Cyber breaches are escalating in terms of volume and complexity, growing exponentially in scope with the rapid emergence of new technologies. Akamai Senior Director R. H. Powell shared valuable insights with us in an exclusive interview regarding the reasons for this escalation, finding a balance between privacy and government access to private client data, and the future of cybersecurity.
The Usual Suspects
There are four main groups of actors who are responsible for the increase in cyber-attacks, said Powell. You have your traditional type, who is just one individual – basically a glory hound, doing it because they consider it to be fun, or just because they can. 10-15 years ago, that used to be the majority of actors out there.
You have criminal organizations, which include groups such as the Russian Business Network, where their primary motivation is money. They try to steal money, and this could take the form of some sort of fraud, or they could try to gain access to your account, get a loan in your name or get credit in your name.
We also have the state actors. Recently, it was announced by the DoD that cyberspace is the fifth domain, after land, air, sea and space. This is due to the realization of the real impact this could have on military operations and national security, which is why governments are focusing a lot of money on this problem.
You also have the political hacktivism aspect, where people are using the Internet to protest for a political cause. We saw with Arab Spring [a series of anti-government protests, uprisings and armed rebellions that spread across the Middle East in early 2011], how that was used to organize an online and physical protest simultaneously.
A major factor is the ubiquitousness and escalating nature of Internet usage. We use the Internet differently today than the way we used it, even ten years ago. This is not the era of getting online to get online, but the reality is that we are online all the time, paving the way for a lot more things to get attacked.
There are a lot more vulnerabilities between mobile devices, with a vast variety of operating systems, applications and platforms. The ease of tools has also increased. A few years ago, the main types of attacks were DDoS attacks, viruses and malware. Today, it’s not just these network attacks, now you’re dealing with more sophisticated application layer attacks [a type of denial-of-service (DDoS) attack], with a whole ecosystem of tools that make it unnecessary for you to have specialized knowledge to carry out these attacks.
This has caused an escalation in the sheer volume of attacks. All of these actors, including the state actors, criminal actors and political ones all collaborate and interact with each other. They share tools, compete with each other and literally help each other with training and services to make what they do easier. As such, it’s easier to attack and there are more ways to attack than ever before.
Is The Infrastructure Protected From A Serious Cyber Attack?
There is definitely a risk out there, and the biggest risk is some form of cyber and kinetic attack combined. An example would be where the undersea Internet cables come ashore, and someone who carries out an attack is able to take out a few of those critical links because something is not necessary physically well-protected. That would be a scenario where the physical world could impact the Internet.
You also have SCADA-protected systems, automated systems, power generation systems and so on that are open to vulnerabilities. New technologies that make legacy systems accessible via the Internet also definitely open up avenues for attacks.
In the area of power generation, some researchers have demonstrated how you can take control of generators and run them to the point where they are overloaded, and basically destroy them. The risk is certainly there and we are taking steps to protect it, but it is always a game of cat and mouse, and a question of who will get there faster. The wrong information in the wrong hands could cause physical and digital problems, not only for the US, but for the whole world, as well.
Is The Technology Moving Too Fast For Security To Keep Up?
Technology is moving faster than security can offer guaranteed protection. However, companies are moving quickly to fill the gap. An example would be the recent security issue with Nest thermostats, and a lot of people might not realize that something like that sitting on your wall is a full-fledged computer.
It’s got a mini-operating system that can do a whole lot. People don’t understand the impact of what they are doing when they are hooking that up in their homes, especially with the type of personal information they are putting out there on usage.
There are also physical vulnerabilities from all of that data. Nest is a really good product with motion sensors that can automatically adjust to whatever temperature is in the house. It knows when you’re there and when you’re not there. So when you have a device that knows when you’re not there – and most people don’t necessarily connect that, it is the same thing as using social media and posting when you are out of town – which increases your vulnerabilities and risks.
People need to be better trained in the sense that you probably don’t want to put that Nest system on your normal network. If you have your normal home computer network with financial and personal information, then it’s definitely a good idea to segregate the Nest system elsewhere. If someone who shouldn’t have control gets control at some point, then this would make a lot of sense.
With new technology, it’s always a question of weighing the benefits versus the potential negative impacts. Still using Nest as an example, they have a compelling financial incentive to get security right. All it takes is one, maybe two really bad incidents and they are out of business. This goes for other companies, as well.
About 60 percent of small businesses that come under attack end up having to shut their doors after six months because they don’t have the right liability insurance, since they weren’t prepared for that. Bigger businesses are taking that into consideration, which is why security is really important. But even the best security is never going to be perfect security. There is a real training ramp that we have with people so that they have better understanding of the risks that they are assuming.
Exploits are always going to be there, regardless of the type of technology in consideration. The deciding factor will always be if the benefits outweigh the potential risks, and the key is to always make sure we address vulnerabilities as soon as they are identified. The users also have to demand that the vendors build in security into their products. There may be some additional costs there, but that may be the price to pay. We are not going to stop the technology from evolving, anyway.
Do You See A Rise In Authorities Compelling Tech Companies To Reveal Customer Data?
The government is going to try and get as much information as possible. If you are in the government and bad things happen which you could have known about beforehand, you will get chewed out by the public. There will be questions of why you didn’t protect them. There are going to be times when they could have used this type of information to stop potential harm.
On the flip side, there is also a good reason why the constitution ensures the right to privacy, requiring things like warrants, or in the case of a company, subpoenas to get this sort of information. Corporations, and certainly those of us at Akamai, want to be law-abiding, but we also want to protect the information that is confidential to our customers. That is their information, and it’s not something that is just out there for everybody’s consumption.
There are always going to be cases – to some extent – where the lawyers say if the government comes in and issues a lawful subpoena for information, and we have information, then most companies would want to try and obey that.
The way corporations are trying to get out of being in the middle is doing something similar to what WhatsApp did [end-to-end encryption]. They don’t want to have that information in the first place, as such, they don’t have to worry about the storage requirement, which has a lot of costs attached to it. There is a need for privacy, and there is always a balance in there somewhere.
Do We Have Enough Manpower To Take Care of The Cybersecurity Challenges?
More training is still needed, and this goes all the way to colleges. We already see this trend increasing where there is a lot more interaction between educational facilities such as universities and colleges, and the business world in terms of developing curricula specifically for cybersecurity and information protection. This is absolutely what we need because there’s still a lot of people who have good technical skills who are being brought in to the security field, and are learning as they go.
Having a foundation of a degree in a specific field could speed up the pace at which we can train security professionals. There is more pressure in the system and knowledgeable security professionals are a valuable commodity. The law of supply and demand will adjust there, but there is more demand than there is supply.
How Do You See The Whole Scenario Playing out in The Next Few Years?
We have made a lot of strides in the last five or six years in the industry as to how quickly we have adapted to new technology and emerging security challenges. There has been a cultural change where people in the private sector are more knowledgeable about security. That will continue with more people becoming more aware, but as technology explodes, the threats and challenges also explode alongside.
There will be new technologies that none of us have even though of, maybe it will be augmented reality or some other technology that adds a whole new set of vulnerabilities that no one is even thinking about right now. Five years from now, people will take it for granted that there is going to be a bad day scenario, and they need to have plans in place for such eventualities. Do your best to protect ahead of time with the realization that there is always going to be some zero day.
There might be more investment in security research since they do a good job of finding vulnerabilities and allowing us to get those patched quickly. Heartbleed [computer bug] is a great example and the industry found that vulnerability and found a fix for it. Five years from now, the sense of panic will no longer be there, just the realization that this is a part of doing business and you need to be able to react quickly to close the vulnerability.
Profile
Speaker: R. H. Powell
Position: Senior Director, Akamai Americas Security Services
Powell is responsible for Akamai’s America Security Services Team, which includes all of Akamai’s security solutions for north central and South America. He has been at Akamai for more than 12 years, with half of the time focused solely on the public sector.
Akamai is a provider of Content Delivery Network (CDN) services, making the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere.