At an event hosted today by Atlantic Media, Nextgov’s parent company, an audience member asked a question that resonates well after the recent hacks of government and industry.
Why don’t we learn from these breaches, especially when we see the same type of malware used repeatedly?
The question was directed at Meg King, strategic and national security adviser at the Wilson Center, who said the problem isn’t so much that organizations aren’t learning -- it's more about cultivating public-private partnerships that can share cyberthreat information in real time rather than just "rapidly."
Currently, there is no legislation that mandates any type of cyberthreat information sharing between the government and the private sector. The Cybersecurity Information Sharing Act, which aims to make it easier to share threat information between the two sectors, has languished for years in Congress.
King, whose research at the Wilson Center includes examining ISIS’ cyber caliphate and confronting terror-affiliated hacktivists, also talked about whether cyberterrorists could potentially start using zero-day exploits -- a previously unknown software vulnerability -- to attack U.S. entities.
Last August, suspected Russian government-backed hackers compromised systems at JPMorgan Chase using a zero day vulnerability. The software bug Heartbleed, which affected millions of websites and was deemed “catastrophic” by security expert Bruce Schneier, was also a zero-day flaw.
Zero days require a certain level of expertise, King said, and though there is a possibility terrorists could hire someone who has the right skills, the chances are bigger that a nation state would use that type of exploit.
“It’s very hard to know, unless you go trolling the Dark Web,” she said, referring to the online underground. “But I think it’s much more likely we’ll see more and more zero days . . . in an act by a nation state."