Wise infosec pros know to assume not only that their organizations can be penetrated, but also that they already have been.
It’s worse than that, a former national security adviser to two prime ministers has told a cyber security conference.
“I want to assure you there are any number of attacks from [nation] states that you have never heard about and will never hear about,” Richard Fadden told the International Cyber Risk Management Conference on Friday in Toronto.
“A couple of countries are so sophisticated there’s no way you’re going to know you’ve been attacked,” he said. And, he said, infosec pros are wrong to think that no matter how good their IT security is they can always detect an attack. “That’s a real, real problem for us and the West more generally.”
“There’s one country in particular that uses the vacuum cleaner approach. They will vacuum up any bit of data they can find anywhere. That includes the private sector and civil society [non-governmental organizations].
“Many of you in this room are probably on a list somewhere where people are trying to keep track of what you’re doing.
“Given the last few jobs I have had,” — including heading the Canadian Security Intelligence Service (CSIS) — “I have no illusions that I have a great deal of cyber privacy.”
He also urged the private sector here to pressure all levels of government to be more open about how to deal with cyber attacks. “The U.S. and U.K. are far ahead of us in ability to share information, including classified information, so you can have a reasonable dialogue … Our ability to share classified information in Canada is quite a bit more limited. You need to ensure that people in government permit at least the beginning of open dialogue so you will know what they know and they will know what you know.” The finalization of breach disclosure regulations will help, he said.
However, a senior government official at the conference said in an interview that release of those regulations for public discussion is still months away.
Attributing the source of an attack is difficult, Fadden added, given that states, quasi-states, criminals and terrorists have been known to use each other for cyber attacks.
And while there have been recent calls for countries to get together to fight cyber intrusions – last month, for example, there was a call from Israeli Prime Minister Benjamin Netanyahu for international co-operation on cyber security and Microsoft president Brad Smith called for a ‘Geneva Convention on cyber’ to prevent attacks on critical infrastructure – Fadden was sceptical.
“You lose nothing by trying,” he said, adding that because Canada is small we’d get better results working with other countries. But, he added, “the world really is divided into two camps. Those who think the Internet should be used the way it is now – open to discourse and not subject to content controls – and a large number of countries who believe the exact opposite. So is it worth trying? Absolutely.”
Fadden noted that former CIA and NSA head Michael Hayden recently told him that the September 2015 deal China signed with President Barack Obama promising neither country would engage in cyber commercial spying had slowed attacks. But, Hayden added, state-sponsored attacks hadn’t stopped.
“I would not attribute a great likelihood of success,” for an international pact, Fadden added. “For the love of God, we can’t do anything on trade because the WTO (World Trade Organization) is totally stuck in the mud.”
He recalled some of his security colleagues used to say ‘We need to pound on the table and get them to stop’ cyber attacks. But, Fadden said, Canada has economic, social and regulatory arrangements with some of these countries who can tell us to “take a flying leap. They will block tourism, they will stop investing, they will deal a whole raft of things.”
He also warned that China, Russia and many other countries have a different view of privacy than Western countries. “You have to be realistic. We’re living in a world where our conception of privacy isn’t going to prevail, and we’re going to have to come to grips with it sooner rather than later.”
China, he added, “is almost on the verge of developing its own Internet.” And if it and other countries block out the rest of the world then many of the benefits of the Internet will disappear.
Meanwhile domestically there has to be an open discussion on balancing privacy and national security, he said, including the controversial issue of police and intelligence agencies’ use of telecommunications metadata.
“I think both the privacy nuts and the security nuts have to compromise so we have something in the middle that increases our security and at the same time protects our interests,” Fadden said. “We’re not very good at talking about these things in this country. We talk about these threats after we have a crisis for two months, and forget about it … partly because we don’t feel particularly threatened. But we are more threatened than people think.”