With all of the cybersecurity legislation activity in Washington, GAO Director of Information Security Issues, Gregory Wilshusen, testified before the Homeland Security Committee in the House of Representatives this week. Director Wilshusen described sources of cyber threats including botnet operators, criminal groups, hackers, insiders, and nations.
Which of these pose the greatest threat? Wilshusen didn't say but many experts have been sounding the alarm around nation states, specifically the People's Republic of China. It is interesting to note however, that enterprises have greater concerns with other adversaries. In a recent survey of 244 enterprise security professionals (i.e. those working at organizations with 1,000 or more employees), ESG asked them to identify the groups that pose the greatest security threat to their organization (in terms of launching a targeted attack against them such as an Advanced Persistent Threat). The results were as follows (note: multiple responses were permitted):
- Hacktivists (defined as groups who use computer hacking as a form of protest or civil disobedience), 46%
- Organized crime, 42%
- Competitors conducting industrial espionage, 41%
- Nation state, 34%
- Terrorist organization, 28%
- None of the above, 5%
The research was focused on APTs so ESG also segmented survey respondent organizations into three categories: Most prepared for APTs, somewhat prepared for APTs, and poorly prepared for APTs. Those most prepared were also paranoid. For example, 54% of the most prepared organizations thought nation states posed the biggest threat as compared with 34% of the total survey population. Clearly, security professionals, those with the most experienced cybersecurity experienced, are very concerned.
This data can be added to Director Wilshusen's expert testimony and hopefully help to educate congressman about the cyber threats our nation faces. Based upon ESG data and years of experience, I believe that cybersecurity legislation should be governed by facts, common sense, and public safety rather than political or financial agendas.
You can read Jon's other blog entries at Insecure About Security.