Many companies assume they are safe from data breaches simply because there is no evidence of an attack. As a result they are going without such vital defenses as encryption, former White House cybersecurity czar Richard Clarke told a gathering of IT security professionals at a recent breakfast.
The growing data breach risk and need for encryption was the main focus of the breakfast, hosted by Waltham, Mass.-based vendor Liquid Machines during last week's Gartner IT Security Summit in Washington D.C. Michael Ruffolo, CEO of Liquid Machines, said in his opening remarks that his customers live in constant fear that they will lose data and become the focus of a TJX-style media firestorm.
"They tell me they're afraid to push send because when they push send, they lose control" of the information, he said. "If your business is such that you have to share information, you're in a difficult position because of the data loss epidemic. There's constant concern about information getting out because of insiders -- not necessarily malicious insiders."
Clarke, who has kept a high profile as a writer and security consultant since his well-documented falling out with the Bush Administration a few years back, said that while many companies fear the prospect of a data breach, not all are doing what's necessary to prevent one.
"It typically costs someone 100 hours of time to deal with the theft of their identity," said Clarke, who is currently chairman of Arlington, Va.-based Good Harbor Consulting. "Companies need to remember that identities are stolen every day and no network is 100% secure."
Clarke compared the attitude of some corporate executives today to that of U.S. Defense Department officials 10 years ago when White House cybersecurity officials pushed the Pentagon to adopt intrusion defense systems (IDS). The Pentagon added the IDS and the service chiefs came back annoyed because, as they put it, the IDS technology had caused them "a hell of a problem." They ranted that they were being attacked all the time and that they weren't being attacked before IDS was deployed, Clarke said.
"That illustrates the problem," he said. "It's about what you don't know, or what you don't see or can't prove. Industrial and national espionage is happening daily on a massive scale. Your databases are being stolen and copied, and just because the evidence isn't in front of you doesn't mean it's not a problem."
There may never be 100% security, he said, but companies can minimize the damage with encryption. If data is encrypted, it's of no use to the person who steals it. Unfortunately, he said, some companies fail to take encryption seriously until after they've been compromised.
"You have enormous companies like DuPont where an insider is able to copy information and commit industrial espionage," Clarke said, referring to the case of former DuPont senior chemist Gary Min, who stole approximately $400 million worth of information from the company and attempted to leak it to a third party. Min joined DuPont in 1995 but began exploring a new job opportunity in Asia in 2005 with Victrex, a DuPont competitor. Shortly after opening the dialog with Victrex, Min reportedly proceeded to download approximately 22,000 abstracts from DuPont's data library and accessed about 16,700 documents. After Min gave his notice, DuPont discovered what he was up to and brought in the FBI. He eventually acknowledged his guilt in the matter.
Clarke said companies must find ways to detect where data is sitting on the network and establish rules for who can or can't access certain documents.
"Stop worrying about protecting the network and worry instead about protecting what's on the network," Clarke advised the breakfast attendees. "Putting a barrier around that information -- credit card numbers, designs, customer lists and the like -- will help prevent a compromise."
Also at the breakfast was Michael Sheehan, former deputy commissioner of counterterrorism for the New York Police Department. During his tenure, he said the department investigated an attack against a cyber institution that to this day has not been disclosed. Investigators ultimately found that the attack came from six to eight countries and was exceptionally sophisticated and coordinated.
Clarke said people think the catastrophic event will never happen. Sheehan and other investigators told Clarke the company would have been brought to its knees if the attack had been 5-10% more sophisticated.
"The bad guys are a little bit behind the good guys, but they're catching up," he said. "People think the catastrophic event will never happen, but we've seen that it does."