BreachExchange mailing list archives

DoD CIO: Make it expensive for hackers to play


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Sep 2015 19:17:04 -0600

http://www.c4isrnet.com/story/military-tech/cyber/2015/09/17/costs-of-cyberattacks/32553457/

As recent events have shown, cyberattacks are extraordinarily expensive for
the victims. After a breach and data theft, they are forced to spend
millions cleaning up the damage, eradicating threats from their networks,
fortifying defenses and managing the fallout.

But for the adversaries committing the breaches, it doesn't cost so much.
And that's a big problem for the Defense Department, the government and
enterprises writ large.

"Today a threat actor can spend a fairly modest amount of money, not just on
[attacking] DoD but on any sophisticated enterprise, and cause that
enterprise to have to spend quite a bit more money — by orders of magnitude
— cleaning up and fixing the problem," DoD CIO Terry Halvorsen told
reporters on a call on Sept. 15.

He echoed those comments Sept. 17 at the Billington Cybersecurity Summit.

"We are on the wrong side of the cyber economic curve," he said at the
summit. "We need to raise barriers to attackers' entry, making it more
expensive to play."

But how? The answer is multifold, but at least one aspect is automation,
mechanizing some of the basic actions and response involved in
cybersecurity maintenance, Halvorsen said.

Automation is key to turning around the economics and coping with the speed
of the threat, he said at the summit and on the call.

"Automating eliminates the basic [adversarial] players, makes it so you
have to raise your game to play," Halvorsen said. "It reduces the benefit
hackers will see and makes it more expensive for hackers to play."

Another key part is establishing a pervasive, standard-operating-procedure
culture of cybersecurity throughout entire enterprises and communities.
It's a worry that Halvorsen said keeps him up at night.

"How do I get a cyber discipline culture, how do I get a cyber economic
culture and how do I get a cyber enterprise culture? I think those are the
three things that if we got those, almost everything else comes after," he
said. "If I get to the cyber enterprise culture, I'll start doing
integrated, layered defenses, I'll use automated tools — [joint regional
security stacks are] the cornerstone for that — I'll get the right level of
accountability and I will understand the money."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
