For anyone who attended the Kaspersky Lab Cybersecurity Summit in San Francisco earlier this week, if they were looking for any sign that protecting networks was getting easier, they left sorely disappointed. Cybersecurity is getting harder, more complex, and continuously hampered by a lack of shared information. And that’s the good news.
The session’s lead-off speaker was Tom Ridge, the nation’s first Secretary of the U.S. Department of Homeland Security, and a man who ought to know. Ridge now leads his own cybersecurity firm and spoke bluntly about the current state of affairs. He made it clear that any attempt to bolster security through the government was sorely misguided. “You cannot secure the country from inside the Beltway,” said Ridge.
But he didn’t mince words about the private sector either, expressing concern that U.S. companies had so far not shown an ability to combat the increasing attacks seen in the past two years against important networks. According to Ridge, the ultimate solution is shared information between the private sector and the government. “You have to go from a need to know mindset to a need to share mindset,” Ridge told the gathering.
Complicating the situation are world events that pull governments’ attention and resources away from fighting online criminal activity. During a panel discussion that followed Ridge’s remarks, Eugene Kaspersky (co-founder and CEO of Kaspersky Lab) expressed alarm that political tensions in the Ukraine are giving cybercriminals an open door at the moment to exploit vulnerabilities. “International projects will have less (funding),” said Kaspersky.
The online security pioneer also warned about supplier chain security, especially in the retail world. As has now been revealed, at the center of the Target breach last December was the hackers’ ability to access store systems through a vendor’s credentials. Just yesterday, Michaels Stores, the nation’s largest arts and crafts chain, revealed that nearly 3 million of their customers’ credit or debit cards may have been compromised. “It’s a very big topic and it’s a huge problem,” said Kaspersky.
It has been widely speculated that in the aftermath of the Target breach and other attacks in the retail sector, U.S. banks and credit card companies will speed up the planned implementation of chip-embedded cards. Also known as “EMV cards,” this technology makes it far more difficult to gain access to customer accounts than today’s traditional magnetic stripe product.
But during another panel discussion at the Kaspersky conference this week, Ellen Richey, Chief Enterprise Risk Officer for Visa, made a point that her company’s fraud rates are now one third the level of 20 years ago. “They are at historic lows,” said Richey.
If Visa and other credit-card companies aren’t concerned about fraud risk, this could slow the rollout of chip cards for years. In a separate conversation with Philippe Courtot, Chairman and CEO of Qualys, he told this columnist that he still believes chip card implementation must and will happen in the U.S. Courtot delivered a similar message to attendees at the annual RSA Cybersecurity Conference two months ago.
The operative word coming out of the sessions this week is paranoia. Top-level company executives and government officials are desperately trying to keep up with a growing rise in network attacks, never really knowing where or when the next one will occur.
As the daily news brings reports of yet another breach, security directors around the country are looking nervously over their shoulders. “I doubt that the chief security officer of Walmart slept well on the night he learned of the Target incursion,” said Ridge this week. Indeed not, and most of his counterparts aren’t sleeping well either.