Vanguard Magazine

Vanguard_AprilMay2016

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/679566


CYBER SECURITY (page 12, APRIL/MAY 2016, www.vanguardcanada.com)

Since then, Public Safety Canada has spent over $245 million in meeting these key initiatives and defending government computer networks, safeguarding critical infrastructure and educating the public. However, given the slow pace of government acquisition, many of these countermeasures take months upon months to implement, often rendering the new technology and threat definitions out of date by the time they are rolled out.

Considering how much we have spent - and now what we won't be spending - on net new countermeasures instead of on developing and maintaining a robust infrastructure and agile, updateable safeguards, it's concerning that we are still struggling to keep up with cyber threats. Meanwhile, cyber security costs continue to rise.

Incapsula, a cyber security firm, released figures in 2015 showing that the approximate, real-world cost of a cyberattack is $40,000 per hour for most organizations and can cost upwards of $15 million when all recovery measures and damages per attack are factored in.

Currently, malicious insiders, Web-based attacks, and Distributed Denial of Service (DDoS) attacks account for the costliest of cybercrimes. With the proliferation of botnet technologies, launching a DDoS attack has become cheaper. Incapsula estimates that the price of launching a DDoS attack has dropped to just $38 per hour, and the growth and ease of access to the "darknet" (where tools and methods can be shared in forums or bought in online marketplaces) has brought hacking to a whole new level.

With cybercrime affecting all industries and all markets, recent trends show that cyberattacks have been increasing in their sophistication and frequency.

For malicious actors who are too busy planning larger attacks or who are in need of a quick cash infusion, there is a thriving hacker-for-hire industry that purveys attacks, code, methods, as well as spoils from exploits, such as credit card information and verified bank accounts.

Cybercrime tools are coming in fast and furious. A recent bonus to hackers was the hacking of the Italian surveillance company Hacking Team, which set free a number of "zero-day" exploits and unknown security flaws in common software. It is still unclear whether patches have been issued by software vendors to address all of these now known vulnerabilities.

What do these game-changing factors amount to? It's little more than a guesstimate, but the global cost of the over 90 million cyberattacks per year is $575 billion or more, and that figure is poised to surge yet again.

At the RSA Conference in 2013, Ed Skoudis and Johannes Ullrich of the SANS Institute identified the five main concerns in cyber security, which are also barriers to closing the threat gap:

• The rise of offensive forensics
• Misattribution
• The kinetic impact of attacks
• Large-scale DDoS attacks
• Continued password breaches and leaks

What is most interesting is that of these five, only one - DDoS - is technology dependent. The other four are based on tactical capability and degree of harm.

What does this mean? It means malicious actors are looking beyond the technology and have intellectualized their tradecraft to exact creative, asymmetric, and effectively covert persistent attacks. Once more, the government is placed in a position of having to select a representative fraction of the problem rather than taking a hard cut across the middle and addressing the most common and critical threats.

More importantly, the government also needs to revisit our national cyber strategy and government security policies and directives.

In fact, prior to Budget 2016, the new government had already committed to a review of cyber security, but only on critical infrastructure and for only seven departments. One has to ask: Are we doing it again — creating siloed, local approaches to deal with a serious, growing global problem?

It's not for the faint of heart. Government security, that being the protection, assurance, credibility and of assets, information and services within government and to the public and partners, requires an aggressive strategy that raises the bar for accountability, mandatory compliance and recognizes the horizontal interconnectivity of systems and networks with stakeholders.

If Budget 2016 carves out critical infrastructure from inextricably connected systems, selects only a handful of the over 40 federal departments, slices these strata into budget-friendly components and focuses on the immediate threat landscape instead of the one we must evolve to years from now, the efforts to develop effective cyber security countermeasures will be futile. Again.

Valarie Findlay has over a decade of senior expertise in Canadian federal government and is President of HumanLed, Inc. (www.HumanLed.com).
