No one chooses to be a cyber victim. No company tells its workforce to click on fraudulent web sites. No parent of a teenager wants their child to be bullied in cyberspace. No one likes the burden of rescuing a grandparent from identity theft. And certainly no company condones paying extortion money to ransomware syndicates operating in Russia. Yet these features of cyberspace intrude on us daily. They are abundant and accelerating exponentially. Why then are there not more calls to action?
To begin with, no discussion about the cybersecurity challenges in Hampton Roads can take place without first acknowledging the unique nature of our region. Hampton Roads is a vast military industrial complex and home to the largest military concentration anywhere in the world. This, unfortunately, is a double-edged sword. While we enjoy an enormous bounty of defense work and access to a tremendously professional work force, our ties to the military draw the attention of cyber criminals and hacker countries that want to steal ideas, plans, and money. For our military-industrial complex, it is the “malware industrial complex” that sees us as opportunistic targets. Nation-states realize that “cyber island hopping” from one contractor to the next is made easier by a wholly interconnected and closely aligned public, private, and defense network.
For cyber criminals, it is a simple and financially rewarding prospect. For the business community, it can be devastating. Take, for instance, Business Email Compromise (BEC). As reported by the FBI, “the BEC scam continues to grow and evolve and it targets businesses of all sizes.” There has been a 270 percent increase in identified victims and exposed loss since January 2015. The scam has been reported in all 50 states and in 79 countries. Nearly $800 million was lost to this scam alone. Unfortunately, so far law enforcement of cybercrime has not been very effective.
That leaves businesses faced with a shocking reality: when it comes to protecting the company from cyber crimes, they are, more or less, on their own. And it will only get worse. The coming Internet of Things (IoT) will spawn 27 octillion new possible connections enabled through IPv6. Certainly these technologies offer salient financial and real-world opportunities. While we may soon enjoy such freedoms as a smart refrigerator that notifies the store when ketchup is low or a car that drives itself while communicating with other self-driving cars to prevent accidents, these new capabilities come at a price.
As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the internet also increases the target space for malicious cyber actors. Deficient security capabilities and difficulties in patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety.
From the Hampton Roads Chamber of Commerce perspective, the scary implications are many: (1) Cybersecurity spending is seldom aligned with business objectives, with allocation of resources tied to risks. (2) Business partners fly under the security radar, and third-party attacks are the tradecraft of hackers. (3) Supply chain flows of data often don’t comply with privacy and security policies. (4) Mobile technology risks are proliferating, but security efforts are not keeping up. (5) Most businesses fail to (or don’t know how to) assess the threats. (6) External collaboration is critical to understanding today’s threats and improving cybersecurity, but most don’t work with others in cybersecurity. (7) Cybersecurity incidents carried out by employees are both serious and seldom addressed with the same rigor as external threats like hackers. (8) Employee vulnerabilities are well known, but businesses do not train workers in good cybersecurity hygiene.
So what should be done? According to the Secretary of Homeland Security Jeh Johnson, “Cybersecurity is a shared responsibility.” So everyone needs to work on this: government officials and business leaders, security professionals, academics, healthcare providers, and anyone who envisions using the IoT -- which is everyone. But what does this mean in practical terms? First, we must elevate the cybersecurity discussion to the boardroom and make cybersecurity an operational and risk management priority. Second, we each must design and implement incident response plans and include a ‘cloudy day’ backup. Third, we must share information to create a united response. Organizations such as the non-profit Cyber Protection Resources (CPR) advance these goals, while the 2015 Commonwealth of Virginia CyberSecurity Commission Report sets objectives for what CPR should focus on.
The role of the Hampton Roads Chamber of Commerce is to ensure businesses are successful. This is why we are in full support of CPR and its efforts to provide advocacy, support, and coordination on all aspects of cybersecurity education and training, cybercrime, and cyber research, while helping coordinate the development of an advanced cyber workforce. CPR provides a cyber-bridge between Virginia’s expansive military industrial complexes, the premier academic institutions, and the thriving tourist and port economies. These cyber-bridges connect experts in cyber security with entities that lack resources, lack access to resources, or are trying to establish a corporate foothold in the region. They also provide cyber and STEM scholarships, provide online cyber resources, keep current with cyber legislation, and reach out to communities where cyber training may be less popular.
CPR also hosts comprehensive cyber symposiums. The next Cyber Security Symposium is at the Virginia Beach Westin on March 24th, where state and national government and business leaders will provide insights on the way ahead in cyber for the region.
Hampton Roads has a very high demand for cyber services, and the demand will only increase. The number of Hampton Roads companies providing Cyber Security services in both the federal and commercial sectors is now over 100 and growing. It is a work space where over 500 jobs are advertised on a daily basis.
The time has come for us to develop a collaborative regional approach to protect ourselves and our business community from cyber threats. Let’s let the Cyber Symposium on March 24th serve as a rallying call for the Hampton Roads business community to organize and unify around this important issue. We must step up our cyber hygiene now!