Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR
Issue link: http://vanguardcanada.uberflip.com/i/507045
c cyber SeCURITY 36 APRIL/MAY 2015 www.vanguardcanada.com Q What are the major cyber concerns for governments and defence and security agencies? The biggest challenges are frankly not any different than what we see for commercial and citizens generally. The major trends are the growth in the attack surface and the different types of platforms and devices that are being used. In the mobile space over the last several years, we have seen year-over-year triple digit growth in mal- ware and exploits that are being launched against different types of mobile devices. We expect that is going to continue. With that we see much greater sophistication in the types of at- tacks and malware that are proliferating. And if the criminals, the hackers, aren't very sophisticated, they can just go online and buy the tools, because many of them are easily available for purchase on the Darknet; you can rent a botnet for however much time you want; you can buy any type of personal information. All of those things are creating an expanding cyber threat environment. Q Given that increase, what advice are you providing to govern- ments? A lot of the advice is around threat and security awareness and the appropriate protocols, and around the trends that we see coming down the road from an attack and from a security innovation per- spective. We are also working with governments on information sharing. We want to make sure that privacy and civil liberties are protected, but we know it is helpful to everyone if we have a com- mon picture of what the threat environment is so we can protect ourselves more effectively. So a lot of the conversations we are having with different governments around the world are around the notion of public-private partnerships for information sharing. COLLABORATION TO COUNTER THREAT EXPLOSION Q It seems we keep having the same conversation about im- proved information sharing. Is there progress? We are still having that same conversation, but I do believe it has evolved quite a bit. Nine months ago we established a new in- formation sharing organization called the Cyber Threat Alliance with Intel Security/McAfee, Palo Alto Networks and Fortinet. We are all competitors but we all have a common goal in protect- ing our customers and their data. We have been sharing across the security industry for 20 years but it was mostly at the signa- ture-based level – antivirus. Security has progressed signifi cantly from that. We are sharing at the next level, which includes things like botnet command and control servers, sophisticated malware – threats that we want to be able to share in a trusted environ- ment. We have set up the platforms to share and keep informa- tion secure. And we have set up the protocols, meaning we have a very robust privacy policy. It is imperative we are protecting our customers' privacy even as we are sharing this information. Q Governments are being encouraged to move into the cloud. From a security standpoint, what are the implications? The debate and the implications are about both the positive and the potential risks. The positive is that you get much greater ef- fi ciency for data storage and data growth. You potentially could get security scalability – you could get much faster proliferation of patches and security down to the device. You can also apply greater security to specifi c enclaves of data if you have appropri- ately categorized it. On the downside, there is concern that if we put all of our infor- mation in one place and it gets hacked, then what happens. So you have to make sure you have best business practices in place: that you have redundancy, that you have built into your service agree- ments with your cloud providers appropriate security provisions and what they will do to protect your data. And then you have to have an audit ability to make sure those things are happening. Q With breaches happening almost weekly, if not daily, are there keys to protection? Studies have shown that basic security hygiene will help prevent a lot: strong passwords, data encryption, keeping your security software up to date, making sure your systems are patched, multi- factor authentication. These are things that any organization, and frankly any individual, can do. The Online Trust Alliance recently released a data breach guide...[and] found that 90 percent of the data breaches that are reported today could have been prevented by basic cyber hygiene best practices. You can't protect yourself from everything, but having a lay- ered security approach that goes to policy, to access controls, to data prioritization, and to the people piece – building a culture of cyber security inside your organization and treating it just like you do physical security – is key. In Budget 2015, the federal government earmarked $58 million over fi ve years to further protect its essential cyber sys- tems and critical infrastructure and pledged an additional $36.4 million over fi ve years to support cyber systems opera- tors as they deal with security threats. cheri mcguire is vice president of Global Government Aff airs and Cybersecurity Policy for Symantec. She recently spoke with Vanguard about the nature and growth of those threats.