While the most recent hack of the world's biggest tech companies — Apple, Microsoft, Facebook — did not come through mobile devices, these attacks are getting closer and closer to your handhelds. The hack came through a Java weakness on a website used for developing iPhone mobile apps.
Apple, Microsoft and Facebook have all confirmed that the infiltration of their networks came through a particular site that serves as an iOS developer forum. The site itself, unnamed here so that no one clicks on it, issued a statement that it too was hacked. Twitter has also seen suspicious activity recently, though has not identified the source.
All these companies have officially stated that no user data was compromised this time, but it has been made abundantly clear by industry experts and analysts alike that the next wave of "cyber" attacks is coming soon to a mobile device near you. Not only is this a huge threat to your enterprise, it has become a matter of national security.
Cyber security threats to the enterprise are, in fact, threats to the nation. To potentially bridge the gap, President Obama signed an Executive Order allowing declassified and classified information to be shared with U.S. businesses, when they are the subject of a threat. But what does the order really mean to your business?
Called "Improving Critical Infrastructure Cybersecurity," the order is designed to provide details of cyber threats directly to U.S. businesses, in a timely manner, so these entities may better protect and defend themselves.
Mobile Enterprise spoke with Michelle Syc, IT Consulting Manager at CohnReznick, about the order. A cyber security expert with more than 10 years' experience in risk management, Syc is excited to see "we are finally taking this seriously."
"Connectivity is our main focus. Security always tends to be an afterthought," she said. "The United States stands to lose the most because our economy has capitalized the most. We have the most information online, our businesses utilize the internet more than any other country in the world. We got the internet before we knew what to do with it."
How will businesses benefit?
"It's yet to be determined," she said, because as it stands, the executive order is somewhat vague and based on a voluntary framework. There are no stipulations around the reports at all, for example, from how they are disseminated to when they might be provided after a cyber threat becomes known. The order does not even define what "timely" may mean. (Perhaps ironically, while attempting to reach certain offices in Washington for clarification on the matter, some voice mails still had greetings from 2011.)
In addition, companies outside the "critical infrastructure" may not benefit at all. According to Section 9, Part B, of the executive order, the Critical Infrastructure Partnership Advisory Council will decide which businesses, if targeted, would have a dire effect on the nation, whether resulting in a regional catastrophe or crippling the country as a whole, from public health and safety to economic and national security.
Companies defined as critical infrastructure would then have access to cyber threat information, should they become targets. Using a risk model across various verticals, likely sectors include telecommunications, oil and natural gas, financial institutions, and food and agriculture. However, that does not make retail or manufacturing a non-issue.
Too Little, Too Late?
Critics of the executive order call it ineffective. Michela Menting, a cyber security senior analyst with ABI Research, thinks the solutions are weak and too little too late.
"The private sector is neither required to adopt nor adhere to any of the proposed solutions," she explained by email. "The order requires the government to share unclassified information with private sector critical infrastructure operators, but those same operators are not required to share anything back. The Order is mostly supporting information sharing, and encouraging the creation of a framework, all of which should have already been implemented 10 years ago."
Menting believes the ideal solution is legislation, to regulate security measures on the part of operators. "This could be in the form of adhering to and applying internationally recognized standards, such as ISO/IEC 27000 series, or even just NIST approved standards," she said. "Also, operators should be liable in case of breach – they should be required to report serious breaches to law enforcement, and face fines if the resulting investigation reveals they had not applied mandatory security measures."
She noted the EU has had extensive data protection legislation in place since 1995, which extends to digital data. "That means data controllers are required to secure personal and sensitive data by law."
In the House
House Intelligence Committee Chairman Mike Rogers (MI) and Congressman C.A. Dutch Ruppersberger (MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA) on February 13. The bill received 112 bipartisan cosponsors during last year's session.
In comparison to the recently signed executive order, CISPA is also aimed at cyber threat information sharing but is more of a two-way street. Instead of just the government providing info, it would "allow" companies to share data with the government.
Syc said the bill raises some questions, however. If a company shares details about security breaches, how will such info be disclosed to competitors? Will it be disclosed? Do companies that are non-compliant become non-preferred for government contracts?
Proponents of the bill generally cite privacy issues, the same arguments made against the revised ITU regulations that call for the United Nations' overseeing the internet, a treaty the United States refused to sign. "The ideal lies somewhere in the middle of privacy rights and intelligence gathering," Syc said, referring to two opposing issues which rarely meet in the middle.
Bottom Line for Business
"It's a landmark order," Syc said of Improving Critical Infrastructure Cybersecurity. "It's a great first step. We are running a marathon and we just passed mile marker one." The order may only provide a framework but at least it's being addressed, she added.
Does the fact it is a voluntary framework affect the success of the nation's overall cybersecurity? "The real problem isn’t information sharing," she said. "The real problem is the critical infrastructure is outdated. We need to start focusing not just on cyber threats but providing companies with incentives to boost their own security efforts."
As of today, the executive order has not been fleshed out, and details are still to be determined. Hopefully we will know by the end of the 120 days, when the government is supposed to start providing cyber threat reports to businesses, Syc said. "But you can't sprint the marathon," she concluded, "you have to continue running the miles."