Global Security, Privacy, & Risk Management

“New cybersecurity reality: Attackers are winning” – You don’t say? February 29, 2012

The title of this blog was taken from a CNN article published today which quotes RSA chief executive Arthur Coviello.  The article, and Mr. Coviello, finally concede that the bad guys (cyberthieves, hackers, hactivists) are “winning”.  Forgive my cynicism but this has been well known for some time and loudly proclaimed by numerous people.  “In the area of cybercrime, it’s the criminals who are winning.”; “The criminals are absolutely ripping us to shreds, We’re not even slowing them down.” ;“We’re losing the battle, That’s the reality of it.” This was not a comment by RSA from 2012 rather a comment by me (Chris Mark) in October 2010 at an InfraGard meeting at which I was speaking.  You can read the Salt Lake Tribune Article here.

The point is not for me to attempt to say “I told you so” rather to point out that what RSA is, in 2012,  finally conceding has been well known, and acknowledged for some time by numerous others within the area of cybersecurity.  It is not until RSA experienced their own breach of their vaunted SecureID system that they recognize that they are as fallible as the rest.  As stated by Mr. Coviello: “Our networks will be penetrated. We should no longer be surprised by this.”   RSA further states: “The reality today is that we are in a race with our adversaries, and right now, more often than not, they are winning.”

The issue at hand is one that is familiar to those who have worked in the payment card or other industries for any amount of time.  It is a sense of arrogance and infallibility until it is your own network that is penetrated.  At that point we often see companies conceding what it appears RSA is conceding here.  (not their quote) “If we can be breached then there is no hope for anyone.”  The point is security should not be reactive.  Companies need to recognize the threat before it hits their own networks and should take steps to address the vulnerabilities and mitigate the risk.  I am personally a fan of SecureID and two-factor authentication and have recommended RSA more times than I can count.  That being said, there appears to have been a degree of complacency on their part and now their mea culpa is to concede that “we are losing the battle”.