Talk of cyberwarfare meaningless to many companies, experts say

While government leaders often use attention-grabbing buzzwords like cyberwarfare, such expressions do not have much impact on security budgets within private industries, experts say.


The possibility of cyberwarfare has been in the spotlight for more than a year, since then-Defense Secretary Leon Panetta said in a policy speech that the nation faced the threat of "another Pearl Harbor."

Following Panetta's lead, other government leaders have also given speeches drawing the nation's attention to the risk of a wide-scale cyberattack taking down a large segment of the nation's critical infrastructure, such as power plants or financial institutions.

In a recent poll conducted by DefenseNews, U.S. leaders in national security policy, the military, congressional staffs and the defense industry rated cyberwarfare as the most serious threat facing the U.S.

Republicans, Democrats and independents in the poll of more than 350 national security leaders held that view, while differing on the second most serious threat. Respondents who identified themselves as Republicans listed terrorism and Democrats chose climate change.

As the clear bipartisan winner, cyberwarfare has become a major concern among security leaders. However, that has not led to more spending on cybersecurity within the private sector, including the industries that make up the nation's critical infrastructure, say experts specializing in industrial control systems.

"Yes, I've seen some industrial companies go above and beyond the normal practices," Jim Gilsinn, senior investigator for Kenexis Consulting, said. "Those are the examples of how things should get done if all things can be done right.

"In most cases, the companies I've dealt with have limited budgets and/or resources, so they are just trying to handle the minimum and maybe a little more to get themselves some level of protection."

The private sector is not going to increase spending because of a sound bite from a government official's speech, said Kevin Coleman, strategic management consultant for SilverRhino, a firm specializing in government IT security. Companies need facts before agreeing to increase expenses that reduce profits.

"They're only going to spend what they absolutely have to and not a dime more," Coleman said.


Companies spend on what's considered "usual and customary" within their particular industry, Coleman said. During congressional hearings on cybersecurity, industry leaders will often tell lawmakers they are willing to do more if the government gives them the money to do it.

Most of the companies Gilsinn has worked with have never suffered a major cybersecurity problem, so they are cautious not to overspend.

"We work with them to implement a lot of very basic cybersecurity countermeasures in their industrial environments," Gilsinn said. "They aren't trying to defend against the threat of cyberwarfare or APT (advanced persistent threats).

"Mostly, they are just trying to implement a similar level of cybersecurity in their industrial environment that they may already have in their IT environment."

To get the private sector to spend more, Coleman suggested the government grant security clearances to CSOs and CISOs, so they can examine cyberattack intelligence and determine the risk it poses to their companies.

"Because they're not cleared, they do not understand the threat," he said.

Utilities and manufacturers are hesitant because of the enormous expense of replacing or upgrading the security technology built into their infrastructure, said Eric Cosman, co-chair of the Chemical Sector Cybersecurity Program at the International Society of Automation.


"If the IT and the physical components are highly integrated then it may not be possible to replace one without the other," Cosman said.

Industries are still working on finding a way to separate security systems, so they can be updated "without requiring total system replacement," he said.

In Gilsinn's opinion, the term cyberwarfare is more useful to the Defense Department and other organizations hoping to convince Congress to send more money their way.

"Cybersecurity is definitely sexy at the moment, and government agencies and (defense) contractors are all trying to figure out how to get as much of the budget pot as they can," Gilsinn said.

Stories by Antone Gonsalves
