This week, the FBI and Fordham University partnered to hold the International Conference on Cyber Security. The gathering of cyber security professionals, public sector officials and security-oriented individuals convened for three days to examine the threats, responses and policies shaping the cyber world. CivSource spoke with Rich Baich, Deloitte’s Cyber Threat Intelligence Group leader, about emerging cyber threat analysis, operations and enforcement.
Cyber security isn’t a new issue but, with tens – if not hundreds – of new threats emerging each week, keeping sensitive data safe never gets easier and the answers never get clearer. For governments trying to find effective ways to guard against both known and emerging threats the task is difficult at best. According to Baich, cybercriminals and rogue nation-states understand our laws and regulations, and often use them against us. Because of this, policy makers at every level of government will have to take a hard look at our legal system and find solutions to enable effective defense and enforcement.
Baich also points out that effective defense will take more than statues. Maintaining an up-to-date and effective technology infrastructure is also important for successful defense. State and local governments, Baich argues, will need to make sure that they are allocating budget dollars and applying for grants to keep their technology infrastructure strong. State and local government will also have to be at the forefront of educating the public about measures they can take to ensure cyber safety.
Baich notes that cyber security “is a like a chess game,” it’s based on constantly increasing one’s knowledge and improving situational awareness. Cyber security is not something that can be created by developing a single new weapon or tool, instead both law enforcement and the general public have to be schooled into a security-oriented mindset – a process which takes more time then other defense measures. As cybercriminals get better at their craft, they can hide the origins of their attacks or make us think they came from somewhere else, making the attack difficult to track or perceive correctly.
According to Baich, these difficulties can only really be addressed when statute, enforcement and infrastructure are working together. However, the lack of clarity about process and ownership at all levels of government in the US is making us vulnerable. He noted that the new cyber security directives out of the Obama Administration looked promising but “without a status update, it’s hard to determine how effective they have been up to this point.”
It’s also not clear who owns cyber security in the United States. Currently, there are several disparate policies and procedures spread throughout all levels of government, defense, and intelligence – leaving a muddled picture at best and a greater chance for exploitation at worst. Issues like classified data, Baich notes, has kept the full cyber picture opaque for those outside national security. While keeping data classified may be equally as important to national security, it can often create challenges for our ability to maintain effective cyber defenses in both the public and private sector.
Other speakers at the conference echoed Baich’s points. The need for some kind of collaborative response seemed to be a constant offered by the presenters. Robert S. Mueller III, director of the FBI echoed the call for more collaboration on the last day of the conference, “a bar-the-windows and bolt-the-doors mentality will not ensure our collective safety,” he said. “Fortresses will not hold forever; walls will one day fall down. We must start at the source, and we must find those responsible. The only way to do that is by standing together.”