U.S. Defenses Insufficient vs “Major” Government, Critical Infrastructure Cyberattack
U.S. cyber defenses may not be able to withstand a major attack aimed at government and critical infrastructure targets, top security professionals say. Within the next two years, hackers are likely to go after government agencies and vital industries such as utilities, health care facilities and financial services, according to a survey of roughly 600 security experts in the Black Hat report, Portrait of an Imminent Cyber Threat.
The report, which encapsulates results from the third annual Black Hat Attendee Survey, assesses cyber threat risks, the Trump administration’s cyber policy, nation-state attacks and the dangers faced by U.S. enterprises. The next Black Hat USA 2017 summit, by the way, is scheduled for later this month in Las Vegas.
In the meantime, let's just say the experts find it alarming how much cybersecurity work remains to be done. Here are their operative points:
1. Saying isn’t doing: U.S. government and cyber defenses are ill-equipped and staff are under-trained with little improvement in sight. Only 26 percent of surveyed security pros are confident that the U.S. government and defense forces are ready to handle an oncoming attack.
Perhaps most telling: nearly half (47 percent) of the participants believe the Trump administration's impact on cyber defense will fall far short of what's needed. Some 26 percent expect a positive result, while 27 percent aren't swayed one way or the other.
2. Confidence is waning: State-sponsored attacks are the eye of the storm, say the security pros. Recent high-profile nation-state cyberattacks targeting the U.S. elections, cyber espionage against U.S. corporations and the WannaCry ransomware are having their intended effect: eroding IT security pros' confidence in critical infrastructure security.
Nearly 70 percent of respondents contend that attacks from Russia and China have made U.S. enterprise data less secure. Some 60 percent believe corporations should develop special online defenses to protect their critical data from state-sponsored hacking.
3. Trust is eroding: Leakers and whistleblowers aren’t necessarily synonymous. The study’s findings indicated that a majority of security pros believe WikiLeaks’ release of stolen documents has chipped away at the community’s trust in the U.S.’s ability to defend itself.
About 60 percent of the survey respondents said they believe WikiLeaks is affecting how corporations and government agencies conduct operations. But it's not a one-color canvas: while more than 30 percent of security pros are critical of WikiLeaks and 31 percent favor its activities, 37 percent are neutral.
4. Listen up: Security pros have been warning businesses for the past two years that the cyber tornado is coming. And even with frightening incidents getting national exposure, serious issues are still going unaddressed, they say.
Nearly 70 percent of respondents are fairly certain that their own enterprises will be hit by a breach in the next year. Most telling, their concerns are the same ones they voiced in last year's and 2015's reports: a shortage of skilled security professionals, a lack of prioritization from upper management, and inadequate security budgets and spending.
5. All signs point in one direction: Black Hat concluded that the study's findings put the onus on government and business leaders to step up their games, shore up defenses and prioritize security. Otherwise, they and we had better run for cover.
For those who want more granular findings from the study:
- 36 percent of security pros believe the increasing prevalence of ransomware is the most serious new threat they face.
- 50 percent pointed to phishing and social engineering as their greatest concerns, while 45 percent fear sophisticated attacks targeted directly at their own organizations.
- Nearly 70 percent of respondents said they lack the staffing to meet the threat of a major security breach in the next 12 months, and 60 percent believe they don't have enough budget to counter the threats they face.
Stay tuned to MSSP Alert for live coverage of Black Hat USA 2017 later this month — direct from the show floor and private meetings in Las Vegas.