The following is taken from an address given by Cylance Chief Security & Trust Officer Malcolm Harkins to the United States Senate in March 2017. We believe it’s important enough to share with the public and start a dialogue so that we can band together to find the solutions we so clearly need in order to secure our vastly-changing future. Part 1 of this series can be found here.
While the cycle of innovation brings new opportunity, digital disasters may be looming if we don’t manage the risks ahead.
These days, it’s hard to read an online news source, pick up a newspaper, or watch TV without seeing reports of new threats: cybercrimes, data breaches, industrial espionage, and potential destruction of national infrastructure.
These reports inevitably leave the impression that we are drowning in an inexorable tide of new and terrifying threats.
Reports such as these: “CloudPets' woes worsen: Webpages can turn kids' stuffed toys into intrusive audio bugs,” read the headline posted on The Register on March 1, 2017, by Richard Chirgwin. “Fatal flaws in ten pacemakers make for Denial of Life attacks,” wrote Darren Pauli on December 1, 2016.
Whether it is these headlines or this one: “Hackers Show How to Remotely Crash a Jeep from 10 Miles Away,” there is one common denominator that exists today and will exist tomorrow:
Any device that executes code has the ability to be compromised and execute malicious code.
Emerging technology such as the internet of things (IoT), blockchain, quantum computing, and artificial intelligence offers tremendous promise for benefit, but if it is poorly designed, developed, and implemented, it is likely to be able to execute malicious code, and harm will occur.
Risks and Impacts to Society
The variety of risks and impacts to individuals, to our businesses, the economy, and potentially to society could be wide ranging and financially significant.
When assessing risk, I think it is important to look at data. Here is some data from recent surveys and studies:
- Increased acceleration of previous threat and vulnerability trends
- APT and cybercrime boundaries blur
- Majority of attacks are neither sophisticated nor advanced: techniques are reused, recycled, and re-introduced
- Investing in prevention may be more effective than investigating
- Cybersecurity threats are expected to have the fifth greatest effect on a company in the next 12 months
- 75% of respondents report short term performance pressures compromise management and the board’s ability to focus on the long-term
- Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge on this growing risk
- 45% of cyber professionals think their organizations are significantly vulnerable to cyberattacks
- 47% think their organizations are somewhat vulnerable to cyberattacks
- 40% of cyber professionals want goals established for IT around cybersecurity
- 44% of cyber professionals indicate they do not get enough time with the board
- 21% say that business and executive management treat cybersecurity as a low priority
- 61% of CISO turnover is due to the lack of a serious cybersecurity culture and of active participation from executives
Managing Future Risk
The conclusion that I can draw from this data, as well as all the headlines we see daily on breaches, including the March 9, 2017 headline from Tara Seals at Information Security Magazine that read, “61% of Orgs Infected with Ransomware,” is this:
We are not in aggregate doing a good job today managing our risk. We need to do better. We have to do better.
Not only do we need to make immediate improvements today, we need to get in front of our future risks. Otherwise, the potential we have in front of us with technological advancements, which can benefit individuals, business, government and our society, will be called into question.
Cylance Chief Security & Trust Officer
Address to the United States Senate, March 2017.