A duality of messages permeated last week's Black Hat and Def Con conferences: Cybersecurity tools are improving, business and government entities alike are better organizing themselves, and yet, the cyber threat environment continues to darken and grow more dangerous.
Part of the reason for that, Black Hat and Def Con founder Jeff Moss said, is because offensive actions in cyberspace, such as hacks, are largely a technical matter, while cyber defense involves political questions such as how much to spend and what to prioritize.
“The technology we're creating favors offense … on defense, we're stuck with politics,” Moss said in an opening speech at Black Hat. “We have to build a whole culture around defense.”
About this feature:
'The Editor Reports' is a feature from Inside Cybersecurity intended to identify themes emerging from our news coverage and pose questions about the direction of evolving cybersecurity policies. Email comments to email@example.com.
Google director of engineering Parisa Tabriz, who followed Moss onstage with the keynote address, said the key was an “offensive strategy for security."
Google's “Project Zero” was created with that in mind, she said, and has had practical successes such as pushing the shift to “https” and to faster and more useful disclosure of vulnerabilities by software and product vendors.
Throughout the conferences, there was pushback on some widely reported threats such as the Russians' alleged newfound ability to shut off the lights across the United States. But that didn't mute the underlying theme that nation-states, criminals and hacktivists alike are wielding cyber powers that threaten every aspect of digital life in the United States.
“The type of threats seen only in the Department of Defense space are showing up all over,” Raytheon's Mark Orlando told Inside Cybersecurity during Black Hat. “From a threat/attack perspective, we saw this coming from nation-states a long time ago. But now, those threats are much more commoditized and are showing up in private industry, even from unsophisticated attackers.”
A research report unveiled at Black Hat by cybersecurity firm IntSights found tools for sophisticated distributed denial of service attacks available on the “dark web” for less than $800 -- “bigger than anything I've seen, you can launch a full-scale attack on a government website for very cheap,” Itay Kozuch of IntSights said.
State and local officials at Def Con explained that they are facing sophisticated phishing and scanning operations amid ongoing resource challenges. “It’s kind of like Andy in Mayberry being sent to deal with a foreign invasion,” said Noah Praetz, director of elections in Cook County, IL.
“Phishing is still the way bad guys get in” to corporate systems as well, Andrew Howard of Kudelski Security told Inside Cybersecurity. He said ransomware, distributed denial of service attacks and general cyber hygiene are increasingly hot topics of discussion around board rooms.
“The perceived increase in nation-state threats is the number one trend of the year, along with threats to the grid infrastructure,” said Tim Erlin of Tripwire, whose firm issued a report at Black Hat on “The State of Cyber Hygiene.” “It's not the time to panic but it is time to be concerned,” he said.
“Depressing,” NSS Labs CEO Vikram Phatak responded, when asked to describe the current threat environment. His firm assesses cyber products, and released at Black Hat a largely positive report on the security of the communications system known as SD-WAN, “software defined wide area networks."
He said 1.4 percent of global GDP is going to cyber criminals and that number is rising. “The thing is, some countries are staying afloat because of it -- the merging of criminal activity with nation-state activity is alarming.” He cited Russia and North Korea as two countries that bank on revenue from cyber theft.
Phatak turned to a historical analogy that's not very comforting for the United States.
“The last time we saw a spike like this” in state-sponsored theft, Phatak said, “Queen Elizabeth was giving privateers license to steal from Spanish ships, and the Spanish were the ones with the rules-based society.”
He said the British government of the late 16th century had “plausible deniability” about what was happening out at sea, and that in the end, Sir Francis Drake was knighted and the English got themselves deep-water warfighting experience,” plus the plundered treasures.
“My concern is that we're the Spanish,” Phatak said. “We see the moves by the Russians on the political front -- it's all tied together. You can indict them, but so what? I'm very concerned. Cybersecurity needs a national security approach rather than law enforcement.”
“They are not really afraid,” IntSight's Kozuch commented on the activity his team was finding in the dark spaces of the internet. Companies as well as governments need to get better at sharing information and “consuming intelligence” to understand the threat, he said.
“Know your enemy,” he said, because “not doing anything is very wrong.” -- Charlie Mitchell, editor, Inside Cybersecurity