Remember "Ocean's Eleven," where George Clooney's character Danny Ocean masterminds an elaborate heist of the posh Bellagio casino in Las Vegas?

Mr. Ocean and his accomplices used social engineering, technical smarts, and strategically placed insiders to penetrate the Bellagio's comprehensive, state-of-the-art security system and abscond with $160 million. In "Ocean's Eleven," even the best defenses could not immunize the organization against penetration by concerted adversaries.

It is in this regard that "Ocean's Eleven" should serve as a cautionary tale to cybersecurity policymakers.

For more than a decade, US cybersecurity policy has focused on defense, using stronger locks and taller fences to protect government and corporate crown jewels from cyberintruders. A great deal of time and money has been spent beefing up cyberdefenses to prevent network intrusions. And there's reason to believe that certain defensive actions significantly enhance network security.

Consider, for example, the so-called "Australian Top 4." Those are the four defensive measures the Australian Signals Directorate says could prevent at least 85 percent of the targeted cyberintrusions to which it responds. The Top 4 requires, among other things, patching high-risk vulnerabilities within 48 hours and minimizing administrative privileges. Sure, defensive measures can prevent some cyberintrusions.

But even the best cyberdefenses are no match for certain intruders: nation-states such as China, Russia, Iran, and North Korea, and other concerted adversaries willing to go to almost any expense to penetrate specific networks of value to them.


Imagine, for example, that a group of Chinese government-backed hackers is targeting a specific US defense contractor's data. The hackers will not give up and move on to a different target simply because the defense contractor hardens its networks. More than a decade has passed since the discovery of Operation Moonlight Maze (1998), Byzantine Hades (2002), Operation Titan Rain (2003), and other cyberespionage operations allegedly orchestrated by China. Yet, despite ever-increasing government and private sector investments in network defenses, we don't appear to have made much headway on the nation-state-sponsored cyberespionage problem.

Recent media reports allege that a number of foreign hacking groups (Dragonfly, Newscaster, Axiom, and Unit 61398, to name just a few) are engaged in sophisticated, multiyear cyberespionage campaigns against a variety of US military and commercial targets.

Reports from US cybersecurity firms have offered a rare glimpse into the activity of these hacking groups. We have learned, for example, that Dragonfly (a.k.a. Energetic Bear) is a well-resourced, likely Russian government-backed, group of hackers engaged in a multiyear cyberespionage campaign that targeted defense and aviation firms before turning its attention to the energy sector in 2013.

More:
Opinion: What cybersecurity pros can learn from 'Ocean's Eleven'

February 25, 2015 at 8:10 pm by Mr HomeBuilder