and, "Can I do something about it?"
It's unfortunate that it took a string of high-profile breaches to put security front and center. The truth is these attacks happen all the time and they will continue. While you cannot stop the attacks from happening, you can do something about it. You must be able to access to real-time data about what's happening in your organization, how information flows and where vulnerabilities exist. With knowledge there is great power and I believe that there's reason to be optimistic. We need to move forward together sharing data and information as one global entity to help more people and companies around the world avoid being victims of senseless cyber security attacks.
Chris Young, SVP and GM, Intel's security group:
The President is showing good leadership on cyber security by proposing new policies to enhance information sharing and increase support for law enforcement to apprehend international cyber criminals. We commend the President for recognizing the importance of enhancing information sharing between the government and the private sector. We have much more to do collectively to deliver the best possible solutions for cyber security, but these steps are encouraging and setting us in the right direction.
Nir Polak, CEO and co-founder, Exabeam:
The President went for a moon-shot on cyber security in the State of the Union address, and while his proposed legislation providing liability protections for businesses that report hacking incidents to the federal government and support information sharing is a step in the right direction, it focuses too much on what happens after an attack. For businesses to push back on identity theft, it will require the adoption of new user identity and behavior based detection strategies and technologies that enterprise security teams can build more efficient processes around. "If we don't act, we'll leave our nation and our economy vulnerable…" should be seen a direct shout out to critical infrastructure companies that they need to move faster in protecting user accounts, creating cyber security employee training for staff, and employing solutions that can quickly detect and prevent account takeovers.
Dave DeWalt, CEO, FireEye:
Sharing real-time threat intelligence and indicators of compromise–both between the private sector and the government and among the private sector–is a critical component of a pro-active security strategy. The timely sharing of threat intelligence improves detection and prevention capabilities and provides organizations with the ability to mitigate and minimize the adverse consequences of a breach. Sharing also provides enhanced situational awareness for the community at large.
FireEye research demonstrates that over 70% of malware is highly targeted and used only once. To better manage risk stemming from this continuously evolving threat environment, FireEye recommends that organizations conduct robust compromise risk assessments, adopt behavioral based tools and techniques such as detonation chambers, actively monitor their networks for advanced cyber threats, stand ready to rapidly respond in the event of a breach and share threat intelligence and lessons learned through active engagement in information sharing organizations. As a final preventative measure, organization should obtain a cyber insurance policy to help with catastrophic repercussions of a breach.