As tens of thousands of the world’s top security pros gather at RSA Conference 2017, they are being called upon to watch out for a new threat: their own data.
By corrupting data that is used for making decisions, attackers can cause all kinds of problems, says Chris Young, general manager of Intel Security. “Now data is manipulated and used against us to affect the decisions we make,” he says.
He calls this corruption “data landmines,” which when factored into decision making, can result in bad choices, missed opportunities and economic losses.
He says stolen and manipulated data combined to disrupt the 2016 presidential election, for example, and the consequences of similar manipulations could be high for businesses whose big-data analysis is undermined by altered small data that makes it up. With inaccurate input to draw on, the outcomes will be faulty, he says.
“We need to pay attention to small data used in models or it can be turned into a weapon,” he says.
Another new attack surface is home networks, he says. These largely insecure networks that include internet of things devices such as DVRs and security cameras can be compromised and used as weapons, as in the case of the gigantic Mirai botnet attack last year.
But because more and more people work from home, these networks become a threat to the corporate networks employees connect to, Young says. “Is the home taken into account when we design cyber security architectures? We need to make sure the internet of things doesn’t become the internet of terrorism.”
He says the problems are large and cooperation among security pros is needed to address them. “None of us can go it alone.”
Microsoft President Brad Smith, another RSAC keynoter, takes this one step further, calling on the technology community to band together as “a digital Switzerland” to protect civilian cyber assets from the acts of criminals and nations trying to exploit them.
He says the community should commit to principles similar to those adopted by the International Committee of the Red Cross in its defense of civilians in war-torn areas.
In the cyber realm, these should include:
- Focusing solely on defense; no offensive activities;
- Collaborating to respond to attacks;
- Assist and protect all customers everywhere;
- Refusing to attack civilians anywhere, regardless of who asks.
A digital Geneva Conventions should pledge no attacks on the private sector and no attacks on civil infrastructure including power grids, water supplies and political institutions.
Further, governments should not stockpile software vulnerabilities to use as weapons rather than disclosing them so they can be patched, Smith says.
Countries should form an international agency similar to the International Committee of the Red Cross only for cyber issues. Made up of respected members of private, public and academic institutions, it should monitor nation-state attacks and seek to attribute them to the perpetrators.
He says cooperation among all players is essential and that corporate pride shouldn’t interfere. He cited cooperation last year among Microsoft, Google and Facebook to fight dissemination of terrorist propaganda online.
“Governments need national and global IT infrastructure it can trust,” Smith says, and this tech organization needs to restore that trust.
The burden should fall to private security practitioners, not governments, he says. “Cyberspace is us. It’s owned and operated by the private sector… Nation-state hacking in times of war has evolved into attacks on civilians in times of peace,” he says. When the internet is attacked by nation-sponsored actors, it’s almost always against private assets, he says. “We are the world’s first responders.”
He also calls on governments to sign agreements about what is acceptable in cyber conflict, just as the 4th Geneva Convention in 1949 spelled out protection of civilians in times of physical war.
He cited the U.S.-China agreement last fall that they would no longer use cyber espionage for gaining economic advantage through stolen corporate secrets. The agreement was later endorsed by the G20.
Smith called for using the tech industry as an example of the good that can come of inclusive societies that tap the talents of everyone regardless of their nationality. He says Microsoft has employees from 151 countries. “Let’s use that inspiration and build on what we share with each other,” he says, “and show the world what we can be when we are our best.”