ORLANDO — During yesterday’s cybersecurity panel discussion here at the CNS Partnership Conference, moderator Matthew Eggers from the U.S. Chamber of Commerce asked audience members whether they had ever been hacked. Using digital polling devices, 40 respondents said “no,” 23 said “I don’t know” and 23 said “yes.”
Another question asking whether attendees’ IT departments can prevent future hacks, the largest number of responses (44) said they had confidence that 75% to 99% of attacks could be thwarted today.
Those results, alone, should be cause for alarm across the industry, noted the panel of cybercrime experts, who later discussed the enormous vulnerability of most air cargo security systems. Faye Francy, a security expert from Boeing’s Aviation Information Sharing and Analysis Center (AISAC), said some “advanced persistent threats” are able to hack many systems for six to nine months before any IT expert could detect a problem. And by then it’s far too late.
Tom Mills, from the U.S. Department of Customs and Border Protection, told attendees that the web is rife with state-sponsored hackers, and many more “opportunity hackers” that do nothing more than look for “sloppy security systems” and pick the “easy to exploit” companies.
There are misconceptions about cybersecurity. Dallas Bishoff, a client security officer, information risk management, for HP’s Enterprise Security Services, said the biggest threat does not come from rogue states like North Korea, or even from mischievous teenager hackers on a lark – it’s from teams of professionals.
“You have to remember, they’re well-financed,” he said. “They pay their mortgages on the money they make. They’re automated and very fast, taking as little as 90 seconds to get in.”
As disquieting as the figures were, the panel did have some positive advice to give, including taking a more aggressive role with security and banding together with competitors to prevent future attacks. Francy encouraged the audience to get involved with AISAC and to move security to the forefront. “We want to move cybersecurity away from being just an afterthought,” she said. By taking webinars and other courses on real-time threat intelligence, many air cargo operations can eliminate some risks just by understanding their vulnerabilities. “Situational awareness is quite powerful,” she added.
An even better course of action is to gain “collective awareness” by banding together with other companies – even with your competitors – and setting up information-sharing committees, Francy said. For those concerned about sharing sensitive data, she said it’s possible to anonymize the data and either share with private-sector partners or give it to the government to disseminate.
Bishoff agreed that sharing best practices data is the most efficient course of action so companies are “not reinventing the wheel.” Businesses should have agreed-upon security profiles about how to secure a connection, for instance. Having a true security framework gives companies the opportunity to evaluate their most vulnerable areas. “Don’t do security just because it’s some scary thing out there,” he said. “Make sure it’s tied to your business objectives.”
Eggers noted that “nothing is a panacea” to the cybersecurity threat, but he did say “the cloud can provide better security” than more conventional means. He also warned the audience not to get too obsessed with security. “Don’t let paranoia stop you from making progress with your business,” he said.
Still, the panel got the audience’s attention. By the end of the session, another quick digital poll was taken by the audience. When asked the question, “Are you concerned about your company’s ability to prevent hackers attacking your system?” only four said they were “not concerned,” while 25 said they were “somewhat concerned” and 34 – the largest response – said they were “very concerned.” Perhaps the CNS session was a wake-up call for many.