A cybersecurity expert suggests looking deep below the surface to find the cure for our lack of digital security.
Gregory Conti, Ph.D., senior security strategist at IronNet, in his Federal News Network article Why haven’t we ‘solved’ cybersecurity?, takes on a very difficult subject. To answer his own question, Conti, who gained significant cybersecurity experience working for several US security agencies and West Point, not only offers what he sees as big picture cybersecurity challenges, but big picture solutions designed to level the playing field.
“We’ve been working on cybersecurity by various names for many decades, but holistically solving the overall problem is still on the (far) horizon,” writes Conti. “We see point solutions, ambitious research initiatives, innovative start-ups, a lot of snake oil, and no real master plan.”
Conti then suggests, “Let’s look at what holds us back from faster progress and how we can chip away at the problem in a more organized and effective way.”
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Complex systems increase the likelihood of vulnerabilities: Like the printing press, the internet is now considered to be a disruptive technology. Interconnectedness has improved just about every facet of our lives, though there is a dark side. “The complexity of these large systems is effectively beyond human comprehension,” mentions Conti. “This complexity guarantees vulnerabilities. When we add an intelligent, motivated, and well-resourced adversary to the equation, we’ve got a problem.”
Misaligned incentives: Conti does not pull any punches when it comes to decision makers missing the boat. “If you had a real chance to become a millionaire or even a billionaire by ignoring security and a much smaller chance if you slowly baked in security, which path would you choose?” asks Conti. “We also fail to account for, and sometimes flat out ignore, the unintended consequences and harmful effects of the innovative technology and the ideas we create.”
Then there is the challenge of balancing a company’s gain versus the greater good. For example, if a cybersecurity company finds a new and troubling vulnerability, should someone at the company immediately announce it or sit on it until the company can monetize the fix? “Concerns over liability and competitive advantage inhibit the sharing of best practices and threat information that could benefit the larger business ecosystem,” adds Conti.
A national leadership vacuum: According to Conti, the private sector could use some help from the federal government. “All too often, however, there is a cybersecurity leadership vacuum at the national level,” explains Conti. “Many countries have a high-level strategic plan for cybersecurity and a leader with responsibility, but without the authority and resources, to accomplish the mission.”
Black swan events: A surprise with a major impact is called a black swan event; the COVID-19 pandemic would be considered such an event. Because of our rapid transformation to digital technology and the untrod paths that creates, black swan events are likely. “We’ve seen attacks that disable cars, collect cryptographic keys from volatile memory despite a reboot, cause robotic vehicles to drive off the road, exploit bit flipping cosmic rays, and monitor heat, light, sound and power consumption to collect sensitive information,” contends Conti. “The list goes on, and there are many more surprises lurking.”
The human element: We all get this–humans tend to be the weak link. Conti is not very optimistic about strengthening the link either. He contends, “We can educate people, create better tools to reduce errors, and disincentivize improper behavior, but at the end of the day, humans can’t be patched.”
Possible solutions to these cybersecurity issues
Conti, along with other experts, admit progress is being made, but he says that progress could be compared to the Whac-A-Mole game. As soon as an attack vector is stifled, cybercriminals shift to another. “We are making progress, but we must continue to chip away at the underlying causes to achieve a holistic solution,” writes Conti. “There is a long and challenging road ahead of us, one that requires new paradigms in cybersecurity.”
As to what can be done to reduce or eliminate the above concerns, Conti offers the following suggestions.
Strong and empowered national leadership: Just as C-level executives in a company need to be onboard with cybersecurity, so do high-ranking government officials. Conti suggests looking to Estonia as “an example of how it’s done right.”
A clear, long-term cybersecurity roadmap: Something Conti stresses is that whatever action is taken, it must be long-term. Every nation needs to implement a master plan. “I’m not talking about just a high-level strategic plan, but a serious long-term effort by the best and brightest to identify and prioritize key foundational cybersecurity problems, allocate resources, generate and share solutions, and, most importantly, understand the ultimate holistic objective,” writes Conti. “This vantage point must be bigger than what exists at DARPA and the National Science Foundation today.”
Collective defense: Conti talks about the importance of banding together, as a disjointed defense is destined to fail. The Information Sharing and Analysis Centers “have made a great start, and shown that teamwork is possible,” admits Conti. “We need to build upon this foundation to create real-time threat information sharing, collaborative analysis, collective exercises, and standardized operating procedures and interoperability.”
In his conclusion, Conti reiterates the importance of increased collaboration that bridges the private and public sectors and creates international cooperation. What Conti suggests is something cybercriminals are already doing–they cooperate. The bad guys have an easier task because cybercriminals only need one way in. Cyber-defenders must guard every conceivable weakness.