Although cybersecurity experts have their separate ideas on what the most pressing Internet security concern is, they generally agree on one thing: The threat landscape is evolving into more attacks of increasing sophistication.
Here, 10 industry insiders offer their insight into what they believe are the most dangerous cyber threats, ranging from social engineering to cyber espionage.
Lance Cottrell, chief scientist, Abraxas: “Malware is really becoming one of the biggest issues. Especially what I describe as spear-phishing type malware attacks where this is not some virus or Trojan that is sort of generally running around on the Internet, but zero-day threats that have been typically built and then targeted at very select, small audiences. The security systems we have in place now are almost all signature based; a really novel, new attack vector, or a new piece of software isn't going to show up, and if it is only ever delivered to a small handful of people, it won't get picked up by any of the conventional mechanisms that are used to discover these kinds of things. We are seeing a lot of issues with highly targeted, highly crafted phishing attacks.”
Alex Miller, senior vice president/general manager, Intelligence Systems Business Unit, L-3 Communications: “I think there are many cyber threats out there: nation-state, terrorists, illegal activities, to name a few. But I'd say the greatest threat is the ignorance of the people who use computers and the Internet and their failure to realize how vulnerable they really are. Password protection and point defense systems that we use now are very vulnerable, and they [instill] a false sense of security. Securing our computers and trying to mitigate our risk while on the Internet will be a significant issue for the foreseeable future.”
Gunnar Hellekson, chief technology strategist, Red Hat U.S. Public Sector: “The threats that I have seen lately are mostly internal. I don't mean hackers from the inside or hackers on the outside; I mean the greatest threat from the increased focus on cybersecurity is the threat that comes from our reactions to real and perceived threats. I see this growing ‘Fortress America’ movement around computer security and the security of the software-supply chain. When I hear about plans to certify software development, or otherwise close our software development system, I get really nervous. Because I come from an open source background, I am certain that we cannot add more barriers to entry for good ideas into our software-supply chain. … Another threat that I have seen lately, and it is along the same lines, is less about cybersecurity as it is about the way that software and systems are developed. There is definitely a lack of stewardship of government-funded intellectual property.”
Steve Hawkins, vice president, Information Security Solutions, Raytheon: “One of the most important threats is social engineering as a means of getting individuals within any enterprise to either click on an attachment or a website that would bring malware or the Advanced Persistent Threat into your enterprise. I would say the one other thing that bothers me is non-threat based: There has been so much discussion on cyber that there is a little bit of cyber fatigue across the country. That is causing a level of complacency that I think has our country and the world interest saying, ‘Could it really be that bad?’ I believe it is, and I believe that complacency is dangerous.”
Jeff Carr, CEO, Grey Logic: “I don't think hackers are going to waste time with anything that does not yield some type of profit. So, then it really becomes the question of what was targeted. That is how Grey Logic looks at attribution when it comes to cyber espionage; what have we tied it to what was taken, who would have reason to have entered or accessed it; it has value to what party? Then you can start narrowing the field. I categorize it in three areas, you have state actors, and state sponsored actors, which would typically be skilled hackers who have some type of handshake arrangement or some other compensation with the state entity, but also at the same time create plausible deniability. Then you just have non-state actors.”
Gen. Dale Meyerrose, vice president/general manager, Cyberspace Solutions, Harris Corporation: “The one of most concern to me is cyber crime. It's the most insidious, I think. I know there's a propensity for folks to want to demonize and look for radicals or other countries to be the cause of bad things that happen in cyberspace. Those are there and those threats are very real, but the elements of cyber crime I think, particularly economically for our country, have come to the point where we need to really be concerned. There have been estimates that we've lost over a trillion dollars a year to cyber crime in the last couple years. And it now exceeds all other crime in terms of the amount of money. So, it's something that undermines the trust in our economy and something that I worry about, not only as a citizen, but also as a steward of a company's assets.”
JR Reagan, principal, Federal Solutions Group, Deloitte Consulting LLC: “Lately, we're seeing threats from global players. The type of distributed threats where cyber intruders can unwittingly harness and marshal thousands, if not millions, of computers to attack an organization's systems. There's just a lot of unsuspecting victims out there that suddenly become part of somebody else's scheme to attack DoD computers or other government agency systems. Some of the other threats are the insider threats, which we wrestle with a lot. How do you change the culture at an organization that makes their employees feel they are part of the solution, and not again, an unwitting part of the problem? And lastly, I think is the threat that a lot of these infected computers pose to the network at large, and the inability of network providers to legally quarantine these threats from infecting more of the network. There isn't a mechanism in place that says, ‘you've got an infected computer, you need to stay off until we can fix you.’ So it's open gates, open arms, open doors, it just continues to spread the threat.”
John Watters, chairman/CEO, iSIGHT: “Not unlike our customers, criminal interests are attracted to low-risk/high-reward opportunities. Organized criminal groups now make more money in cyber crime than from the narcotics trade. That is a clear reflection of an adversarial shift from the kinetic to the non-kinetic world, where anybody can steal money namelessly, facelessly, with minimum risk and a high degree of operating leverage in a way that is both efficient and productive. In addition, a criminal group only needs a limited number of people and financial resources to be successful. The gravitational pull into electronic crime has created a meaningful shift in the risk dimension.”
Maj. Gen. Steven Smith, director, Army Cyberspace Task Force: “The threat that worries us the most is the threat we don't know about. I don't know what I don't know. This will always be a leader's biggest concern. All of the other threats that are current with zero-day exploits, insider threats, etc., are no different for the Army than they are for a bank or technology company. For those of us in this business, particularly in active defense, you are probably most concerned about the threat you don't know about.”
Vincent Mihalik, vice president, Cybersecurity Solutions, Wyle Information Systems: “A complete understanding of the makeup of the threats facing the United States in cyberspace is difficult to characterize in a short response. Some suggest the cyber threat is overhyped, and others suggest that we are actively engaged in a cyber war. It is often stated that if end-users and systems administrators would follow generally accepted best practices for computing, our cybersecurity risk could be reduced by as much as 80 percent. At Wyle, our philosophy is based on solutions that encompass active defense today and investment in research and development to prepare for next-generation threats. … Our relationships with DARPA, NSA and USCYBERCOM provide us insight into leading-edge security technologies and processes, and form a basis for collaboration and information sharing in facing this evolving threat.”