Quick question. What is the greatest threat to the United States…and the world today?
- Asteroid impact
- Nuclear holocaust from a rogue nation
- None of the above
15 years ago, nearly everyone would have likely chosen terrorism. In the last 5-10 years the nuclear threat has become a grave concern for many. But according to the CIA, NSA, FBI and other top US intelligence agencies, the correct answer is D. None of the above.
Feel free to read the entire article at CNET, but I will summarize it here. According to Director of National Intelligence Dan Coats, cybersecurity is both the greatest concern and top priority. No other area is as ubiquitous and challenging to protect.
What makes cybersecurity the greatest threat vector? Three major factors:
- No single entity has the ability to manage and secure it.
- The methods of attack continuously change and improve, and the attackers themselves can come from anywhere at any time.
- Nearly everything necessary for living in our current society depends on technology…and that dependence increases almost daily.
The Survival of the United States, Really?
Really. I promise this isn’t a game, friends. Let’s look at three of the 16 critical infrastructure areas that rely on technology and could be affected, damaged or destroyed by a cyberattack.
- Municipal water systems: We probably won’t last long without safe drinking water, or if improperly treated wastewater infects our water supply.
- Regional power grids: How long can you survive without power and heat, in the winter? Live in the South or Southwest? What would be the impact on those living in their golden years if the air conditioning is suddenly lost for an extended period? A 1995 heat wave in Chicago (NOT the South) killed an estimated 733 people. The power was working but many didn’t have air conditioning in their homes. How many would die if NO ONE had air conditioning in Phoenix for a few weeks?
- Communications providers: Losing Internet service at home for a little while is an inconvenience. But a well-coordinated cyberattack has the possibility of crippling interconnected communications systems. What would that look like? Cellular and Internet become unavailable. Credit cards don’t work for purchases. At all. You can’t buy food, gas, medications, nothing. Unless you have cash. How much are you carrying right now? No communications mean ATMs won’t work and there won’t be more cash available.
Is It All Doom and Gloom?
No. Thankfully, many organizations are working hard internally, with others in their industries and with the government to do everything possible to secure our nation’s critical infrastructure. They use different frameworks to create and implement cybersecurity programs, but the goal is the same: maintain access to products and services while keeping them from being compromised by an attack.
But You Said the Survival of the United States Depends on Me
I did. Excellent memory! If you are reading this blog you are likely an IT professional. You may be taking helpdesk calls, writing apps, overseeing infrastructure systems, managing a team, serving as the CIO of an organization or filling any other of the hundreds of roles in IT.
However, we all share one area of responsibility. If you recall from above, a major factor in making cybersecurity attacks the greatest threat is that the methods of attack continuously change and improve, and the attackers themselves can come from anywhere at any time.
Because of this, all of us in IT and, in fact, everyone in your organization have a responsibility to be aware of cybersecurity. Even awareness is not sufficient. We must know what to do and what not to do. How to respond when we see something suspicious. What it takes to protect credentials, data, communications and devices in the area where we do our jobs.
Overall security in your organization may be managed, monitored and implemented by a security department, IT Security or a team known by some other name. But security must be understood and observed at every level because the attacks can come from anywhere at any time.
Ok, So What Are You Selling?
I’m not here to tell you to buy a better firewall, the latest antivirus or even a $500,000 system to track, monitor and report on how all your data is used. I AM here to tell you that none of that matters if you miss the next point.
Without a comprehensive, risk-based cybersecurity program you are not secure.
The old piecemeal method of buying hardware and software to protect different areas of your organization will not cut it in the era of ransomware, artificial intelligence and nation state threats. Lacking an overall cybersecurity program means that gaps in your defenses will exist. Gaps you may not even see, because they aren’t covered by the way we have done security in the past.
To be truly secure we have to know the risks and threats to each of our assets and deal with those risks and threats now…and as they change over time.
Each of us needs to see the big picture. What are the most time-tested ways to discover and secure our assets, based on all the risks that can affect them? You will discover the answers to that question by using a widely accepted risk-based cybersecurity framework to plan and implement your cybersecurity program.
We highly recommend the NIST CSF. The acronym stands for National Institute of Standards and Technology Cybersecurity Framework. The NIST CSF was created due to a Presidential Executive Order and represents a set of methods and standards from leaders in both the private and public sectors, based on what works to protect the data of millions of people in thousands of organizations. In fact, over 30% of private companies already use the NIST CSF, and growth rates indicate 50% will by the year 2020. All Federal government agencies are also now required to use the NIST CSF.
It’s probably something you should check out. Your peers and competitors are likely already doing so.