I participated in the Cyber Exchange Forum earlier today, an event sponsored by the Advanced Cyber Security Center (ACSC). The featured speaker was Sean Kanuck, National Intelligence Officer for Cyber Issues, Office of the Director of National Intelligence. In this role, Sean directs the production of national intelligence estimates (for cyber-threats), leads the intelligence community (IC) in cyber analysis, and writes personal assessments about strategic developments in cyberspace.
Here are a few of the highlights:
- On the scope of threats. Sean does not subscribe to the notion of a "cyber Pearl Harbor" for the most part. He stated that there are only a few nation states capable of this type of attack (i.e. China and Russia) and that an attack of this magnitude was highly unlikely during peace time. His caveat to this was that we already face a series of disruptive attacks like those at the Sands Hotel of Las Vegas and Sony Pictures that are having a cumulative impact on the U.S. economy and national security.
- On future attacks. Sean spoke of a growing concern around data integrity using the Syrian Electronic Army hack of the Associated Press's Twitter account in 2013. This particular event led to a decrease of $137 billion in stock market valuation. He emphasized the fact that a relatively small crime moved billions of dollars and that these types of scams are often used to fund all types of other malicious activities.
- On non-state actors. While these groups don't have the sophistication of nation states, Kanuck described the threat from non-state actors as being "as good as what can be purchased online from the cyber black market." In other words, the bad guys will improve malware attacks as well as their tactics, techniques, and procedures (TTPs) as the cybercrime industry becomes more organized and market-like. Unfortunately, this advancement is already well underway.
- On political will. Sean stated that there are about 30 countries that are now developing offensive cyber capabilities. It's cheap and effective with very little risk.
- On commercial cybersecurity innovation. New products like automated penetration testing software can really help companies identify IT risk, but Kanuck pointed out that they are also making it easier for the black hat community.
Sean said that organizations can expect to encounter cyber-attacks that cause IT attrition and degradation. Much like disaster recovery, organizations should then create a plan that allows them to operate in a degraded state when this occurs – not optimal but not out of business either.
In my humble opinion, Mr. Kanuck did a great job of bridging the gap between the feds and the private sector cybersecurity community this morning. We need more of these candid presentations/discussions and less rhetoric and government-speak out of Washington.