Article contributed by alumni Senior Correspondent Jeff Grimes:
2014 was the worst year to date for cybersecurity. In the span of just nine months companies such as Sony, Microsoft and Target suffered crippling cyber breaches causing either major system outages or the compromise of crucial private data. With each new incident, the conversation about cybersecurity has taken an increasingly central position for both the general public and the US government; nonetheless, the overall readiness of the US to prevent and respond to cyber attacks has a long way to go.
To help move cyber threat preparedness in the right direction, Hewlett-Packard (HP) announced three security partnerships on April 21 at the RSA Conference, an annual cryptography and information security conference held this year in San Francisco. The partnerships are with FireEye, the publicly traded Milpitas, CA-based network security company specializing in cyber threat forensics and protection; Securonix, the private Los Angeles-based security intelligence company specializing in monitoring and detecting cyber attacks; and Adallom, the private Menlo Park-based cloud security company specializing in enterprise software-as-a-service (SaaS) application security.
According to HP, the partnerships represent a “new school of cyber defense” that will focus on protecting the interactions between users, applications, and data exchanges. This line of thinking may seem obvious, but it in fact represents a sea change from the traditional “perimeter defense model” that has dominated enterprise security for decades.
If we imagine an enterprise (which for the sake of simplicity we can define as a company’s servers, datacenters, applications, employee computers and internal networks) as a large circle, then the perimeter defense approach consists of surrounding the circle with a shield comprising a firewall and an intrusion detection system. This strategy is cheaper and easier than its chief alternative: protecting each individual entity inside the circle with its own smaller shield (that is, individually securing all networks and devices). Although industry experts have long believed that the “hard exterior, soft interior” approach of the perimeter defense model is vulnerable, the majority of tech companies have implemented it because it is cheap and easy to deploy compared to its laborious and expensive alternative.
The theory behind the perimeter defense model is that if a cyber incident occurred, the firewall and application proxies, rather than the sensitive backend system (likely the attackers’ ultimate target), would absorb the impact of the attack. The intrusion detection system would alert the proper employees within the enterprise to the attack, and they would respond before sensitive data was compromised or system outages began to occur.
While this system has always been far from perfect, the recent rise in cyber incidents has made its fragility more apparent. According to the Identity Theft Resource Center, US data breaches reached a record high of 783 incidents in 2014—a 27.5% increase from 2013.
HP’s bold effort must therefore be taken seriously—regardless of how its ambitious partnership plans are ultimately implemented, HP is one of the first companies to make such a spirited and public effort to challenge the established norms of corporate cybersecurity. Rather than continue to focus on the perimeter, the company and its new partners will prioritize threat analytics and incident response for individual devices. Perhaps the biggest force in rendering the perimeter model obsolete has been the rapid increase over the last few years in the number of smartphones and internet-connected devices used by both individuals and corporations. Combined with tech companies’ reliance on cloud storage, this trend has created a plethora of easy targets for malicious hackers seeking to obtain private data. HP’s approach will focus on security for individual devices, meaning that companies will have more protection against cyber threats given their current IT configurations.
Of HP’s three partners, FireEye has made the most headlines recently. In December, the company closed a $1.05 billion cash-and-stock acquisition of Mandiant Corp, the Alexandria, VA-based cybersecurity firm that rose to prominence with the release of its February 2013 report directly implicating the Chinese government in a series of cyber espionage incidents. Although the report lacked smoking-gun evidence, it was helpful in raising public awareness of the cyber threat posed by foreign governments. FireEye was also a key player in mitigating the damage of the Anthem Insurance breach in early February. In November 2014, CBS featured FireEye prominently in a 60 Minutes episode entitled “What Happens When You Swipe Your Credit Card.” The episode was the most watched 60 Minutes episode in two years. On April 12 of this year, CBS featured FireEye SVP-COO Kevin Mandia on the evolving cyber threat landscape during another episode of 60 Minutes entitled “The Attack on Sony.” FireEye’s continued publicity has helped thrust cybersecurity into the limelight for both the US public and for Washington. Cybersecurity’s prominence is long overdue—the gravest threats that America will face over the next decade may well be in the cyber realm.
According to HP’s press release, the two companies will collaborate to develop an industry standard for advanced threat protection services and incident response capabilities. FireEye’s Mandiant investigative group will likely play a key role in the partnership. Mandiant’s services are typically expensive, but Mike Nefkens (Executive Vice President of HP Enterprise Services) stated that HP would focus on bringing a co-branded version of those services to smaller companies for a lower price so that the new approach to cybersecurity can have as broad an impact as possible. HP’s new product, if completed, would offer private companies a convenient and comprehensive level of security not previously achieved on such a large scale. It is commonly held in cybersecurity circles that if all companies were eventually to upgrade their own systems to the same standard, the US’s national infrastructure would become significantly less vulnerable to malicious cyber attacks.
HP also said in its press release that Securonix, the second of its three partners, will take on the role of helping HP’s customers to track and identify intruders who present cyber threats. The final partner of the deal, Adallom, will deliver enhanced security monitoring and enable customers to take direct control of cyber incident response.
At this point, none of the companies involved has released additional details on the nature of the deal. Such strategic partnerships often appear promising at the time of their announcement but fail to develop into anything meaningful; the US should be hesitant to believe that HP’s new partnerships alone can change the face of private sector cyber threat preparedness. HP employs 5,000 security consultants, many of whom manage outsourced security operations for the company’s large clients. If HP puts these employees to work with teams from its new partners in a significant way – that is, if the effort put in by all four companies matches the excitement with which they announced the deal – then this “new school” of cybersecurity defense may be the beginning of a much-needed shift in the private sector’s approach to mitigating the damage from attacks like the crippling incidents of 2014. The Target breach, the Sony Pictures hack perpetrated by the DPRK and the Lizard Squad Christmas Day hack were all theoretically preventable. The perimeter defense model itself is not to blame for these attacks; each of the victim companies should have been more prepared to detect and respond to cyber threats. Had they used HP’s approach to secure their infrastructures, however, the damage done to their systems may have been much less severe.
While I believe that a major shift in cybersecurity as a result of HP’s partnerships is unlikely, and at best several years removed from resulting directly in any significant industry-wide change, HP’s new partnerships may also offer potential for the American government to boost its own expertise. The White House has recently intensified its efforts to bolster relationships with the private sector, sending Secretary of Defense Ashton Carter on a tour of Silicon Valley to network with and glean knowledge from tech leaders such as Mark Zuckerberg, Sheryl Sandberg, Peter Thiel and Ben Horowitz. Its public responses to some of the cyber attacks of 2014 have underscored its failure to stay current with cybersecurity trends, and the HP deal, if fruitful, may provide a blueprint for future success.
The US government needs a closer relationship with the private sector to prevent repeats of some of the incidents of 2014. When the DPRK launched a crippling cyber attack against Sony in November 2014, the US government’s response exemplified its inability to act properly in the wake of cyber incidents. President Obama publicly condemned Sony’s actions in a press conference, despite the fact that the company was attacked by a foreign government and could hardly have been expected to know how to respond appropriately. Furthermore, it took the FBI 26 days to determine that the DPRK was in fact behind the attack. Washington promised a “proportional response” but failed to take any significant action.
Sony could simply have been more prepared for both the prevention of and response to a cyber attack. On the prevention side, the new model that HP is championing provides a good template for tech companies to follow. On the response side, there was little that Sony could have done. To account for the increasingly likely scenarios in which foreign governments (as opposed to small hacker cells like Lizard Squad) are responsible for attacks, the US government needs a clearly defined action plan for collaboration with private companies. Washington essentially left Sony to fend for itself in the wake of the DPRK’s attack, and the results were embarrassing for both parties.
On the day of the attack, the White House should have facilitated a complete analysis of Sony’s network and gathered as much data firsthand from the company as possible. Ideally, enough monitoring systems would have been in place that evidence of a foreign government’s involvement would at least have been obtainable. The White House should have coordinated the action plans of the FBI, CIA and NSA before sundown and issued a specific and clear message to private sector companies outlining the nature of the attack and describing preventive steps to be implemented immediately. It also should have issued a public statement explaining that Sony was the victim of a cyber attack perpetrated by unknown sources and that the US government would be working in close conjunction with the company to identify the hackers over the course of the next few days.
These steps may seem implausible considering the US government’s actual response, but the action required to make them a reality is reasonable. Washington needs to make cybersecurity a top priority not just in name but also in practice. Whether it will succeed in forming any meaningful partnerships with private technology companies is unclear.
The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.