BOSTON -- Industry leaders from the public and private sectors found common ground on the issue of information security, calling on researchers to investigate new ways to ensure system resiliency in the event of a serious cyberattack.
We really need to look at our research, technologies, techniques and tactics we're deploying and determine how hard we're making it for the adversary.
Steven King, deputy director for cybersecurity, Department of Defense.
Organizations need to move from a static, perimeter-based approach to a more analytical-based defense strategy, according to experts at the second annual Advanced Cyber Security Center Conference. The day long program highlighted ways the government can work with the private sector by funding early university projects that solve information security problems. During a panel discussion, representatives from the government and the financial industry identified funding priorities for further research and development activities.
Executives at the event spoke positively about information sharing initiatives and increased collaboration at all levels fostering innovative security research. But the event was shadowed by news Thursday that the Cybersecurity Act of 2012 failed to gain passage in the Senate, increasing the likelihood that the White House will implement portions of the cybersecurity legislation through an executive order.
Military systems are designed to be adaptable and flexible because in wartime situations, systems need to function even when damaged, said Steven King, deputy director for cybersecurity in the Information Systems and cybersecurity directorate of the Department of Defense.
"You need to be able to operate, even in degraded environments," King said. "We really need to look at our research, technologies, techniques and tactics we're deploying and determine how hard we're making it for the adversary."
The focus at DoD is also on research into better securing embedded systems and weapons platforms, King said. Red teams constantly test military systems. Metrics are equally important to test the outcome of simulations and measure cybersecurity funding in various ways, King said.
Advanced Cyber Security Center conference
Sharing practical threat data can reduce the "dwell time" of an attacker and better detect and contain problems, said Tom Heiser, president of RSA.
"There are real time systems with different sets of processors and unique OSes and we don't want cybersecurity to interfere with locking in on radar and electronic jamming to avoid a missile attack," King said. "You certainly cannot interrupt a system for a virus scan at that point."
Embedded systems security is also a priority at the Department of Homeland Security where officials are seeing network enabled devices being deployed around the country on a massive scale, said Scott Tousley, deputy division director, cybersecurity division at the Department of Homeland Security. DHS is interested in research into ways to systematically rip and replace outdated systems with security enabled systems that don't cause serious disruption or degradation of service, Tousley said.
"We can't massively replace everything all at once," he said. "We've got a real challenge of trying to go back and retrofit maybe in parts and I don't think anyone has gone back to look at this renovation."
In the financial industry, where financially motivated cybercriminals are continuously bombarding systems with automated attacks, security is top of mind at all levels of the organization, said Chris Perretta, CIO of State Street Corp. Executives are trying to weigh the company's risk posture while focusing on system reliability and resiliency of the applications and systems, Perretta said.
"It all gets down to being risk-based and being able to assess risk," Perretta said. "You want to be risk-based but you also have to be controls-based and do it in an environment where resources are limited."
Technologies that look to solve the problem of advanced-persistent threats or targeted attacks aimed at a company's intellectual property are the most serious concern in the private sector, said Maria Cirino, cofounder and managing director of .406 Ventures, a firm that has invests in technology start-ups. The firm invested early stages of Burlington, Mass.-based application security vendor Veracode and Waltham, Mass.-based whitelisting vendor, Bit9.
"It's about the recognition that things are inside and what action should you take to maintain a level of availability and security that will keep you doing the business that you are in," Cirino said. "We're focused on investments that enable continuous monitoring and inspection."