As tens of thousands of the world’s top security pros gather at RSA Conference 2017 they are being called upon to watch out for a new threat: their own data.
By corrupting data that is used for making decisions, attackers can cause all kinds of problems, says Chris Young, general manager of Intel Security. “Now data is manipulated and used against us to affect the decisions we make,” he says.
He calls this corruption “data landmines,” which when factored into decision making, can result in bad choices, missed opportunities and economic losses.
He says stolen and manipulated data combined to disrupt the 2016 presidential election, for example, and the consequences of similar manipulations could be high for businesses whose big-data analysis is undermined by altered small data that makes it up. With inaccurate input to draw on, the outcomes will be faulty, he says.
“We need to pay attention to small data used in models or it can be turned into a weapon,” he says.
Another new attack surface is home networks, he says. These largely insecure networks that include internet of things devices such as DVRs and security cameras can be compromised and used as weapons, as in the case of the gigantic Mirai botnet attack last year.
But because more and more people work from home, these networks become a threat to the corporate networks employees connect to, Young says. “Is the home taken into account when we design cyber security architectures? We need to make sure the internet of things doesn’t become the internet of terrorism.”
He says the problems are large and cooperation among security pros is needed to address them. “None of us can go it alone.”
Microsoft President Brad Smith, another RSAC keynoter, takes this one step further, calling on the technology community to band together as “a digital Switzerland” to protect civilian cyber assets from the acts of criminals and nations trying to exploit them.
He says the community should commit to principles similar to those adopted by the International Committee of the Red Cross in its defense of civilians in war-torn areas.
In the cyber realm, these should include:
- Focusing solely on defense; no offensive activities;
- Collaborating to respond to attacks;
- Assist and protect all customers everywhere;
- Refusing to attack civilians anywhere, regardless of who asks.
A digital Geneva Conventions should pledge no attacks on the private sector and no attacks on civil infrastructure including power grids, water supplies and political institutions.
Further, governments should not stockpile software vulnerabilities to use as weapons rather than disclosing them so they can be patched, Smith says.
Countries should form an international agency similar to the International Committee of the Red Cross only for cyber issues. Made up of respected members of private, public and academic institutions, it should monitor nation-state attacks and seek to attribute them to the perpetrators.
Sign up for CIO Asia eNewsletters.