Government can take greater lead on IT security, says Gartner
Gartner VP warns of worsening cybersecurity, says government can play bigger role
Governments are struggling to find their role in tackling the worsening cybersecurity environment, according to Gartner research VP Greg Young.
Speaking at the Gartner Security & Risk Management Summit in Dubai this week, Young said that the overall security situation is getting worse as organisations face an increasing number of threats across different vectors coupled with a shortage of skilled IT security professionals.
Among the threats to IT security is the ongoing failure to address known security issues, with many incidents caused by exploits of old flaws in systems, although the security industry is more focused on unknown, 'zero day' threats. Three-quarters of all web servers are not secured properly, and with the rise of mobile devices and the Internet of Things, the number of different systems that can be attacked or used as a platform for attack is increasing rapidly.
"Today things are pretty bad," Young said. "One of the concerns that we have is that when we look at the timeframe, 2014 onwards, it is not only that we haven't got better at securing all these problems, but that the problems that we are finding are more serious; the spike in the criticality, how severe these holes are, is even greater. We are getting a lot worse at security overall.
"As a security person, I have always really disliked FUD - fear, uncertainty and doubt - but a practical look at the facts says this is not a great message," he added.
Many organisations are turning to encrypted communications, which provide a degree of privacy and security, but encryption is also having a negative impact on security, Young added, and it is also being used by attackers. By 2017, more than half of network attacks against enterprises will use encrypted traffic to avoid detection.
"One of the downsides we are seeing is that a lot of the encryption blinds security technology. Anti-virus and so on that looks for the threats can't see through encryption. It can make us less secure as well," he said.
Lack of IT staff with security skills is becoming the most severe issue for security: around 40% of all security positions are unfilled at present, and Gartner predicts this could rise to 50-60% within the next few years.
Young said that the issue was not one of spending on security, which continues to increase, but rather that there are simply not enough staff to make effective use of all the security tools and applications that organisations are deploying.
"You can't keep giving the same number of staff more and more tools and expect them to do the task, it is overwhelming them. In some of the biggest attacks we've seen, people had a lot of tools, but it was just too much for them," Young said.
There are a number of areas where governments could take a better lead on security, Young explained, such as giving more advice to companies instead of just implementing rules, better information sharing, and more encouragement for training.
"What is clear is that government has a role, but many governments are struggling with it," he said. "Too often governments want to tell people to secure things, rather than help them how to secure them. Instead of providing guidance on, say, how to make your web server better, they say 'if you don't secure your web server there is going to be a fine', without giving any guidance or assistance or resources, especially for small and mid-sized businesses who are really struggling with that."
He cited the US National Institute of Standards and Technology's (NIST) Computer Security Resource Center as a good example of government assistance for small businesses.
Young also said that government surveillance of citizens and government espionage is "hurting more than helping us". After the leaks made by Edward Snowden revealing the extent of government surveillance, the use of encryption for legitimate and illegitimate means has increased.
Backdoors in IT products or in communications systems that are put in place by government can equally be exploited by hackers, he also warned. Export controls and bans on products from certain countries are weakening the overall security landscape as well. By 2020, Gartner expects 10% of RFPs for network security products and services will exclude US or Chinese products, and by preventing deployment of best-of-breed solutions in some countries, the security infrastructure overall is weakened.
State-sponsored attacks against businesses are also an area of concern for Gartner.
"State-sponsored spying, we are not taking sides here, all of the big countries are doing it; but it is mostly when a company gets targeted by a state, then it is kind of unfair. Countries fight countries - that is one thing, but if a company gets hit with that state-sponsored level of attack capability, it is so high and so advanced that it is often unfair," Young said.
The level of damage that can be inflicted by a state-sponsored attack could put companies in a difficult position as well: if they are not legally obliged to disclose, they are forced to choose between revealing they have suffered an attack, and risking damage to reputation and share price, or keeping the attack secret to preserve reputation.
Lack of information sharing is also a problem going the other way, from government to the private sector, Young added.
"Governments are really good at intelligence gathering, but really bad at sharing it. It is often a hole that a lot of really useful information goes into, that could be used to stop attacks, and it wouldn't really be a big problem to share it, or to let a company know that it is being targeted. It is a really difficult cultural change for them to make, even helping their own citizens and own companies. Often companies will get hurt when somebody in government maybe knew that was coming. That is a shift that is slow, and difficult, but I think that could change."
Government could learn from organisations in the critical infrastructure and financial sectors, which have developed 'grass roots' communities to share threat intelligence, protection information, best practices, and so on, Young noted.
In the GCC, Young said there is an excellent level of security awareness among government, primarily because of the higher rate of cyberattacks and the importance of protecting critical infrastructure and national industries, but that staffing was still an issue.
"What I am encouraged to see is that there is such interest, I think through necessity there has been an incredibly good interest and investment in security. The challenge again is the staffing, not just for the government, but for everybody, there are just no people, it is a real limitation," he added.
"Overall, how we have been doing staffing, training of security people, that has to change. It is necessarily difficult, but I think government can have a really interesting role in supporting and promoting it. That is one thing we haven't seen much of around the world yet, there is more training and promotion that could go on."