David J. Barton
Carlos Fernandes serves as director of Salient Federal Solutions‘ Cyber Security Center of Excellence and recently wrote an op-ed piece for the Insurance Technology Association.
The more-than 21-year information security veteran was the founder, managing principal and CEO of Agile Cybersecurity Solutions prior to joining Salient.
The Air Force veteran has also held leadership roles at CACI, L-3, Booz Allen Hamilton, EDS and LinQuest.
In this column, Fernandes covers recent cybersecurity developments in both the public and private sectors, includes prediction and prevention as keys to success and discusses where he thinks cyber will go next.
_ _
Cyber incidents are on the rise, with nearly 100 percent of Forbes Global 2000 companies reporting breaches within the last 18 months. Â With the emphasis placed on new and emerging technologies, corporate America has become an attractive target for cyber criminals.
Contrary to rising domestic and international accusations and mistrust of U.S. government cyber programs, prompted by media attention to NSA contractor Edward Snowden and the NSA Surveillance Program, the U.S., by policy, does not engage in economic espionage. By contrast, most other nations do. We have all heard news reports of nation-state sponsored cyber activities, targeting U.S. public and private sector organizations, allegedly from China and Iran.
It is further alleged that Iran, in retaliation for the Stuxnet incident in 2010 responsible for setting back their nuclear ambitions, has recruited the largest army of hackers on the planet. According to Vice Admiral Mike McConnell, former NSA and DNI Director, speaking at the Bloomberg Cybersecurity Conference in October 2013, it is estimated that over 200 nations have an active Cyber Intelligence capability.
Cyber tools, used for computer network exploitation, can also be used for cyber-attacks. These capabilities are cheap and are being built by the thousands. The alarming reality is that most U.S. corporations have been penetrated and in most if not all cases malware has been installed and hidden within their networks, with data either currently being “exfiltrated,†or with an ability to do so remotely and at will.
It is estimated that over the next 10 years, if these clandestine operations against U.S. corporations continue, there will be serious consequences to our free market economy. Our market-leading, competitive advantage in research and development and world class innovations could be greatly reduced, potentially hurting our ability to compete globally.
We believe that the answer to combatting this threat is focused around the concept of precognitive capabilities, a holistic approach utilizing both artificially intelligent technologies and top industry cyber professionals, with a laser focus on predicting, preventing, and persisting against cyber incidents.
An ethical hacker was recently quoted saying, “Given enough time and resources, I have always been able to breach my target. I start with the low-hanging fruit. The sad truth is that there is so much low hanging fruit to choose from. If I can do it, there are others that can, too.â€
The fact is that much of this low-hanging fruit can be eliminated with the 80-20 rule. About 80 percent of cyber breaches can be prevented with the application of industry security best practices. It`s the remaining 20 percent that causes C-level executives (especially those from Target and Neiman Marcus) to lose sleep at night.
The alarming reality is that regardless of how diligent any organizations` IT department is at reaching compliance with security best practices, it is impossible to eliminate all vulnerabilities. I equate it to the legend of the Dutch boy plugging the hole in the dike with his finger, in an effort to hold back the Atlantic Ocean. You plug one hole only to find ten more. You simply end up running out of fingers.
So, what`s there to do and where to begin?  We can no longer afford to wait for a breach to occur before we respond. We must predict and prevent—educate, train, and employ security best practices so that when the adversary strikes we are ready. The following is a simple list that, if applied, is guaranteed to reduce cyber incidents.
- Develop a security and risk assessment strategy
- Implement the strategy
- Establish a security baseline, aligned with best practices
- Identify security gaps
- Prioritize findings
- Develop and implement a mitigation strategy
- Continuously monitor network assets
But to stop there would be a mistake; we must persist. It has been said more than once that the solution is less technical and much more philosophical and political. Cybersecurity is not a once and done IT project. It is an ongoing effort with newly evolving threats that we must anticipate and adapt to overcome.
I encourage those of us that have been in the fight for many years to not grow weary and continue to look for ways to find common ground for reaching collaboration between public, private, and international communities, with the realization that cyber security is a journey, not a destination … it never ends.
The goal of the Insurance Technology Association is to provide members with opportunities to collaborate, educate, network, share, and use knowledge related to insurance technology. The ITA serves the insurance technology community as a resource and is dedicated to serving this specialized sector of the industry. Publications and educational programs created by the ITA are geared to professionals interested in or charged with evaluating, implementing, and marketing insurance-specific technology systems or services. Please visit www.itapro.org for more information.
