As 2014 comes to a close and government business winds down for the year, one thing has been made very clear: cyber security is going to play a major role in 2015.
First, President Obama nominated a major supporter of increased cyber security capabilities to lead the Pentagon. Ashton Carter, former deputy secretary of defense, has been influential in reorganizing U.S. Cyber Command over the last few years and his nomination suggests the administration is ready to aggressively build out its capabilities in fighting cyber criminals.
During the 2013 Aspen Security Forum, Carter said that cyber security is an area of “great importance” and noted that the Department of Defense was continuing to invest in it despite budget cuts. Nominating someone as head of the Pentagon who has made cyber security a priority is in line with the plan the agency set in place last year to increase the number of those serving at Cyber Command fivefold in the near future in order to defend against increased threats from state-level malicious actors.
“It’s a new field of warfare,” said Carter during the forum. “Obviously, we want to do things as we try always to do, in a way that is lawful and in a way that our population can support and is consistent with our values.”
Cyber security legislation comes to the president
Second, Congress approved multiple bills related to cyber security, at least one of which should be signed into law before the new year. None of the bills dealt with the broader, more contentious aspects of cyber security, such as the prospect of immunity for companies that offer the federal government cyber threat information. However, the proposed legislation does help to create a framework for federal agencies to deal with cyber security-related issues.
Two of the bills are focused on creating centralized processes for the government’s cyber security efforts by enhancing information sharing with private-sector organizations. The other two pieces of legislation are centered around strengthening the recruitment efforts for the Department of Homeland Security’s cyber security workforce.
One of the bills headed to the president’s desk for a signature is the National Cybersecurity Protection Act of 2014. This piece of legislation will likely have the largest impact on the private sector as it will codify the efforts of the National Cybersecurity and Communications Integration Center, part of DHS’ current cyber threat defense strategy. Under the new law, the NCCIC would offer private sector institutions a platform through which to share information on cyber threats with the federal government and vice versa. Under the bill, the center will be required to include representation from federal agencies, state and local governments and the owners and operators of private sector critical information systems.
One of the four bills passed by the House in December was the Federal Information Security Modernization Act of 2014. The new act amends the original act from 2002 which served to centralize the management of federal government cyber security within DHS. The amendments maintain the authority of the director of the Office of Management and Budget to oversee federal civilian agency information security policies, and give the Homeland Security secretary the authority to implement such policies. The bill also codifies the directive given by the OMB in October that gave DHS the authority to scan federal civilian agency networks for cyber threats.
The two bills dedicated to strengthening the government’s cyber security workforce – the DHS Cybersecurity Workforce Recruitment and Retention Act and the Cybersecurity Workforce Assessment Act – are also awaiting the president’s signature. The pieces of legislation would improve the hiring procedures required and salary ranges offered at DHS, as well as develop a strategy through which to enhance the recruitment and training of cyber security employees within the agency.
Increased government attention good sign for enterprise security
While the new bills focus on the government side of cyber security and threat protection, the increased attention being paid to the issue by the U.S. government signifies a bigger overall movement within the country to increase the protection of online assets. The attack methods being employed by cyber criminals are growing more sophisticated, and relying on defense techniques created almost three decades ago won’t sufficiently protect sensitive information. Government agencies are starting to deploy next-gen security systems and enterprises would be wise to do the same.
The majority of cyber threats facing businesses today are advanced persistent threats that are focused on gaining financial information and other sensitive data. Researchers with Trend Micro predicted that companies will see an increase in social engineering attacks in 2015, as well as campaigns focusing on gaining access through point-of-sale systems. As the number of Wi-Fi-enabled devices continues to grow, the number of entry points running vulnerable firmware will also increase.
In a white paper entitled “Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime,” Trend Micro researcher Loucif Kharouni noted that business networks are more frequently being invaded by cyber criminals through non-traditional entry points. In order to effectively protect against attacks from all sides of an enterprise, IT decision-makers need to implement security solutions that use comprehensive monitoring and detection. Defense programs like Trend Micro Deep Discovery and Trend Micro Titanium Security enable organizations to protect against targeted attacks and cyber criminal campaigns. Employing such programs provides companies with increased system monitoring and threat detection, dramatically improving security and peace of mind.