The U.S. and U.K. are relatively well prepared for cyberattacks, compared to many other developed nations, but everyone has more work to do, according to a new cybersecurity study from McAfee and Security & Defence Agenda (SDA).
The report, which ranks 23 countries on cybersecurity readiness, gives no countries the highest mark, five stars. Israel, Sweden and Finland each get four and a half stars, while eight countries, including the U.S., U.K., France and Germany, receive four stars. India, Brazil and Mexico ranked near the bottom.
No country is ahead of cyberattackers, said Phyllis Schneck, CTO of the public sector for McAfee. The bad guys are “faster and swifter” than the good guys, she said.
Cybercriminals don’t have to wrestle with legal and policy questions and freely share information with each other without worrying about competitive issues, she said. “We’re up against an adversary that has no boundaries, and we have to go to meetings and write reports to put data together,” Schneck added. “We’re at a huge disadvantage.”
SDA, a cybersecurity think tank in Brussels, interviewed 80 cybersecurity experts for the report and surveyed an additional 250. Fifty-seven percent of survey respondents said they believe a cyber arms race is happening, and 36 percent said they believe cybersecurity is more important than missile defense. Nearly half, 45 percent, said cybersecurity is as important as border security.
A common theme among the cybersecurity experts was a need for real-time global information-sharing about cyber-threats. Cyber-experts have long called for the better sharing of information among companies and between private businesses and government, Schneck said, but the report opens up the idea of new global agreements — short of difficult-to-approve treaties — that can lead to information sharing.
Countries can work together to establish information-sharing “rules of the road,” Schneck said. “While you can’t have a free for all — just throw it all out there — there should be a way to take the most egregious information and make it actionable by a man on a machine.”
Companies are worried about endangering their customers, lowering their stock prices and other problems that come from sharing too much information, she added. “I think every rational person on the planet would agree that, if you put all our information together, we get a better threat picture,” she said. “By the time we figure out the crumb that we can share, it’s no longer even valuable.”
But real-time information sharing is one way legitimate groups can gain an advantage over cyberattackers, Schneck said. “That’s what the adversary cannot do,” she said. “The adversary does not own the network infrastructure; the good guys do. They can’t do anything real time, as far as putting data together, we can.”
In the country rankings, cybersecurity experts interviewed for the report praised U.S. efforts, including the creation of a U.S. White House cybersecurity czar last year. In recent years, the U.S. government has focused more on cybersecurity, they said.
Countries ranking in the middle of the pack included Japan, China, Russia and Canada, while Brazil, India and Romania received two and half stars and Mexico just two stars.
“In India, we went straight from no telephones to the latest in mobile technology, and the same with Internet-connected computers,” said Cherian Samuel of the Institute for Defence Studies and Analyses in New Delhi. Samuel was quoted in the report.
The ratings are based on the Cyber Security Maturity Model developed by Robert Lentz, president of Cyber Security Strategies and former deputy assistant secretary for cyber in the U.S. Department of Defense. Lentz’s model pushes for resilient, predictive defense capabilities as opposed to reactive and manual or tools-based defenses.
The report makes a number of recommendations. Among them: Companies and governments should work together to set up trusted information-sharing groups and pump up public education campaigns focused on cybersecurty. The report also calls on companies to focus on smartphone and cloud computing security.