Cyber Security in 2019: A Year in Review
Offense is Winning
Since the dawn of cybercrime, there has been a gap between cybersecurity defenders and offenders—the former pursuing the latter. The size of this gap has fluctuated over the years depending on each side's capacity to pursue or evade the other. Over the past decade, defensive efforts made considerable gains in protecting the public against cybercriminals. In an unfortunate turn of events, 2019 reversed that: despite earlier gains, defenders have routinely been losing ground in the cyberwar.
Breach Detection Time Increased from 2018 to 2019
Several metrics can be used to determine the "score" of the cyberwar. One of the most telling is the industry's average time required to detect and resolve a data breach. According to an IBM report, the average breach detection and remediation time increased from 2018 to 2019 by about 4.9%. This reverses the trend of the past decade, during which that time had been narrowing consistently. Not only is this a disconcerting statistic for cybersecurity specialists and organizations alike, but it indicates increasing damage to our economy. According to the same report, the global average cost of a data breach is $3.92M. Breaches whose lifecycle (time to detect and resolve) exceeded 200 days cost an entity an average of $1.22M more than those resolved within 200 days.
Why Cybersecurity is Growing Increasingly Difficult
The Exploding Market of IoT Devices
More than ever, cybercriminals are gaining the upper hand for a variety of reasons. One of them is the complexity of the networks that must be defended. Complexity is the enemy of security. What does that mean? There's a chance that you're reading this article on a device capable of connecting with your watch, car, headphones, mobile device, other computers, thermostats, or even your refrigerator. For business, this has extended to everything from company security badges to security cameras and remote network connectivity. Technological innovation, combined with cheaper manufacturing processes, has led to a market explosion for internet-connected devices. IoT (internet of things) device providers have done a fantastic job of marketing a picture of an increasingly interconnected existence. Where the industry has largely failed is in adequately securing these new devices and networks against cyber threats.
IoT Cybersecurity Headaches
This level of hyper-connectivity means an increasingly complex network architecture and an ever-larger attack surface for adversaries. Though IoT connectivity can be markedly convenient for users, the same can be said for hackers. IoT devices present a wide range of access points for cybersecurity threats to exploit, and as networks grow progressively more complex, they become more difficult to defend. Any device with internet accessibility also requires adequate cybersecurity protection. Failure to provide it can and has resulted in significant data breaches. For example, one group of hackers managed to compromise a casino's inadequately protected cloud-connected fish tank to steal patron data. Hackers are growing incredibly good at finding any and all access points that IoT and other avenues can provide.
The Growing Sophistication of Organized Cyber Crime
Around 2015, cybercrime became even more lucrative for organized crime in the United States than the sale of illegal drugs. According to FBI reports, cybercrime is estimated to be a problem costing the U.S. economy upwards of $6 trillion. How is this possible within the world of organized crime? Growing sophistication.
Running Cyber Crime Like a Business
When the profitability of any industry swells, so too does its level of organization and sophistication. Cybercrime is no exception. Organized crime groups engaged in the business of hacking have entire teams of software engineers and developers on their payroll. In the same way a bullet manufacturer may acquire various classes of body armor to develop a round that can penetrate them, organized crime groups do the same with cybersecurity software systems on the market. Hackers work tirelessly, developing and testing their malware to make it capable of penetrating or bypassing anti-virus and cybersecurity software programs while remaining undetectable to scans. These efforts are funded by the increasingly lucrative underground industry of cybercrime monetization.
The Lucrative Business of Stealing...Press Releases?
Most depictions of hackers in modern media are edgy-looking characters hacking into banks and draining their contents into foreign accounts like a safecracker with a laptop. The public doesn't typically consider the profitability of stealing unpublished press releases. Who would care about stealing a press release, right? It will be published for the entire world to see in 24 hours! For insider trading efforts, however, unpublished company press releases can provide less honest brokers and investors with jackpot-winning business insights. This is only one of the many inventive ways hackers are monetizing the results of their efforts. Despite this underground market for privileged information, press release companies, for example, may underestimate the role that cybersecurity plays in their business.
Business Email Compromise
You've likely been instructed not to open emails from anyone you do not know, much less act on their instructions. Well, what if you received an email from the CEO of your company with specific operational instructions? One disconcerting cyber scheme is called "business email compromise." In a business email compromise, an attacker has managed to breach your company's email system. From there, they may carefully manipulate or extract details for their own gain. Others may impersonate those in authority to give other parties seemingly innocent but ultimately damaging instructions. For example, they may craft a persuasive email that appears to come from the company CEO, instructing the CFO to wire funds to what they claim is a well-known business partner. That partner's account is actually the hacker's foreign bank account, and those funds are often impossible to recover even after the theft is identified.
It isn't only large corporations that are vulnerable to these types of attacks, but also smaller entities. A realtor, for example, could very realistically become the victim of business email compromise. I'm personally familiar with scenarios involving the hacking of a realtor's email credentials. The hacker crafted an email that appeared to be from the realtor to a family in the process of buying a house. Impersonating the realtor, the hacker requested that the family wire their down payment to what they assumed was a reputable banking institution. In reality, this source was a foreign bank. The young family's down payment was irretrievably lost. Robust cybersecurity efforts are crucial for all organizations regardless of size. No one is immune.
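The two scenarios above (a spoofed CEO instructing the CFO, and a hijacked realtor account redirecting a down payment) share observable signs that a mail gateway or SOC can check for before a wire ever goes out: a trusted person's display name paired with the wrong address, a sender domain one character away from the real one, a Reply-To that routes replies elsewhere, and a payment request wrapped in urgency. The following checker is an added example, not code from the original article or from SENTIR Research Labs; the internal domain, the trusted-sender roster, the keyword lists and the two sample messages are all constructed for illustration. It generalizes the executive case to any roster of trusted senders, so the same lookup covers a realtor or a business partner.

```python
"""Heuristic indicators of a business-email-compromise (BEC) lure.

Added example (not from the original article). The domain, roster,
keyword lists and sample messages below are constructed assumptions.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                       # assumed internal domain
# Hypothetical roster: display name (lowercased) -> the only address it may use.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example.com",               # assumed CEO
    "sam realtor": "sam@example-realty.test",         # assumed outside partner
}
PAYMENT_WORDS = ("wire", "transfer", "down payment", "account number", "routing")
URGENCY_WORDS = ("urgent", "today", "immediately", "asap", "confidential")


def _split_addr(header_value: str | None) -> tuple[str, str, str]:
    """Return (display name, address, domain), all lowercased."""
    name, addr = parseaddr(header_value or "")
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg: Message) -> str:
    """Concatenate text/plain parts; single-part messages are used as-is."""
    if msg.is_multipart():
        return "\n".join(
            str(part.get_payload())
            for part in msg.walk()
            if not part.is_multipart() and part.get_content_type() == "text/plain"
        )
    return str(msg.get_payload())


def bec_indicators(raw_message: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    from_name, from_addr, from_domain = _split_addr(msg.get("From"))
    _, reply_addr, reply_domain = _split_addr(msg.get("Reply-To"))

    # 1. A trusted display name used with an address the roster does not allow.
    expected = KNOWN_SENDERS.get(from_name)
    if expected and from_addr != expected:
        findings.append("display_name_impersonation")

    # 2. Sender domain is a near-miss of the internal domain (typo-squat).
    if from_domain and from_domain != INTERNAL_DOMAIN \
            and _levenshtein(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike_sender_domain")

    # 3. Replies are silently redirected to a different domain.
    if reply_addr and reply_domain != from_domain:
        findings.append("reply_to_mismatch")

    # 4. A payment instruction combined with pressure to act now or keep quiet.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent_payment_request")

    return findings


# Constructed sample: a CEO-impersonation lure aimed at the CFO.
SUSPICIOUS_MESSAGE = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To: ceo.jdoe@mail-example.net",
    "To: cfo@example.com",
    "Subject: Urgent wire for new partner",
    "",
    "Please wire $48,000 today to the account in the attached invoice.",
    "Keep this confidential until the deal closes.",
])

# Constructed sample: a routine internal note from the real CEO address.
BENIGN_MESSAGE = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: staff@example.com",
    "Subject: Thursday agenda",
    "",
    "Agenda for Thursday's leadership meeting is attached.",
])

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, bec_indicators(raw))
```

Each indicator on its own is weak (executives do travel and use odd Reply-To addresses), so in practice the findings feed a score or a hold-for-review queue rather than an automatic block; the point is that a wire request carrying three or four of these signs deserves a phone call to the purported sender at a known number before anything moves.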
Under-Reported or Unreported Hacking Schemes
Aside from the financial devastation these attacks inflict on business, they are also immensely damaging to other at-risk entities. How so? A good portion of these incidents go unreported to legal authorities, much less news outlets. Depending on the circumstances, businesses may not be obligated to report such losses to anyone outside their organization. Many take advantage of this secrecy to protect the reputation of their organization, brands, and services. Unfortunately, this dramatically reduces the ability of other entities to learn from these scenarios and take the necessary precautions. In attempting to keep their cards close to the vest, they’re really just hiding the entire industry’s bleeding wound.
The Sensationalism of Ransomware
Stories relating to cyber threats tend to lean in the direction of exciting, breaking news. A cybercriminal holding a company's information hostage with ransomware is a favorite theme. The overt viciousness juxtaposed with the anonymity of the attacker makes for a compelling news story. Defeating ransomware, however, is not a detection problem for defenders. Ransomware's very obvious presence is a crucial aspect of its ploy—it knocks on your front door with its demands. While it's always helpful when cybersecurity gets attention in the news, many frequently executed attacks deserve more coverage precisely because, far from knocking on the front door, they work hard to stay undetected.
Executives Underestimate Cyber Vulnerabilities
One of the most significant challenges to closing the gap between cyber offense and defense is the lack of support from the lofty perch of leadership. CEOs and business leaders routinely fail to appreciate the potential impact of cybersecurity shortfalls on their business. To help close the cyber gap, leadership must understand that no organization is immune—any entity is vulnerable to attack. Giving cyber defense the appropriate emphasis is a must for all organizations. Making it one of the highest priorities at the executive level is the only way to ensure ongoing investment in adequate cyber defense.
Cybersecurity Staffing Challenges
Winning the cyberwar takes more than investment in new technologies—it takes an army. One of the most significant impediments to adequate cybersecurity today is finding, hiring, and retaining adequate staffing. Cybersecurity teams are understaffed to the tune of over 1 million unfilled positions across the United States. The staffing challenge is two-fold.
- Greenlighting the creation of these positions from the top down
- Finding qualified candidates to fill these roles
Because cybersecurity threats are continuing to evolve year after year, finding talented cyber defense specialists capable of closing the security gap can be extremely difficult. To properly train and prepare the next generation of cybersecurity defenders for the ever-changing landscape, robust training programs should be sought out and developed both internally and externally.
The Illusion of Continued Sufficient Cyber Defense
It can be difficult to convince an organization to take cybersecurity seriously when they feel that they already are. Many entities are under the illusion that they have adequately invested in the protection of their organization… two years ago. Investing in a dedicated cyber defense system can provide a false sense of security. Defenses should constantly evolve because adversaries across the spectrum are constantly evolving. Any cybersecurity effort should include continuous improvement and the ability to quickly adapt to a changing cyber defense landscape.
A New Era of Hackers
We are not facing the same hackers today as we were three years ago. We are not even facing the same hackers we faced last year. The modern hacker's methods are constantly evolving, growing more sophisticated with a changing attack surface. The huge reinvestment that organized crime is making in cybercriminal activities is daunting. Criminal organizations are making hundreds of billions of dollars and spending much of those ill-gotten gains on improving their capabilities. Entities that pat themselves on the back over past investments in cybersecurity need to ask themselves a question: How am I playing the game better this year than I was last year, and how will I play it better than ever next year?
Oklahoma's Promising Future in Cyber Defense
At SENTIR Research Laboratories in Tulsa, Oklahoma, where I serve as Executive Director, we're immensely focused on the future of cybersecurity and how to extend its capacity for the United States. With that, we're excited to explore the underutilized technology and intellectual capital in Oklahoma. In addition to a broad pool of tremendously talented specialists, Oklahoma is also home to the Center of Academic Excellence in Information Assurance and Cyber Defense Education at the University of Tulsa—an elite, world-class cybersecurity program that has been utilized by the Federal government for over 20 years.
Despite the state's understated relationship with technology, we believe that Oklahoma, and Tulsa in particular, are on the brink of an enormous boom in their tech ecosystem—the likes of which has not been seen in the Midwest. Tulsa and Oklahoma have tremendous untapped potential for technology innovation and entrepreneurship. Those who are curious about this are invited to learn more through SENTIR Research Labs.
For those interested in the details of the state of cyber defense efforts, successes, and failures in 2019, there are two reports I recommend.
Both of these reports deliver considerable insights into the state of cyber defense—successes, failures, and additional input.