News

The CIO’s Role in Establishing a Cyber Resilience Strategy

Oracle CIO Jae Evans hosted a special security edition of CIO Exchange in which cybersecurity experts assessed how the threat landscape has evolved in recent years—not only the increased number and sophistication of the attackers, but also the enhanced capabilities of defenders.

Current threats emanating from nation-state actors are immense. Many countries have been building up offensive cyber capabilities, and they see few bounds in attacking—either directly or through criminal proxies—Western corporations, governments, and critical infrastructure.

​Such hacks have wrought substantial and ramping economic damage in recent years. They also have made national security vulnerabilities glaringly apparent.

“This is a real and dangerous threat that we’re facing, from nation states, from terrorists, from criminal operations, from hackers who can not only destroy businesses, hurt businesses, but can literally undermine our national security,” said former U.S. Secretary of Defense and former CIA Director Leon Panetta.

Not so long ago, the situation looked dire; hackers became more advanced and better funded just as many organizations were building IT environments so complex that securely managing them exceeded human capacity, said Oracle’s Chief Corporate Architect Edward Screven.

“It seemed the roof was caving in,” Screven said.

But that all is changing with the broad appreciation that mutual defense can be achieved by aggregating workloads in the cloud, then letting experts at companies like Oracle automate security at scale. By concentrating the world’s most important data in the cloud, the “advantage shifts from attacker to defender,” Screven said.

But to work to defeat this threat to our economy and national security, business and technology leaders must better understand it.

Nation-state hackers have become a lot more sophisticated

Ten years ago, around the time Nicole Perlroth began covering cybersecurity for the New York Times, she got a front row seat to a state-sponsored cybercrime when a foreign hacking group penetrated the network of her employer. Perlroth embedded with the newspaper’s security team and watched the intruder for months.

The threat landscape has dramatically changed over the decade since, said Perlroth, author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.

Now, state-sponsored attacks aren’t just going after IP, but also target critical infrastructure, like oil pipelines. Optimists thought those attacks were still economic in nature, Perlroth said, but a recently declassified U.S. intelligence report described them as “the first stage of battlefield preparations.” Today, there’s no country in the world not investing in offensive, cyber capabilities, Perlroth said.

And while the United States “is still the world’s leading cyber superpower,” we’re also the most targeted and vulnerable nation, she said, “because we have digitized our precious data and critical infrastructure at a speed our adversaries have not.”

The escalation of ransomware attacks against corporations has highlighted that vulnerability. And the increasing costs of mitigating those attacks (often by paying off the criminals) is affecting the economy of the U.S. and its allies.

“Ransomware has evolved into its own economy,” said Yonatan Striem-Amit, CTO at Cybereason, a leading endpoint security vendor.

And just like with any legitimate industry, a number of new vendors and brokers are looking to seize the emerging opportunity. There are even Ransomware-as-a-Service providers, selling full product suites for automating attacks, even offering help desks to their clients, Striem-Amit told Oracle’s Jae Evans.

Ransomware will cost the United States six trillion dollars in 2021, with an attack staged every 11 seconds, former Defense Secretary and CIA Director Panetta said.

And some recent attacks have really exposed the national security implications, Panetta said.

The latest, an East Coast oil pipeline shut down in a ransomware attack, was “without question a national security incident,” Panetta said, the closest thing he’s seen yet “to an act of war.”

The same could happen to our electric grid, transportation systems, refineries, and petrochemical systems. “We can literally be paralyzed by an adversary,” said the former CIA director.

That escalation made clear that not only do corporations have to do a lot more to protect themselves, but the U.S. government must act more aggressively to thwart the threat, he said.

“We are at war. I believe we are at war in the cyber arena,” Panetta said. And this war must have an offensive component.

Panetta said the government should not only help private interests mount a stronger defense, but also use its own capabilities to retaliate against the attackers.

“I think those who are attacking us, ransomware or cyberattacks, they need to know they are going to pay a price. It isn’t just a convenient way for them to make money,” Panetta said. “It’s about deterrence, it’s about resilience, but it’s also about retaliation.”

Cloud creates economies of scale for advanced security

Consider how much a large bank might pay to feel confident it has secured its customers’ financial data, Oracle’s Screven asked.

It would certainly be a substantial sum. But since that bank is only guarding its own interests, the economics are very inefficient.

Hackers have leveraged automation tools to scale their operations—they attack lots of places at once. Only an infrastructure provider like Oracle, responsible for protecting a large number of clients at once, and at-scale, can invest the enormous amounts truly needed to thwart state-sponsored actors.

Oracle can “spend once and secure tens of thousands of customers,” Screven said, in effect, “amortizing that spend” across all those customers. That economy of scale allows Oracle to harden the greatest soft spot in cyber defenses: people.

The history of cybersecurity breaches presents a “pattern of breakdown in human behavior,” Screven said. People are the reason for systems going unpatched, storage buckets being left exposed, coding errors, administrative errors, and plain failures to manage systems correctly.

“Almost every single incident has occurred because of the failure of human beings,” Screven said.

And by automating their attacks, hackers have pushed further beyond the limits of even the most capable administrators to manually secure IT systems. That’s why there’s an “inevitable breakdown when you have human beings performing a lot of labor to try to secure a lot of systems,” he said.

At the end of the day, the only way to be truly secure is “to rely on systems that secure themselves.” Automated defenses are the key “to prevent administrators, even truly smart people, from making mistakes,” Screven said.

To that end, Oracle has a unique advantage in that it has built its own servers, storage, networking elements, Platform Services, all the applications, and the security protocols across them.

Being the industry’s only full-stack services provider allows Oracle to deploy a tightly integrated set of security technologies—comprehensive defenses are deployed at every layer of the stack, and they are highly automated to help counter attacks of any magnitude.

With security built into its cloud as a first principle—an approach to engineering stemming from the company’s earliest engagements delivering software to U.S. intelligence agencies—Oracle can implement a true zero trust model to protect customers. The technical challenges of deploying that kind of integrated security are insurmountable for on-premises environments, Screven said.

That’s why every major ransomware attack that’s ever happened has happened on-premises, Screven noted. So, the easy solution for organizations large and small is: “make it Oracle’s problem.”

Perlroth, of the New York Times, said companies have started thinking about the cloud differently as the cyber threat has become more apparent to business leaders.

Today they are asking themselves if they should really be expected, within their own budgets, to mount security that defends against nation-state threats. “Or, are we going to be more secure if we offload that to the big cloud providers that in effect have been able to build up their own mini intelligence agencies over the last decade to track and defend nation-state threats,” Perlroth said.

The cybersecurity battle is winnable

With the growing number of malicious state actors, their proliferating web of alliances with criminal organizations, and the ramping sophistication and brazenness of their attacks, the fight against cybercrime seems daunting.

But it’s important to remember “the battle is absolutely winnable,” said Cybereason’s Striem-Amit.

We have the security tools, methodologies, and strategies to defeat the hackers. And recent high-profile attacks have made clear to business leaders the importance of making the necessary investments.

“The cost of preparation is always going to be substantially lower than the cost of a crisis,” Striem-Amit said.

Winning this battle requires not only adoption of modern solutions that deliver greater visibility and control, but also a shift to a “forward-looking” security posture—one that extends across “all our new IT frontier” of cloud infrastructure, Software-as-a-Service, and identity and access management, he said.

Attackers have become more ambitious in scope, looking to penetrate entire networks rather than individual endpoints. That gives defenders a new advantage, as every time malware moves between machines, it leaves traces that can be flagged by behavior-based detection solutions.

“Every time they do something, we as a defender have an opportunity to capture them, eliminate them and completely root out past weeks or months of effort on their side to get that control of the environment,” Striem-Amit said.

The threat landscape has substantially escalated in recent years, Sri Shivananda, executive vice president and CTO of PayPal, told Oracle’s Jae Evans.

These days, “attackers have bosses, budgets and paychecks too. It’s not just a source of threat but it’s actually an industry by itself,” Shivananda said.

Fintech companies are particularly attractive targets, he said. That’s why security is part of every design consideration at PayPal—the first feature built into our products and services. 

“There are new and sophisticated methods of compromise that we see every single day,” Shivananda said. “We see attacks on us every single second.”

But innovations in secure architectures, methodologies and controls should give companies confidence that they can successfully thwart those threats.

Attackers are “using the most sophisticated methods” to attack systems, Shivananda said. “But, at the same time, so are all of us in the industry to help protect our customers.”

Panetta said the government can play a large role in helping the private sector be better prepared than it has been in the past. Legislation should be enacted to help nurture cybersecurity talent and motivate companies to implement best practices and adequately train their employees in cyber hygiene. Despite the spate of unnerving attacks, the former defense secretary believes we are on the right track.

By Joe Tsidulko, Oracle Corporate Communications