1 November 2018

How To Prevent Your Business Becoming Collateral Damage Of Geopolitical Cyber Conflict

Davey Winder

According to Bryan Becker, an application security researcher at WhiteHat Security, the United States is "woefully behind the entire developed world in terms of cybersecurity." Defensively, he insists, it would "easily take us a decade" and then some to catch up with allies and competitors alike. Does this mean that it's up to the cybersecurity industry, rather than the military, to protect systems and data from nation-state attack? I've been exploring the role of cybersecurity vendors when it comes to cyberwarfare, and what business needs to do in order to prevent becoming a collateral damage statistic in the ongoing geopolitical cyber conflict.


Mention cyberwarfare and most businesses tend to sigh and move on to something less weighted down with the baggage of hyperbole. Which, truth be told, is a huge mistake. While there are plenty of opinions out there as to what is actually meant by cyberwarfare from the intellectual and theoretical perspective, in the real-world the distinctions between a cyberwar play and a cybercriminal attack are precious few. The cyberwarfare label can make a threat look far removed from something that a mainstream business might imagine being a target for. That relevancy disconnect is actually pretty damaging. Zeki Turedi, a technology strategist with CrowdStrike, told me that "the techniques and approaches used by state sponsored actors are often the same as used by cybercriminals, so the motivation is less important in many ways than the need to spot and deal with these incidents in a timely and proactive manner."

This blurring of tactics used by nation states and cybercriminals alike is something that Turedi calls the 'democratization of cyberwarfare.' If evidence were required to show why business needs to take this stuff seriously, then the CrowdStrike Observations From The Front Line Of Threat Hunting report published earlier this month is it. This highlighted that China was the most prolific nation-state actor, actively engaging in persistent and highly targeted intrusion campaigns against economic sectors including mining, pharmaceutical, professional services and transportation amongst others. Which isn't to say that China is necessarily the biggest threat in this attack realm. "Russia clearly poses the largest threat, both immediate, and long term" says Becker. He told me that both Russia and North Korea have been investing in and growing their cyber-operations continually since the cold war and are now decades ahead of the rest of the world in terms of their experience. This conflicts somewhat with the view of Trevor Reschke, head of threat intelligence at Trusted Knight, who I mentioned in my earlier analysis of likely cyberwar outcomes as saying North Korea doesn't possess any real cyberwarfare capabilities but rents these from others. "North Korea tends to focus their efforts on stealing money for the regime" Becker says, while Russia is more focused on destabilizing the liberal West. Part of the problem in attributing attack capabilities is that false flags are so commonplace. From the perspective of the security researcher, attributions requires the discovery of artefacts such as time zones where the code was created, language specific keywords buried deep within it and so on. "However, these artefacts can also be deliberately planted to throw researchers off track" according to Liviu Arsene, senior e-threat analyst at Bitdefender who continues "which is why attributing a cyberattack to a declaration of war is something much more than just a technical analysis of the malware itself."

So what is the role of the cybersecurity industry in protecting the West from geopolitical attack and ultimately our nation states in times of cyberwar? Trevor Reschke pulls no punches with his answer to that question. "The security industry is essentially the new mercenary force" Reschke told me "as governments expend next to no effort in protecting their country's citizens. It's on the back of the security industry that all the countries are mounting their defense." Isidoros Monogioudis, a retired colonel from the Hellenic defense forces with a background in cyber-defense and now senior security architect at Digital Shadows, agrees that it is "widely accepted by the Western militaries that industry has the edge in terms of expertise, both on the offensive and defensive." He goes on to explain that Critical National Infrastructure (CNI) might be regulated by the national authorities but is frequently operated by the private sector, and more broadly speaking defensive technology is almost exclusively developed by the private sector. Within the CNI space the physical and virtual are converging, resulting in legacy machinery now being connected to the internet. This, says Justin Fier, director for cyber intelligence and analysis at Darktrace, "creates new entry points for well-resourced nation-state attackers." The worrying thing is that geopolitical attacks increasingly cause collateral damage with victims along the exploit chain from small organizations right to those companies providing CNI. "This means security has to be a board level priority for all organizations" Fier warns, adding that "cybersecurity vendors will have to be able to keep up with this demand and develop solutions that can protect all kinds of digital infrastructure."

All of which means that cooperation between the cybersecurity industry and the public sector is increasingly critical when it comes to protecting CNI, but also rebounds back into the realm of protecting business itself. "Information sharing in this partnership has been too slow while our adversaries are sharing information much faster and attack us at network speed" according to Arno Robbertse, cyber security director at ITC Secure. A collective defense strategy needs to extend into the supply chain, says Robbertse as this is a space where "the integrity of our operations rely on the cyber security of others, and where industry and government need to come together in a unified message and awareness of the risk." Once you accept the inevitability of a cyberwar scenario being far broader than just a military versus military concept, and that the soft targets most at risk are within a mostly commercially operated infrastructure space, the challenges become clear. Not least that when these commercial organizations are effectively on the frontline of any cyber-conflict the notion that 'if state-sponsored hackers wants to get into your network then they will' has to be confronted. "That simply is not true" says Henry Harrison, co-founder and CTO at Garrison, one of the participating companies in the UK-US cyber security Atlantic Future Forum on-board HMS Queen Elizabeth, adding "private businesses need to step up and recognize they need to play their role in keeping our nations and our way of life secure." A sentiment echoed by Tom Huckle, and ex-Royal Marines captain and now lead cyber security consultant at Crucial Academy. "The cybersecurity industry in the UK is developing talent who, in the future, will be guarding our critical national infrastructure, building the next generation of monitoring tools, and educating future incident managers" he told me, adding "whether enough businesses are taking this responsibility to heart is another question."

Not that this vision of cybersec vendors as heroic defenders of the nation seen through rose-tinted spectacles is a universal one. While most vendors I spoke to agreed that the industry has a huge role to play in terms of national defense against a potential cyberwar threat, some were franker than others regarding how that role is working right now. Take Rick McElroy, a security strategist at Carbon Black, who thinks that vendors need to make products that actually tip the advantage to defenders by allowing them to proactively hunt the adversary in their own environments. He cites Google Project Zero as having had a massive impact in decreasing vendor and consumer patch cycles for example. Carbon Black has a user community that talks on a daily basis about new attacks and how to better detect and respond to them; bringing the power of crowds and community into the data defense equation. "The industry needs more of this" McElroy insists, "more cooperation from vendors and less fighting amongst competitors. We need to refocus on the adversary and less on taking shots at each other." Gary McGraw, vice president of security technology at Synopsys, agrees there needs to be what he calls a focus on information users instead of plumbing. "Civilian, government and military systems are deeply entangled as the WikiLeaks episode demonstrates in no uncertain terms" McGraw told me, continuing "the nature of the entanglement is the people who interact with the systems, not the technology, sets of wires, or physical infrastructure."

Defensive capabilities are one thing, but what about the role of the cybersecurity industry when it comes to attack? Should cybersecurity vendors be involved on the offensive frontline as well? This whole subject is a very scary topic according to Chris Stoneff, VP of security solutions at Bomgar. "Not even taking into account legal aspects, where something as benign as a honey pot could be considered entrapment and thus illegal, actively attacking your attackers is often a good way to escalate a problem or show the would be attacker another route into your network" Stoneff says. He's happier letting the government and "other clandestine organizations" create and deploy the offensive tools on the basis that "their reputation for behaving well and being concerned with fallout is already low." Not everyone agrees that offensive has to mean unethical within the cybersecurity space. Some point out that with attackers seeing increasingly successful conclusions to their operations there is a renewed interest in offensive solutions. "The US has recently passed new cyber security legislation that gives more focus and powers to offensive cyber security" Tom Huckle argues, adding that "the Industry is currently researching and testing the market with offensive capabilities and it won't be long until this becomes the norm."

Talking of norms, some nation-states are known to enlist what you might call cyber-militias in order to provide plausible deniability for their attacks. The line between cybercriminal and state-sponsored threat actor is increasingly blurred when looking in the direction of China, North Korea or Russia for example. Although the West isn't thought to follow this particular strategic lead, Rick McElroy told me that there are discussions underway in the US to create "a reserve force of responders that can be called up in the event of a major cyber disaster." Outside of the cyberwar scenario, and therefore inside the business of defending systems and data against all threats, any 'hacking back' strategy is tricky to say the least. "This practice would need a lot of clarification first" McElroy warns, concluding "companies should focus on defense and getting the basics right before considering launching offensive cyberattacks against nation-states or another organization..."


I have been covering the information security beat for three decades and Contributing Editor at PC Pro Magazine since the first issue way back in 1994. I contribute to the Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Infosecurity Magazine and Digital... MORE

If you’ve been on the job hunt lately, you might have noticed that many positions call for industry certifications, occupational licenses, or postsecondary education certificates. These credentials aren’t degrees, but more employers are requiring them, and more Americans are earning them to increase earnings and advance in their careers. Yet despite the decades-long growth in the numbers and types of nondegree credentials, little is known about exactly who earns them, how people acquire them, and how much labor market value they have.

Earlier this month, New America released a report, Paying More and Getting Less: How Nondegree Credentials Reflect Labor Market Inequality Between Men and Women, which details how nondegree credentials correlate with employment and earnings for the 60 percent of U.S. adults with education below the bachelor’s degree level. Using data from the 2016 Adult Training and Education Survey (ATES), my colleagues and I found that just over a quarter of adults in the United States held at least one certificate, certification, or license, and that these individuals were more likely to be employed and earned more money than adults who did not hold a nondegree credential. But our research also unearthed that these top-level findings mask significant differences in the value of nondegree credentials, especially based on gender and occupational area.

Men with nondegree credentials fare better than women

While women and men without bachelor’s degrees were equally likely to have a certificate, certification, or license, men were more likely to be employed than women who held the same credential type.

But here’s the rub: consistent with past studies, men often earned substantially more than women with the same type of credential. For instance, 46 percent of women who held a nondegree credential made less than $30,000, compared with 25 percent of men. And while 17 percent of men with a nondegree credential earned more than $75,000, just five percent of women earned that much.

Earnings by Nondegree Credential Type and Gender


*Figures include adults who are not in the labor force.
Source: New America analysis of the National Center for Education Statistics 2016 Adult Training and Education Survey. Values pertain to adults with less than a bachelor’s degree.

How much does occupation matter?

The different earnings for male and female nondegree credential holders can partly be explained by occupational choice. In fact, in 10 of the 16 occupational areas we analyzed, more than 70 percent of workers without a bachelor’s degree were of a single gender, either male or female. The earnings associated with all types of nondegree credentials were substantially higher for individuals in male-dominated (e.g. computers; construction, installation, and repair; and science, architecture, and engineering) than female-dominated occupations (e.g. education and library; administrative support; and healthcare). Even with a certification or license in hand, workers in female-dominated healthcare and education occupations are much more likely to earn poverty-level wages compared with workers in male-dominated occupations like IT and construction.

Share of Certification and License Holders Earning Above and Below $30K, by Select Gender-segregated Occupations

Paying more and getting less

The economic value of a credential is not determined solely by its effect on employment and earnings. It also depends crucially on the cost to the person who earned the credential. For an individual’s educational investment to “pay off,” the employment and earnings return needs to be higher than the cost of the education or training. These considerations are particularly important given how often students are taking on debt to finance their education and how much they’re borrowing. Poor employment outcomes make it more difficult to repay educational loans, which can actually leave students worse off than before they enrolled in school.

Our analysis suggests that in addition to earning less, women without a bachelor’s degree tend to pay more to obtain the nondegree credentials required for their careers. Men were more likely to access employer or union-funded training, which is often provided free of cost to the student. A majority of women, on the other hand, prepared for their most important nondegree credential by enrolling in a college, technical school, or trade school. Our analysis of data from the 2015-16 National Postsecondary Student Aid Study indicates that among students who earned a certificate and did not already have a bachelor’s degree, 73 percent of women took out student loans to pay for their studies, compared with 56 percent of men. In addition, on average, women pay higher tuition than men after grant and scholarship aid is accounted for. The difference is likely due in part to the fact that women are far more likely to enroll in for-profit institutions that tend to charge more for tuition than public two-year colleges.

What does this mean?

Gender inequality in the labor market has been well-documented. Most recently, a study by the Pew Research Center of median hourly earnings of both full- and part-time workers in the United States found that women earned 82 percent of what men earned. While the degree of inequality declines as workers obtain bachelor’s degrees and beyond, inequality exists at all educational levels. Although workers who have nondegree credentials make, on average, more than those who don’t, the earnings difference is significantly less for women and workers in female-dominated occupations. Women appear to pay more for – and get less from – nondegree credentials, particularly if they do not have a bachelor’s degree.

How can we begin to address the disparities in labor market outcomes of men and women with nondegree credentials? As a start, there needs to be greater transparency about the cost and returns to nondegree credentials. Clarity about return on investment will help individuals decide whether it is worth pursuing a nondegree credential and, if so, which ones. It will also help states, cities, and professional bodies evaluate the impact of credential requirements on workers in skilled but low-wage occupations. Finally, this critical data might inform whether public funding, in the form of federal student financial aid, is used to subsidize education and training programs that lead to credentials with little value.

No comments: