The United States is more prepared than ever for a major cybersecurity attack, but a panel of prominent security experts warned Tuesday that more needs to be done to increase awareness about cybersecurity issues and better educate future IT pros.
"We need to provide resources for future problems," said Eugene Spafford, the executive director of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS). "Patching the latest problem isn't getting us anywhere."
Spafford joined well-known security experts Howard Schmidt, president and CEO of H&L Security Consulting, and security luminary Bruce Schneier at the Information Security Decisions conference in Chicago for a discussion about cyber threats in 2008 and beyond. The panelists agreed that it would likely take a major cybersecurity event before the public becomes motivated enough to demand better security.
The panelists agreed that the growing number of backdoor Trojan horse programs and herds of bots will continue to be a problem, but it's unclear whether cybercriminals will use them to take down the electronic infrastructure of entire nations or in isolated, targeted incidents for financial gain.
"We've had plans in place for a long time to minimize the impact [of an attack]," said Schmidt, who once served as a White House cybersecurity adviser. "There will be local events and I worry about those having an effect on a particular region."
Businesses have been preparing for an attack; systems would be disrupted initially, but they could be brought back online in time to minimize the impact, Schmidt said.
While businesses have mainly been addressing threats from external sources, internal threats are a growing problem. The panelists agreed that the drive for money among cybercriminals is still the basis of nearly all attacks, making data-level protection technologies a top priority.
"As we've noted there's a greater temptation for insiders … We've seen individuals more willing to take risks when they run into money issues," Spafford said. "Typical enterprises no longer have a typical perimeter … We have to move the defenses closer to the valuable data."
Web applications continue to be targeted, and Voice over Internet Protocol (VoIP) attacks, in which attackers can intercept and sell company meeting minutes, inject misleading spam messages or create massive outages, could also pose a problem for enterprises, the experts said. Phishing attacks are also becoming more targeted and sophisticated, tricking end users into giving up sensitive information.
The group lauded efforts by vendors to better educate developers on safe coding practices. A new SAFECode (Software Assurance Forum for Excellence in Code) organization was formed last month and is being led by industry giants, such as Microsoft Corp. and Symantec Corp., to highlight best practices in the security development lifecycle.
"Education should be driven by the market; it's the responsibility of the commercial vendor community," Spafford said.
The panelists stopped short of calling for government regulations to push vendors into making more secure products. Spafford said there likely isn't enough public outrage to force the federal government to enact legislation. The need to increase profit margins has also been enough to push vendors into developing more standards, and it could be the main driver for better educating their workforce on security issues.
Schneier took it a step further, saying electronic devices such as computers, PDAs and cell phones have too many features, opening them up to cyberattacks. While consumers want more features, they're not necessarily using them, and software developers and engineers are failing to make devices with security in mind, he said.
"Attacks are now targeting people rather than the syntax of the software," Schneier said.