PROTECTING OUR FUTURE, SERIES IN CYBERSECURITY
Editor, Jane LeClair
Protecting Our Future: Educating a Cybersecurity Workforce Vol. 1
Examines 7 of the 16 Homeland Security Critical
Infrastructure Sectors, in addition to other workforce needs.
Edited by Jane LeClair
Cybersecurity in Our Digital Lives
Looks at evolving operational needs in areas that affect our daily digital lives.
Edited by Jane LeClair and Gregory Keeley
Protecting Our Future: Educating a Cybersecurity Workforce, Vol. 2
Examines 9 of the 16
Homeland Security Critical Infrastructure Sectors.
Edited by Jane LeClair
ABOUT HUDSON WHITMAN
Hudson Whitman is a small press affiliated with Excelsior College, a non-profit, online college serving primarily adult students.
Our tagline is “Books That Make a Difference,” and we aim to publish high-quality nonfiction books and multimedia projects in areas that complement Excelsior’s academic strengths: education, nursing, health care, military interests, cybersecurity, and for special projects that may not easily fit in one category, American culture and society.
If you would like to submit a manuscript or proposal, please review the guidelines on our website, hudsonwhitman.com. Feel free to send a note with any questions.
OTHER TITLES BY HUDSON WHITMAN
The Call of Nursing: Stories from the Front Lines of Health Care
William B. Patrick (print and e-book)
Shot: Staying Alive with Diabetes
Amy F. Ryan (print + e)
The Sanctuary of Illness: A Memoir of Heart Disease
Thomas Larson (print + e)
The Language of Men: A Memoir
Anthony D’Aries (print + e)
Courageous Learning:
Finding a New Path through Higher Education
John Ebersole and William Patrick (print + e)
Saving Troy:
A Year with Firefighters and Paramedics in a Battered City
William Patrick (e-book only)
Protecting Our Future: Educating a Cybersecurity Workforce (Vol 1)
Edited by Jane LeClair (print + e)
N21—Nursing in the Twenty-First Century
A free, peer-reviewed mobile journal available on the web or as an iOS app.
Sign up for our monthly e-newsletter for deals, events, new releases!
hudsonwhitman.com
Contents
Acknowledgments
Foreword
John Ashcroft
Introduction
Jane LeClair
Chapter 1
Cybersecurity in Supply Chains
Dave Chesebrough
Chapter 2
Cybersecurity and the Internet of Things
Justin Zeefe
Chapter 3
Cybersecurity and Social Media
Ron Carpinella
Chapter 4
Cybersecurity and the Cloud
Diana L. Burley
Chapter 5
Cybersecurity and Mobile Devices
Thomas Malatesta and James Swanson
Chapter 6
Cybersecurity and the Legal Profession
Andrew A. Proia and Drew Simshaw
Chapter 7
Cybersecurity in the World of Social Engineering
Reg Harnish
Chapter 8
Cybersecurity and Insider Threat
Derek Smith, CISSP
Chapter 9
Cybersecurity in the C-Suite
Peter L. O’Dell
Chapter 10
Future Directions for Educating a Cybersecurity Workforce
Kevin L. Jackson
About the Contributors
Index
Acknowledgments
Writing a book about a topic that one enjoys is always a pleasure, but it is never written in a vacuum. There are always countless individuals who contribute their time and talents to making sure it reaches the finish line. Greg and I would like to thank everyone who helped us to accomplish this work. Naturally, we wish to thank the authors of the various chapters for their participation, hard work, and diligence in providing their valuable insights. Without question, the information they have provided will go a long way to helping the reader better understand the multiple issues involved in cybersecurity. Hudson Whitman/ Excelsior College Press, in particular Susan Petrie, should be thanked for valuable inputs to the final product. The support staff at our National Cybersecurity Institute (NCI) has been essential in completing this work. And, as always, Dr. John Ebersole, the president of Excelsior College, must be thanked for his ongoing support of the NCI, and for his encouragement of our efforts. Finally, we wish to extend our appreciation to former U.S. Attorney General John Ashcroft for taking time from his busy schedule to write the foreword. It is deeply appreciated.
Foreword
As U.S. Attorney General, I witnessed first-hand the consequences of being unprepared to defend against attacks—be they attacks of rogue states or commercial criminals. The cyber threats to our national security grow day by day.
Whether cyber attacks are launched to gain a marketplace edge or to impair the security of the United States, their impacts always reverberate broadly. The pervasive use of information technology in the digital age has fostered unparalleled productivity. Unfortunately, it has also exposed new avenues for espionage and disruptive malicious acts.
While systems, tools, and rules can help build a bubble of defense against cyber attack, the deployment of these measures is often too late. In the end, the most important resources for threat prevention and attack mitigation are found in the preparedness of trained professionals. This book examines how individuals and organizations can be better prepared.
Industry and governments have developed a wide variety of measures to evaluate disparate risks to their cyber infrastructure. As a result, they can estimate various risks. However, bad actors massage the data and develop strategies to penetrate existing defenses.
There are those who see cybersecurity as simply the new technology “buzz” word. However, as major breaches of the government health care system, Veterans Affairs, Gmail, and major retailers attest, the negative impacts on compromised systems are most serious and significantly damaging. The National Cybersecurity Institute (NCI) at Excelsior College has considered these issues and the challenges we face as a nation. The NCI has assembled a valuable set of tools to help students, government, and commercial enterprises both understand and address the serious threat to our cybersecurity.
John Ashcroft
79th U.S. Attorney General
Introduction
JANE LECLAIR
We are a connected people. Daily, our dependence on computers, mobile devices, and digital systems increases for business, personal transactions, social media, education, entertainment, communication, and a host of other purposes, some vital to our wellbeing and some insignificant and perhaps frivolous. We are a connected society—a “digital people” with our fame and fortune a click away on the Internet. With so much of our daily life dependent on digital systems, we need to ensure that our dependence on those systems is secure and safe from mischief. Despite our reliance on information technology, most people are naïve as to the threats and the security required to combat malicious actions. People have placed their digital security in the hands of others and in many respects have relinquished control of their personal and commercial data and information.
Cybersecurity, simply stated, is the process by which we guard our data at any level—personal, organizational, or governmental information in the digital world. Information—data—is valuable not only to us personally, but to our national interest. Our personal computers and mobile devices are being assaulted by viruses, the digital networks of the banking systems are attacked regularly, and every minute of every day those with malicious intent attempt to breach the cyber defenses of our government agencies. Bad actors, both state and criminal, seek to steal our personal information from social media outlets, gain access to financial information through social engineering, and harm businesses from the inside. Cybersecurity seeks to guard against such intrusions as well as losses.
Cybersecurity continues to be one of the most important issues confronting the connected planet. If we recognize the value and importance of information in the digital age, then it is essential to appreciate just how crucial cybersecurity is to us as individuals, organizations, and most crucially to the sectors we highlight in this book. The globe is now linked in ways unimaginable little more than a decade ago. We are sharing enormous amounts of information and data, sometimes willingly, but oftentimes unwittingly. We operate in a knowledge economy where information and the exploitation of that information are incredibly valuable. Nefarious actors, be they state or criminal, strive to access commercial information for competitive advantage, personal data, which is exchanged and exploited by criminals for financial gain, and of course government databases affecting everything from health care to national defense.
While we like to believe that our data is secure, rarely a day passes without news of a major cybersecurity breach. Seemingly cutting-edge organizations such as Target, Home Depot, Amazon, Pinterest, Tumblr, Airbnb, Facebook, Google, Twitter, Adobe, the Washington State Courts, and J. P. Morgan have all been compromised. The new national health care system, the national power grid, numerous government agencies, schools, social media, the defense industry, and financial institutions have all been assaulted by those with malicious intent (Marks, 2014). Sensitive data has been lost, businesses compromised, personal lives exposed, credit card numbers stolen, and health and well-being endangered through threats to our major networks and infrastructures.
We have gained much through technology; we now have the ability to: transmit huge amounts of data over the Internet, complete limitless electronic transactions on a daily basis, and compile increasingly large amounts of sensitive information for our business organizations. Some estimate that each day nearly three quintillion bytes of data are generated online. Digital technology has given us the ability to utilize social media and chat with our friends, shop online, read magazines, enjoy the news, monitor our finances, and secure our homes. We spend billions of dollars online each year and send countless tweets and e-mails. The convenience and advances have come with a hefty price—security (Indvik, 2013).
Technologies are rapidly evolving with enormous change having occurred during the past decade; this has created a great sense of urgency to protect our systems. Experts are increasingly strident in urging that our cyber infrastructure be strengthened to meet mounting challenges. As we seek to strengthen our defenses, it is imperative that we recognize the importance of educating our workforce so that there is a seamless transition between educational facilities and industry (Pawlenty, 2014).
While our reliance on technology has grown, so have our many vulnerabilities, and often there are individuals and foreign powers actively seeking to do us and our systems harm. With seeming regularity, there are reports of cyber attacks on our financial institutions, government agencies, defense contractors, and our own personal computers. Millions of dollars have been lost to cybercrime; increasingly sophisticated viruses attack our personal systems, social networks, and mobile devices (Strohm, 2014).
Much is at risk and expenditure on solutions is ballooning. Corporations and government agencies globally are scrambling to harden computer systems from outside attack and increasingly seek protection by storing data in ‘the cloud’ (Strickland, 2014). Computers and systems are being constantly upgraded with new virus protection and much has been done to educate those who care for our systems. This effort to safeguard our data has resulted in cybersecurity becoming one of the fastest growing and crucial areas in information technology.
There has been a good deal written on the topic of cybersecurity, but much remains to be addressed. There is a scarcity of information about the topics covered in this text and even less regarding the urgent need to develop the cyber workforce, particularly in numerous sub-sectors. There are unique challenges in the areas of specialization addressed here. The National Cybersecurity Institute (NCI) at Excelsior College in Washington, D.C., has called upon experts in these unique topics to provide insight aimed at filling the gaps. The special topics examined in this book are cybersecurity as it relates to: the supply chain, the Internet of things, social media, the cloud, mobile devices, the law, social engineering, insider threats, C-Suite, and future trends in education.
Dave Chesebrough begins this work with his essay on cybersecurity in the supply chain. Threats from malware introduced along the chain are too often ignored. Dave illustrates just how crucial securing the supply chain is to our daily lives. We have all heard the term “The Internet of Things,” but do we really understand what it is all about? Justin Zeefe gives us an overview of just what these ‘things’ mean and how catastrophic a compromise of the system could be. A huge portion of our population is using social media despite the ongoing concerns over its security. Ron Carpinella takes a close look at the interesting phenomena of social media and cybersecurity. One of the growing aspects of technology is the secure storage of data. Diana Burley discusses this issue with her essay on cloud storage and the dilemmas surrounding it. Thomas Malatesta and James Swanson have extensive, hands-on experience with cyber issues related to mobile devices and provide many interesting and expert perspectives into this rapidly expanding technology. Andrew Proia and Drew Simshaw combine their talents to give insight into the complex issues of cybersecurity and the legal profession, a sector that continues to grow in importance with each breach of security. Reg Harnish has some excellent thoughts on one of the biggest problems in cybersecurity—social engineering. Training is invaluable in overcoming this threat and Reg shares his expertise in training opportunities. Derek Smith offers insight on the vitally important aspect of insider threats to an organization’s cybersecurity. Peter O’Dell offers his expertise on cybersecurity at the upper management levels of organizations in the C-Suite. Finally, Kevin Jackson concludes with a discussion of future trends in educating a cybersecurity workforce. He points out that the trend is toward cloud computing and the workforce of the future will need to be well versed on its capabilities and constantly be upgrading their skills.
Government agencies and private organizations spend billions to protect their digital assets, yet nearly every day we hear of another major data breach. Each subsequent attack seems to be bolder, bigger, and more complex. Advanced persistent threats (APTs) are highly complex, targeted advanced malware that, once inside an IT infrastructure, will mutate and remain undetected for extended periods while stealing assets and data. During the last few years, technology has had a staggering and disruptive influence on society with burgeoning accessibility to our personal data. In just 24 hours nearly one billion files are uploaded to Dropbox (thenextweb.com), half a billion tweets are sent, and approximately 140,000 hours of video are posted to YouTube (internetlivestats.com). The more information we share, the more we expose ourselves to threats, fraud, and exploitation. Cybercriminals generally follow broad trends. Therefore, organized criminals are increasingly using social engineering and social networks to perpetrate targeted cybercrime. The more we share information via social networks, the more exposed and vulnerable we become.
As our technologies rapidly evolve, an increasing amount of data is generated and available with no more than the click of a mouse or the touch of a finger. A great deal of that information is sensitive, valuable, and needs to be effectively secured. From our own mobile devices and personal computers to business and government networks, data needs to be safely guarded. The National Cybersecurity Institute (NCI) in Washington, D.C., continues to assist in the ongoing battle against illegal and intrusive activities in cyberspace through research and the development of cybersecurity programs. The Institute, in conjunction with Excelsior College, is pleased to present this latest informative text offering the knowledge of experts in the various topics that have been neglected in the cybersecurity field. Cybercrime, cyber terrorism, and cybersecurity are all important topics in our current society. Henry Ford once said, “The only real security that a man [sic] can have in this world is a reserve of knowledge, experience and ability” (brainyquote.com). This book examines the cybersecurity issues faced by society across a broad spectrum of perspectives and offers information for practitioner use. In addition, it seeks to tap the knowledge of cybersecurity experts and provide readers with the ability to act in their own cyber defense.
References
Indvik, L. (2013). Forrester: U.S. online retail sales to hit $370 billion by 2017. Retrieved from http://mashable.com/2013/03/12/forrester-u-s-ecommerce-forecast-2017/.
Marks, G. (2014). Why the Home Depot breach is worse than you think. Retrieved from http://www.forbes.com/sites/quickerbettertech/2014/09/22/why-the-home-depot-breach-is-worse-than-you-think/.
Pawlenty, T. (2014). Time to strengthen our collective cyber defenses. Retrieved from http://fsroundtable.org/time-strengthen-collective-cyberdefenses-american-banker-op-ed/.
Strickland, J. (2014). How cloud storage works. How Stuff Works. Retrieved from http://computer.howstuffworks.com/cloud-computing/cloud-storage.html.
Strohm, C. (2014, June 9). Cybercrime remains growth industry with $445 billion lost. Bloomberg Businessweek. Retrieved from http://www.bloomberg.com/news/2014-06-09/cybercrime-remains-growth-industry-with-445-billion-lost.html.
Summers, N. (2013, February 27). Dropbox: 1 billion files are now being uploaded every day. TNW Blog. Retrieved from http://thenextweb.com/insider/2013/02/27/1-billion-files-are-now-being-uploaded-to-dropbox-every-day/.
Chapter 1
Cybersecurity in Supply Chains
DAVE CHESEBROUGH
Introduction
Complex, interconnected supply chains dominate the vast majority of businesses. They provide the mechanisms to deliver product and the flexibility and cost control necessary for competitive success in modern markets. Understanding cybersecurity in a supply chain requires examining the present state of supply chains, the vulnerabilities created by modern approaches to supply chain information exchanges, and the extent of IT application within this environment. In today’s business environment there are very few, if any, products that are produced completely, beginning to end, by a single company. In fact, the modern archetype for production has been to reduce costs, increase flexibility, and increase speed by outsourcing pieces, parts, and components to other companies. This is particularly true of multi-national corporations operating in international markets. Boeing does not manufacture a 787; it assembles the pieces from its lean, global supply chain. Dell does not take silicon, copper, and petroleum in one end of a building and ship finished computers out of the other. Supply chains are mostly global, with vast, incredibly complex, and interconnected networks of production, distribution, and sourcing across multiple nations.
A Mobile Device Example
Perhaps you are reading this on an iPhone or an iPad. Since Apple completely outsources its manufacturing, your device contains components from upwards of 700 suppliers, most of them in Asia. This device is far more complicated than even the best devices were just a few years ago. It includes a powerful operating system, high definition display, responsive touch screen, fast processors, more memory, broadband connectivity, third-party applications, and a high-quality camera. The Samsung Galaxy SIII has over 1,033 discrete components, more than triple the best phone from six years ago (Gharibjanian, 2014). These devices are produced in mass quantities, with 990 million units shipped in 2013 (Hyer, 2014). Apple and Samsung manage high volumes of components sourced from a global supply chain. The trend toward lean and just-in-time processes means the probability is quite high that a disturbance anywhere in the supply chain will disrupt product delivery schedules, and impact market share and profitability. Larry Page, CEO at Google, came forward in 2013 to address the supply chain issues that were delaying delivery of the Nexus 4 device, saying that fixing the Nexus supply line would be a goal for the company’s team (Eadicicco, 2013). That is not the kind of message a company at the leading edge of innovation wants its CEO to deliver.
Growth of Global Supply Chains
What is the evidence of this ubiquitous reliance on complex, global supply chains? Tom Friedman, in his book The World is Flat, analyzed globalization in the 21st century and identified ten “flatteners” that are factors impacting international commerce. He correctly identified that technology adoption requires a perceptual shift on the part of countries, companies, and individuals if they are to remain competitive in global markets. Three of these relate directly to the growing global supply interdependence: outsourcing enabled by global expansion of information and communications technology; offshoring of manufacturing or other processes to take advantage of lower costs; and advanced supply chains that enable mass customization and proliferation of product choices to win market share. Friedman pointed to Walmart as an example of a company using technology to streamline sales, distribution, and shipping. In 2005 this may have been best commercial practice, but today it is commonplace (Friedman, 2005).
The Organisation [sic] for Economic Cooperation and Development (OECD) said, in a report in May 2010, that “intermediate goods and services—that is, products used as inputs to produce other products—dominate international trade flows, representing 56% of trade in goods and 73% of trade in services in OECD member countries” (OECD, 2010). This is an indicator of the expansion of global markets and supply chains that has become a dominant feature of the international business landscape. The cybersecurity implications are significant when considering the vast array of digital networks that enable these business arrangements.
A lean supply chain is a fragile one, and supply chain visibility is a key item on the agenda of supply chain management (SCM) professionals. SCM software connects suppliers and bridges visibility gaps with information exchanges. For example, Levi Strauss & Co. reduced manual tracking and tracing of inbound shipments by 98% by implementing a supply chain visibility platform supporting the EDI transaction Advanced Shipping Notification (CapGemini, 2013).
Complexity in Traditional Supply Chain Concepts
The concept of a supply chain is most often described in two-dimensional terms. The Michigan State University Department of Supply Chain Management (SCM) defines a supply chain as “an integrated approach to planning, implementing and controlling the flow of information, materials and services from raw material and component suppliers through the manufacturing of the finished product for ultimate distribution to the end customer” (MSU, 2014). Supply chain descriptions also include the various stages of distribution channels that actually make the product available to the end consumer. Each of these tiers and stages has value, transactions, and information flows enabled by digital business systems and networks.
This two-dimensional concept is, however, insufficient to describe the cyber environment that surrounds these complex supply chains, an environment created by the relentless adoption of information technology across all functions of an enterprise. Businesses and governments have turned to the best available information technology and digital networks to speed the flow and accuracy of information. This, in turn, has created an internal and external environment where the risk of cyber attack has grown to an alarming level and the security of any participant is dependent on the security of all. The Business Continuity Institute reports in its Supply Chain Resilience study for 2013 that once again the most frequent causes of disruption were unplanned outages of telecommunications (networks) and IT systems (Business Continuity Institute, 2013). If an adversary wants to halt production, it just needs to bring down a critical supplier.
Cyber: The Third Dimension
The need for cybersecurity across supply chains has never been more important. Cyber introduces a third dimension to the supply chain problem. Vulnerabilities are created when any aspect of a supply chain is connected to a network, connected to the Internet, or connected to another company’s network. The sources of these vulnerabilities are many: products with embedded processors, supply chain transactional systems, and even third-party suppliers who do not directly participate in the flow of goods through the supply chain are all vulnerable to cyber attack.
Communications among the participants of many supply chains have become almost exclusively network-based. For example, suppliers to Lockheed Martin connect to a supplier portal to receive and accept purchase orders and submit invoices. Many major corporations have similar systems. Bringing suppliers into such a close relationship through online systems has clear competitive advantages, but it also presents increased vulnerability to cyber attacks. But that is not the whole of it. Consumer products, critical infrastructure, manufacturing processes, and security and military systems have increasingly integrated physical, electronic, and information system components to form capabilities essential to product and process quality. As more and more products introduce networked connections, the number of vulnerable areas, or what is called the attack surface, is increasing rapidly.
The Target data breach in 2013 is an example of how supply chain vulnerabilities now extend beyond the supply chain interactions and into the interconnected corporate information world. The Wall Street Journal reported that the Target attackers were able to steal, through a phishing campaign, the credentials of an employee at a vendor that supplied HVAC services to Target stores (Yadron, Ziobro, & Levinson, 2014). Once access was gained to Target networks, attackers were able to plant malware in point-of-sale devices, skimming credit and debit card transactions from about 40 million customers. They also were able to access a Target database to steal personal information on 70 million people.
Growth of Cyber-Physical Systems
Consumers, through their spending habits, demand ubiquitous access to the Internet. This demand is driving manufacturers to build “e-enabled” cars, trains, and commercial aircraft with embedded computers. Most people are not aware that their cars already incorporate high-tech computers. And now manufacturers are networking them by giving them wireless connectivity. Research has shown that all major car manufacturers, led by BMW, have as central to their strategy the goal of bringing connected cars to market (Machina, 2014).
These cars will offer services ranging from complete on-board diagnostics that can communicate problems to dealerships and manufacturers, to streaming audio, Wi-Fi, communication with home systems, and connected navigation (Muller, 2013). Low-end models may have a few dozen micro-processors, while luxury models can have a hundred or more. More features and functions mean more computers on-board that are linked to an on-board backbone network, and more opportunities for hacking. During a presentation at DEFCON 21 in 2013, two hackers demonstrated how they were able to control a car through a laptop hacked into the car’s network, making it alter its speed, change direction, and even tighten the seat belts (Rosenblatt, 2013).
Embedded computers, of course, run software. The Apollo 11 spacecraft had roughly 145,000 lines of computer code. The Android operating system has 12 million. Today’s luxury vehicle can easily have 100 million lines of code (Pagliery, 2014). Much of this comes from the supply base. Manufacturers must ensure that no malware or backdoor has been programmed into this code to provide unauthorized access to systems. Commercial aviation is also moving into connected platforms with e-enabled aircraft. Driven more by the search for efficiency than by consumer demand, digitally connected aircraft will have major benefits for airline operations. The aviation community, which is quite capable of managing the risks of aircraft and operations, has no common roadmap or international policy for cybersecurity (AIAA, 2013). These are examples of the growing connection between the cyber and physical domains. The blending of cyber and physical systems—where a network-connected processor controls a physical aspect of a product, facility, or system—adds another dimension to the supply chain cybersecurity problem.
Businesses employ automation and networks to increase efficiency and reduce costs across business functions that do not directly participate in the flow of the supply chain. These support functions—from point-of-sale systems, to building security, to plant operations, to mobile connectivity—also introduce additional sources of vulnerability. The reliance on digital technology in nearly every functional business area creates an interconnected, highly complex fabric from which a clever adversary can launch an attack in any direction in a supply chain once it gains access.
The Impact of Lean Production
Driven by competitive pressures, manufacturers have increasingly incorporated the principles and techniques of lean production into their processes, and have integrated suppliers into production scheduling systems and resource planning. While technology has enabled adoption of these lean manufacturing strategies, it has also created very complex relationships and dependencies. For example, there are about 3,000,000 parts in a Boeing 777 supplied by 500 companies from around the world (Boeing, 2014). The Boeing 787 program suppliers have been connected directly into production systems through lean principles of just-in-time ordering and point-of-use delivery (Arkell, 2005). The digital fabric of complex supply chains is necessary because, without it, no producer has the ability to give customers what they want, when and where they want it, at an acceptable price.
Fundamental Issues Unique to the Supply Chain
The cyber threat is one of the most serious economic and national security challenges we face as a nation—America’s economic prosperity in the 21st century will depend on cybersecurity.
—President Barack Obama
Can there be any doubt that the Internet has become one of the greatest engines for innovation and productivity the world has ever known? This disruptive force is changing traditional equations of economics and social structures across the globe. As the use of the Internet and the World Wide Web has evolved, the nature of the threat continues to evolve. Sophisticated and inventive professionals, drawn by the enormous value of the data and information contained in networks, continually change the threat landscape.
The Executive Imperative
Cybersecurity must be an executive concern. It must be addressed in the Boardroom and the C-Suite as a corporate priority. Believing the threat is not real, or that somehow your company is not a target, is a mistake. Executives who have fallen into this trap have placed their organizations in serious jeopardy. Cybersecurity is an enterprise risk to be dealt with by executive management and corporate governance. It should not be viewed as the sole responsibility of the CIO, the CISO, or the IT organization. Cyber breaches impact shareholder value, tarnish the brand, require expensive mitigation efforts to protect customers, and expose companies to litigation. See Chapter 9, “Cybersecurity in the C-Suite,” for a full discussion of this issue.
Three Challenges for Supply Chains
There are many challenges facing organizations that participate in modern supply chains. Perhaps the most important of these is to be aware of and acknowledge the risks inherent in doing business in a highly networked world. Another fact to acknowledge is that a chain is only as strong as its weakest link. The weakest link may be the unaware or incautious employee ensnared by a social engineering attack, or one who intentionally ignores security rules, having insufficient appreciation for the consequences.
The three main challenges to the supply chain are:
Knowing your suppliers and the inherent risk they bring: As the computer network defenses of larger corporations and government organizations get stronger and harder to penetrate, attackers are seeking the easier targets. These may be suppliers without adequate knowledge or resources to protect their networks. Smaller firms that offer the innovative or specialized capabilities and products essential to maintaining a competitive edge are often not financially positioned to afford adequate defenses, especially if they are being squeezed by customers to lower costs. A recent survey of small and medium-sized enterprises (SMEs) by security firm Kaspersky Lab revealed that 75% believe they are not at real risk of cyber attack because of their size, and 59% said the information they hold is not of interest to cybercriminals. This results in an insufficient investment in security and ignores the very real possibility that cybercriminals will target SMEs to get information that will enable them to access a larger company’s infrastructure (Ashford, 2014). Their customers would do well to take an active role in helping them defend their networks and data.
Knowing your complete risk environment: Supply chain connections are but one part of an organization’s cyber profile. Every system that connects to a network and eventually to the Internet introduces a degree of vulnerability and risk. Phishing schemes invariably use e-mail as the delivery mechanism. Weak controls on access in one part of an organization can lead to compromise and eventual loss in another. It likely never occurred to anyone at Target that a successful phishing attack on an HVAC contractor combined with weak access control for their point-of-sale systems would result in the breach they experienced in 2013.
Developing organizational competence and resilience: We now well understand the importance of internal processes and procedures that maintain cyber defenses. Firewalls, access controls, software patching and updates, password adequacy and changes, two-factor authentication, data-at-rest encryption, network controls, and continuous monitoring are just some of the cyber-hygiene tools every organization needs to instill in its culture. Employees, along with key supplier and vendor personnel, must be made aware of the potential risks and the responsibilities they have to help defend against attack. Help them understand that phishing, spear phishing, and watering-hole attacks are attempts to trick staff into giving away confidential information that could grant a cybercriminal access to the company’s networks and sensitive information. They must learn to recognize these attempts and resist them.
Where IS the Weakest Link?
Unfortunately, the answer to this question today may not be the same tomorrow. Both supply chains and the cyber domain are dynamic; they continually experience software and system changes, new vulnerabilities, new attack methods, new suppliers, and new technology. The dynamic cyber environment surrounding an organization requires constant attention if security is to be maintained.
Cybersecurity Threats that Challenge Supply Chains
We don’t fully understand the economics and psychology of cybersecurity.
—Michael Daniel, White House Cybersecurity Coordinator
In an ever-more networked world, cyber vulnerabilities pose challenges to governments and industries in every sector and across the globe, and it is unlikely that any meaningful legislation will be passed to assure the integrity and availability of key U.S. industries. We are vulnerable, and adversaries and criminals understand the interconnected nature of our economy and know that coordinated attacks on financial institutions or critical infrastructure would wreak havoc on the economy and weaken our ability to respond to a nation-state threat to our national security. Moreover, as the cost of technology decreases, the barriers to entry are lowered, and the lucrative market for stolen data serves as a profit incentive for a cybercrime “growth industry.”
Cybercrime is Big Business
There is no accurate way to determine the annual cost of cybercrime and cyber espionage. However, by all estimates, it is substantial. At an American Enterprise Institute event in 2012 General Keith B. Alexander (then Commander of U.S. Cyber Command and Director of the NSA) called cybercrime “the greatest transfer of wealth in history” (Protalinski, 2012). A report authored by McAfee and the Center for International Studies in 2014 estimated the annual cost to the global economy resulting from cybercrime to be $400 billion (CSIS, 2014). The accuracy of these numbers is sometimes questioned because they are usually generated by surveys and not rigorous analyses. Moreover, companies are normally reluctant to be forthcoming about incidents when they might be damaging to corporate image. Nevertheless, there is plenty of evidence that the consequences of successful attacks have a high cost to the affected companies, their customers, and society in general.
Scope of the Problem
There are two types of companies in this country, those who know they’ve been hacked, and those who don’t know they’ve been hacked.
—Chairman Mike Rogers, House Intelligence Committee
Digital technology is woven throughout the fabric of society. Business systems, accounting and banking, engineering and product design, command and control, manufacturing operations, communications, supply chains, air traffic control, unmanned vehicles—all make extensive use of digital technology, and the dependence is deepening.
The connected lifestyle is a given (IDC, 2014). The growth of mobile devices and applications that enhance the consumer experience presents vulnerabilities and avenues of attack: a capability or convenience that may be seen as desirable may be the one thing that the adversary sees as an exciting opportunity. Information residing in a network that is connected to or traverses the Internet is vulnerable: data can be erased or altered, keystrokes and online behaviors can be tracked, account information and passwords can be stolen, identities can be stolen, physical operations can be sabotaged through their computer controls, intelligence can be gathered, and malware can be inserted that lies dormant and undetected until activated. The threats are constantly morphing, and smart phones, tablets, and ubiquitous wireless networking have exponentially increased the opportunities available to criminals and spies.
Adversaries know that harnessing the power of the Internet’s infrastructure yields far more benefits than simply gaining access to individual computers. Attackers are using malicious exploits and social engineering attacks (phishing and spear-phishing e-mails sent to employees are a favorite technique) to gain access to web hosting servers, name servers, and data centers with the goal of taking advantage of the tremendous processing power and bandwidth they provide. Through this approach, exploits can reach many more unsuspecting computer users and have a far greater impact on the organizations targeted, whether the goal is to make a political statement, disable an adversary, or generate revenue (CISCO, 2014).
Sources of the Threat
John Dillinger couldn’t do 1,000 robberies in one day in 50 states while wearing his pajamas, but that’s what we deal with today.
—James Comey, Director, Federal Bureau of Investigation
Today’s cybercriminals are highly motivated professionals—often well-funded by criminal organizations or nation-states—who are far more patient and persistent in their efforts to break through an organization’s defenses. They do extensive research to identify targets and vulnerabilities, and they use sophisticated attack processes and social engineering.
Any or all of these actors may have the intent, motivation, and means to do harm to any organization. According to the Open Security Foundation, there were 669 incidents reported during the first three months of 2014, exposing 176 million records. Of these, the business sector accounted for the largest share of reported incidents (57.5%), followed by Government (15.7%) (Risk Based Security, 2014).
The rise in frequency and breadth of cyber attacks can be attributed to a number of factors. Unfriendly nation-states attack systems to gather intelligence or steal intellectual property. Hacktivists aim to make political statements through systems disruptions. Organized crime groups, cyber gangs, and other criminals breach systems for monetary gain. Nation-states seek to take intellectual property or trade secrets to bolster their national businesses, conduct espionage on governments and militaries, and potentially plant malware that could be activated to do damage at a later time, perhaps as a part of a coordinated attack.
The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team describes sources of cyber threats (ICS-CERT, 2014):
Nation-States: Nations, both friendly and unfriendly, have cyberwarfare programs that pose serious threats. Government-sponsored cyber warfare programs are oriented to cause widespread disruption and long-duration damage. Presently nations are the only institutions with the resources and motivation necessary to create and sustain advanced persistent threats.
Terrorists: Terrorists, despite their intentions, are less developed in their computer network capabilities and resources. Their propensity is to pursue attacks that garner immediate attention. They are likely, therefore, to pose only a limited cyber threat.
Organized Crime and Industrial Spies: Corporate spies and organized crime pose a serious threat because of their ability to conduct industrial espionage and large-scale monetary theft as well as their ability to hire or develop hacker talent. They are considered to be high intent and high impact threats.
Insider Threat: There are essentially two types of insider threat—malicious and accidental. Malicious insiders can be employees, former employees, contractors, or business associates who have inside information concerning the organization’s security practices, data and computer systems, and a personal motivation to harm the organization or achieve personal gain. An accidental insider threat results from an employee unwittingly victimized by a phishing e-mail campaign that results in downloading malware to an organization’s networks. This social engineering approach has become quite sophisticated and is a favorite tactic of an advanced persistent threat.
Hacktivists: Hacktivists are small groups of hackers with political motives. Hacktivists appear to desire propaganda victories rather than damage to critical infrastructures or high-impact theft. Their goal is to support their political agenda, and to inflict damage to achieve notoriety for their cause.
Contaminated Parts: This is a critical supply chain assurance issue. Supply chain assurance involves validating the authenticity of parts and components as they flow into products. The concern is two-fold: counterfeit parts and assemblies with potential for inserted malware, and assurance of the IT supply chain, including the computers and the software they run. While “knock-offs” pose certain threats to businesses through patent infringement and loss of sales, they may also often have inferior specifications and quality, which may represent a hazard if incorporated into critical systems. For many parts or assemblies that contain processors and embedded software, however, the greater concern is the insertion of malware.
Advanced Persistent Threats: Advanced Persistent Threat (APT) usually refers to a well-funded, highly organized group, such as a government or criminal gang, with both the capability and the intent to persistently and effectively target a specific entity. This targeting can be general, such as a type of company or industry, or specific, based on the goals of the attack. An APT uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term; it usually targets organizations and/or nations for business or political motives, and it depends on not being detected over a long period of time. APT attacks consist of several stages or steps: targeting, reconnaissance, infiltration, control, discovery, and exfiltration. They are not random, but are part of a well-conceived plan to accomplish strategic goals.
Understanding the Risk
Identifying and managing cyber risk originates at the top of the organization through its recognition and inclusion in Enterprise Risk Management. It is never a matter purely for the IT team, although they clearly play a vital role. An organization’s risk management function needs a thorough understanding of the constantly evolving risks as well as the practical tools and techniques available to address them. What do we mean by cyber risk? Cyber risk means any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems (IRM, 2014).
Specific risks resulting from cyber vulnerabilities include: