[Posted on Behalf of Steve King, Director, Cybersecurity Advisory Services at Information Security Media Group (ISMG) ISMG]
We have made a flawed assumption about cybersecurity and based on that assumption we have been investing heavily on people, processes and technologies that are taking us in the wrong direction and causing us to lose the war against cyber-criminals and terrorists.
The evidence is irrefutable. The world spent more than $124 billion on cybersecurity in 2019; an increase of 9% from 2018 and in addition, the federal budget for cybersecurity adds another $25 billion (that they can disclose publicly) to that spend rate. Yet in spite of that spending, in 2019 alone, 7.9 billion consumer data records were stolen by cyber-thieves through 5,183 data breaches which was an increase of 300% over the prior year and represented an estimated cost to companies of more than $2 trillion – all record highs.
The cost of the average data breach to companies worldwide increased to $3.92 million (USD) while the cost of the average data breach to a U.S. company climbed to $8.19 million (USD) and the average time it took to identify a data breach rose to 206 days.
Every single metric points to an increase in successful cyber-crime, more breaches, new and improved malware and threat vectors, and increased spending to detect, prevent and mitigate cyber-crime, breaches and malware. (All data from Ponemon Research, Verizon and ForgeRock studies)
Net: We spend more each year and produce worse results.
If you are a consumer, you should assume that your data has already been confiscated and made available for sale on the deep or dark web. Following the Equifax breach, there are few Americans remaining whose data has not been stolen.
If you are a business, hospital, charity, airport, government agency, educational institution, or rely in any way upon the internet, you should assume that you will be hacked, and your systems will be breached.
If you are a geo-politically conscious citizen, you should be worried that international cyber-strikes carried out by bad actors targeting America’s critical infrastructure (energy, water, transportation, communication and military grids) will be used as an alternative to kinetic conflict and will serve to escalate real-world tensions.
We are badly losing this cyber-war across all theaters of combat. From education to economics, from technology to intelligence, and from managerial approach to the psychology of engagement.
Earlier in my career, I ran large scale data centers for a living. Initially, a couple of local data centers for Memorex and later a national network of big data centers for Health Application Systems (HAS). Memorex manufactured large computer storage systems, communications peripherals, “mini-computers” and audio recording tape cartridges. HAS was the second largest health care claims processor behind EDS at the time.
I mention these two companies because one of the themes surrounding Cybersecurity in the modern era addresses the complexity facing today’s Information Security practitioners, who are generally known as chief information security officers (CISOs).
The role of the CISO may be the most difficult and challenging of all corporate governance responsibilities. Not only are they tasked with preventing cyber-crimes and data breaches which evolve daily and present as zero-day threats (those never seen before), but they must also do this work in disparate organizational cultures and complex and evolved technical environments not initially designed to protect the broad variety of information asset classes that reside within those eco-systems.
Memorex thought of themselves as an innovative “fast” company, yet they ran conventional discreet and process manufacturing operations, supported by conventional information technologies. Their secret sauce was innovation and it was supported by scads of patents but cranking out cassette tapes and digital storage systems was pretty mundane stuff and was framed in a fairly static organizational structure.
HAS on the other hand, was driven entirely by a governmental and commercial contracting system that required new providers to be up and running within 90 days of the contract award with a data center presence located in the state in which the contract was granted. We opened new, behemoth data centers at such a pace that IBM had to continually knock other customers out of the queue in order to satisfy our needs. A pace that would have made heads spin at Memorex.
In addition, Memorex possessed digitized assets that reflected a deep library of patented chemical, engineering and manufacturing processes representing high value intellectual property while HAS instead held enormous volumes of what today is known as PHI or personal health information and other personally identifiable information on all of its customers’ patients. The data vault at Memorex would not require regulatory compliance in today’s terms, but the HAS data would have been protected under penalty of fine by HIPAA and other regulatory agencies at the state levels in 2020.
The processes involved in data protection and the cultural differences were like night and day and each required an entirely different set of skills and policies to succeed.
The CISO of 2019 is faced with a far more sophisticated and variable set of circumstances under which to manage and working with a complex set of moving parts in a static environment as it was in the Memorex and HAS days is nothing like managing the same moving parts in a dynamic and rapidly changing environment like the current world of cybersecurity.
Running cybersecurity at the City of Atlanta is quite different than running it at JPMorgan Chase Bank.
In the middle innings of IT, running data centers also meant managing systems programming teams. Systems programmers were the glue that kept the early mainframe operating systems maintained, updated and running properly. Which was necessary so that data centers could continue processing data without crashing. IBM owned the large-scale data center market at the time and their computing architecture was designed in such a way that the hardware and the operating system were separate components. This enabled IBM’s customers to run various flavors of operating systems depending upon their needs. A bug in the operating system that was not properly patched led to frequent and confusing outages, unhappy end-users, and a continuous dependency upon the systems programmer.
Systems programmers worked in a language known as Assembler which was a lower-level language than that used by programmers who built accounting and manufacturing applications in, (which was usually) COBOL at the time. Lower level means closer to the operating system and thus much harder to learn and apply. Systems programmers were perceived to be the elite athletes or the “real” computer jockeys and were generally given a much looser length of rope than their counterparts on the business application programming side.
While at Memorex, I had the unique pleasure of “managing” one very smart young system programmer from the University of Michigan by the name of William (Shawn) McLaren.
Shawn was able to solve the mundane daily challenges of keeping the operating system and associated software running with relative ease, which gave him plenty of time to think about larger issues like more efficient ways to utilize storage (disc) space and a better way to assure that sensitive data was protected from people who should not have access.
This thinking led to the development of an innovative disk space management capability, which led to Shawn’s departure and to our creation of the Cambridge Systems Group, the commercialization of that storage archival capability (ASM2) and ultimately to the productization of a data security solution which would become ACF2, and which quickly overtook IBM’s competitive product (RACF) to become the market leader in that space.
ACF2 was arguably the first broadly successful data security product for the commercial markets and became the standard against which subsequent data security products were judged.
Anyone running a main-frame data center at the time would recall their first meetings with the Internal Audit team who suddenly wanted to understand how all of this digital representation of information was being protected. It was the beginning of modern information security as I knew it and while it would not be until 1994 when Citigroup suffered a series of cyber-attacks from a Russian hacker and created the world’s first formal cybersecurity executive office, led by Steve Katz, the world’s first CISO, we had nonetheless embarked on the path toward consciousness about the protection of digital assets.
Back in those first few innings, none of my friends or former classmates understood what I did for a living. IT was (and remains today) a mystery to most people, including many CEOs who run large companies whose success depends increasingly on a digital world made possible through information technology innovation and management. IT was always perceived to be a dark dimension in which stuff happened that frequently resulted in reports being both wrong and late, systems crashing in the middle of the night and the creation of mysterious worms and viruses snaking their way through the network and taking control over end-user terminals and workstations.
The fellow (as was almost always the case back then) who ran IT usually possessed a fairly shallow skill set focused on technology alone. Most people in corporate sort of kept their distance as while IT was necessary, no one knew how it did what it did or where to place it in the organization. Most often it reported to the CFO which was a safe choice based on the premise that if you had something weird and too hard to understand, the safest place to put it would be with the finance guy.
That person who never loses anything and never lets bad stuff happen.
I mention this because as you will see, the evolution of today’s CISO and the CIO roles and personality types along with their relationships within the organization has evolved through similar paths and present a formidable challenge to the business of getting cybersecurity right.
In the middle innings, that consciousness about the protection of digital assets got suddenly elevated through the adoption of a technology known as the Internet that like electricity, changed our world completely.
The Internet overnight enabled the connection of all computing devices on a global network that ushered in an era of access by anyone to anything and the exposure of new vulnerabilities, threats and risk. The field that had been known as data security or information security was now being referred to as cybersecurity. It was one thing to protect information assets that were stored in a computer or on magnetic disk or tape and held in a secure data center facility whose access was controlled by physical security devices and armed guards. It was something else entirely to protect those same assets now that they were out travelling deterministically through cyberspace.
It got really hard, really fast.
Threats suddenly spiked. From the first computer worm created as a programming assist in the 1970s which was manipulated to destroy and alter data, to morph into a handful of self-modifying viruses in the 1990s. Following that 20-year span where the evolution of computer viruses went unaided by the Internet, came an onslaught of Microsoft Word-based viruses using macro commands that spread across the world, an epidemic of “Solar Sunrise” denial of service (DoS) attacks that successfully targeted hundreds of government, military, and private computer systems in the late 1990s to more advanced distributed denial of service attacks (DDoS) that crippled Amazon, Yahoo and eBay’s websites later in the decade.
These multiple flavors (D and DDoS) of website attacks used a flooding technique to hammer the sites with so many requests that they ceased to function and crashed. In the DoS version, a single computer and one Internet connection is used to flood a targeted site. The more advanced DDoS attack uses multiple computers and Internet connections to flood the targeted site. I point this out because it is a classic example of how easily and rapidly bad actors can advance their art from one form of an attack vector to its next logical extension.
DoS attacks became much more powerful DDoS attacks in under two years.
Fast forward to the next decade and by the mid-oughts, as the world connected to the Internet in unprecedented numbers, widespread infection rates exploded as well. In 2007, multiple advanced viruses were using email and social media platforms as spreading mechanisms, successfully infecting millions of computers. By 2009, sophisticated malware like Conficker and Heartbleed which took advantage of vulnerabilities in security software libraries, were able to steal passwords, administrative credentials and customer data.
In order to accommodate the Internet, computer software and operating system architecture evolved to provide logical interaction with the pipes that the Internet provided and in so doing, created a natural complexity with vulnerabilities that were easily exploited by bad guys. The first major breach that received global notoriety and caused the dismissal of the top IT and Information Security officers was the successful attack in 2013 on the Target Stores’ retail point-of-sale system servers that resulted in the theft of 70 million customer records.
After that seminal Target breach, an escalating string of ever-more advanced cyber-attacks over the ensuing years began to successfully hit big technology companies like Yahoo, Facebook and Google, big financial services companies like CapitalOne, JP Morgan Chase, and Heartland and big healthcare companies like Anthem, Banner, Blue Cross and Community Health Systems.
These attacks have combined to represent hundreds of millions of sensitive personal health and other personally identifiable information that were stolen and offered for sale on the dark web.
As these threats evolved and multiplied, we in the Cybersecurity industry found ourselves scrambling just to keep track of the techniques and technologies that were being used in each new breach and developing new software technologies, controls, policies and processes as quickly as we could to prepare for, detect, block and mitigate each new threat as it showed up in our environments.
This reactive, responsive and defense-oriented posture has been aptly described as a game of whack-a-mole.
If you have ever played or seen someone playing whack-a-mole, it becomes obvious immediately that no matter how many moles you hit on the head with your hammer, more moles will continue to appear. It is a comedic game played in the physical world only for laughs and only in arcades.
In the cyber-world, it is just as futile and deadly as a heart attack.
As I indicated at the start, as long as we continue to play this game by the rules established in the whack-a-mole world, we will continue to lose. We need to abandon the syllabus we have inadvertently created through our desperate requirement to respond and scramble to protect and defend as best we can, and start moving toward a new doctrine that is focused on offensive, proactive risk management.
What does that mean and how will that change the shape of the problem space?
There has been abundant discourse about the current theaters of battle in which we prosecute this cyber-war, debating the ways in which we have fallen behind and defining what must be done to reverse course. The battlefields are education, intelligence, technology, economics, psychology and management.
In each theater, we are arguably making the wrong choices.
And the more we continue doing it wrong, the more cyber-incidents, attacks and breaches will occur, more records will be stolen, more data and identities will be manipulated, more lives will be placed at risk, and more of our intellectual and competitive advantage will be squandered.
What we must change is our philosophical approach to Cybersecurity defense and prosecution.
Not unlike most wars in which we have participated since the clear global threat posed by WWII, we have operated under rules of engagement that were designed to limit collateral civilian damage and reduce the scrutiny of global consciousness, deflecting the horrors and casualties to limited attention on the very back pages of our media platforms.
The result of prosecuting under these limited ROEs, has not been dissimilar to our record on the war against Cyber-crime. Success regression, failure denial, increased cost, mis-management, a piling on of opponent victories all leading to the ultimate abandonment of objectives and an acceptance of defeat – while we’re not quite to Vietnam yet, we are definitely on the path.
This year, COVAD-19 arrives out of nowhere and becomes a lethal accelerant that fuels an explosive threat landscape expansion and increases the complexity and the scale of response difficulty, pushing the risk envelope to otherworldly dimensions.
Our response of course is to increase our defensive tactics and beef up our perimeter patrols.
Until we adopt different rules of engagement and begin aggressively pursuing our adversaries regardless of collateral damage in cyber-space, we will continue to repeat our year-over-year pattern of increased spending while we observe corresponding increases in lost and stolen data, PII and PHI, breaches and intrusions against even the best prepared among us, and a growing army of adversarial combatants continually discovering new attack vectors against which we are unable to defend – all from the sidelines.
Without a new direction, the future ain’t bright.
.png)
Comments