This week, San Francisco is hosting the RSA Conference, a cyber conference that allows government officials, corporate executives, and commercial vendors to discuss how to best protect and defend both government and commercial networks. RSA started as a group of cryptographers coming together to discuss and prepare for future challenges in securing technology, but the conference has grown into much more. It has evolved into a place for dialogue on managing cyber risk, and expert attendees will discuss how to best secure major public and private technology assets moving forward. One of the major topics that is sure to be discussed at RSA is the need for data analytics around cyber assets. Network operators, particularly in the government, could greatly reduce their cyber risk by making greater use of data analytics.
We lose productivity, data, and equipment in cyberattacks. Protecting both the information and the equipment that makes our digital economy and digital existence possible is something governments, corporations, and individual users should be monitoring at all times. Perhaps the most public measurement or indicator of cyber damage is in the breaches of major networks we are all familiar with and use every day. So much data resides in these systems that any loss or incident potentially causes noticeable, negative effects. The Breach Level Index database (0) tracked 874 data breaches worldwide in 2016, a 31 percent increase in stolen or lost data records from the previous year. There is a litany of incidents from the recent past (1) — Yahoo (500 million users affected), LinkedIn (117 million users affected), Anthem Health Care (80 million health records divulged), and the infamous Office of Personnel Management breach (21.5 million records stolen), among others.
Other attacks — such as the coordinated distributed denial of service attacks that targeted Domain Name System provider Dyn (2) — are temporarily taking down the websites of Twitter, The New York Times, The Guardian, Netflix, CNN, Reddit, Spotify, and others in October 2016. In this incident, malware spread through a large number of internet-connected devices such as printers and webcams, highlighting the need for Internet of Things devices such as routers and security cameras to have dynamic security systems in order for the digital ecosystem to flourish.
These incidents show that the loss of data and potential data-integrity concerns can create considerable distress — interruptions created by hackers or ransomware can disrupt or shut down government agencies, major corporations, and our ability to work or communicate. With data breaches proliferating, measuring risk will be a critical way for governments, corporations, and individuals to understand how many resources must be devoted to securing their digital assets and the accompanying data.
There are no signs that cyber risk will decline in the coming years. A recent Cisco survey (3) showed that 29 percent of respondents had lost revenue due to a cyberattack, and the average cost of a data breach is estimated to be headed toward $150 million by 2020. Companies face cyber risk from outside malicious actors, but also from their own employees’ behaviors. Of the system administrators who were surveyed recently, 49 percent were most concerned about the internal threats posed by employees and individual users. Individual users open emails with malware attached, click on infected adware, and fall victim to phishing attacks, opening the government, corporations, and other stakeholders to security issues. The 2016 Verizon Data Breach Investigations Report (4)noted that 30 percent of recipients opened phishing emails. Having a policy framework in place for early detection can help an organization respond more effectively to a cyber incident, but the future of securing our networks lies with advanced data analytics and using artificial intelligence to automatically scan for irregular patterns of user behavior. This is analogous to the financial institutions that use the geolocations of financial transactions as indicators for identifying suspicious behavior.
Congress has taken note of the government’s need for more analytics around cyber assets. The government’s current inability to determine the magnitude of risk when one of its networks is breached makes it difficult to pair the risk with the appropriate resources to address it. Rep. Joe Wilson (R-SC) introduced legislation this week (5) requesting that the director of national intelligence conduct a study on cyberattack standards of measurement. Wilson’s bill asks the director to work with the director of the FBI, the secretary of Homeland Security, and the secretary of defense to determine appropriate standards to measure and quantify the damage caused by cyber incidents. As the old saying goes, “What gets measured gets done,” and in the case of cyber incidents, measurement needs to be consistent with the loss that is created.
Most of the major data breaches in the past five years have occurred in North America due to the heavy use of technology and data for business success. Creating a plan to protect the networks and the information that runs on them is vital to protecting both our national security and our economy. Emerging technologies will drive our future only if we trust the networks and the data they hold. To keep the economy running on the digital backbone that governments, businesses, and individuals depend on for information, communications, entertainment, and transactions, we need to understand cyber risks and create a measurable plan to protect our technology and associated assets.