Why haven’t we ‘solved’ cybersecurity?
By Gregory Conti
About 15 years ago a friend told me cybersecurity would be solved in a few years. I disagreed at the time and I disagree today. While I do have some optimism, I wish the situation were better. The root causes of cyber insecurity are very difficult to resolve. An interesting recent publication described cybersecurity as a wicked problem due to its complexity. It is hard to disagree.
We have been working on cybersecurity, under various names, for many decades, but holistically solving the overall problem is still on the (far) horizon. We see point solutions, ambitious research initiatives, innovative start-ups, a lot of snake oil, and no real master plan. Let’s look at what holds us back from faster progress and how we can chip away at the problem in a more organized and effective way. Here are some of the big-picture challenges.
Complexity Guarantees Vulnerabilities
The developed world has raced to adopt network-based technologies for consumers, businesses, the military and government. These technologies brought massive new efficiencies, but also global dependence. It is difficult enough to create and operate large-scale IT/OT systems without considering security. The complexity of these large systems is effectively beyond human comprehension, and that complexity guarantees vulnerabilities. When we add an intelligent, motivated and well-resourced adversary to the equation we have a problem. Attackers enjoy an asymmetric advantage over defenders: the defender must understand and protect the whole system, while the attacker only needs to find and exploit a single weakness, which takes far less complexity and far fewer resources. This calculus favors the adversary almost every time. Throwing more money at the problem doesn’t guarantee success, and reducing the complexity of IT/OT systems isn’t likely any time soon.
Misaligned Incentives
Cybersecurity-related incentives are misaligned and often perverse. If you had a real chance to become a millionaire or even a billionaire by ignoring security, and a much smaller chance if you slowly baked security in, which path would you choose? We also fail to account for, and sometimes flat out ignore, the unintended consequences and harmful effects of the innovative technology and ideas we create. Who would have thought that a social media app built in a dorm room would later help topple governments and make its creator one of the richest people in the world?
Cybersecurity companies and individual experts face the difficult challenge of balancing personal gain against the greater good. If you develop a new offensive tool or discover a new vulnerability, should you keep it secret or make a name for yourself through disclosure? Concerns over liability and competitive advantage inhibit the sharing of best practices and threat information that could benefit the larger business ecosystem. Data has become the coin of the realm in the modern age. Data collection is central to many business models, from mature multinational companies to new start-ups. Have a data blind spot? Create a new coffee pot that monitors coffee consumption or a TV that tracks viewers’ reactions to advertisements. Keep the data forever. Data that is collected broadly and retained indefinitely is data that will eventually be breached; breaches are a natural outcome of the model, not an accident. An undergraduate course in ethics won’t overcome misaligned incentives rooted deeply in human nature and business competition.
Lots of Noise and Little Signal in the Marketplace
Paradigm-shifting security solutions are rare in the security marketplace. There is much noise and little signal. If you’ve walked the vendor floor at any major security conference you’ll know what I mean. I’ve enjoyed free beer and popcorn, and even met Ozzy Osbourne on the vendor floor. However, I’m not alone in saying it’s difficult to pick out the few interesting standout technologies from the crowd. The free market can be a powerful source of cybersecurity innovation, but the opportunity for profit, driven by the critical need for security, clouds the environment.
A National Leadership Vacuum
Addressing cybersecurity challenges requires strong leaders who are empowered and resourced. The private sector has largely figured this out: in mature organizations, CISOs and CSOs report directly to the CEO or CTO and spend frequent time with the Board of Directors. They create roadmaps to take their organization from its current level of security maturity to a higher level. All too often, however, there is a cybersecurity leadership vacuum at the national level. Many countries have a high-level strategic plan for cybersecurity and a leader with responsibility for it, but without the authority and resources to accomplish the mission. National commitment is essential, but even the most committed nations have room for improvement.
Policymakers can be an essential part of the solution, but their ability to create change is constrained by election-cycle timelines at best, and news-cycle timelines at worst. Polarized politics make matters worse. A long-term, sustainable vision is elusive. We also have to be careful to defend our democracy without undermining its core principles in the name of cybersecurity. Our democracy is a precious thing, but there is a real limit to what a democracy can dictate in terms of cybersecurity.
Black Swan Events
A black swan event is a surprise with a major impact. A textbook example is the COVID-19 pandemic, which shifted many people to remote work, vastly increased the attack surface of companies, and provided cover for malicious activities. In security we feel black swan-type pain regularly because of dangerous assumptions or a failure to conceive of what is possible. We’ve seen attacks that disable cars, recover cryptographic keys from volatile memory even after a reboot (cold boot attacks), cause robotic vehicles to drive off the road, exploit random bit flips such as those caused by cosmic rays, and monitor heat, light, sound and power consumption to extract sensitive information (side-channel attacks). The list goes on, and there are many more surprises lurking. Just wait.
Those Pesky Humans
And then there are humans, perhaps the most pernicious problem of all. Humans created every computing system on the planet. Humans are fallible and make honest mistakes that compromise security. Some are lazy and take shortcuts that weaken defenses. Others are uninformed and don’t apply proper security hygiene. Some work around security controls to get their job done. Many share “news” stories via the misinformation tire fire that is social media. Others can be coerced through threats and blackmail into subverting security. And some are malicious and attack systems. We can educate people, build better tools to reduce errors, and disincentivize improper behavior, but at the end of the day, humans can’t be patched.
Cybersecurity challenges are legion. The root causes spring from all-but-irresolvable contradictions and dilemmas. We are making progress, but we must keep chipping away at the underlying causes to achieve a holistic solution. There is a long and challenging road ahead of us, one that requires new paradigms in cybersecurity. Here are three suggestions.
1. Strong and Empowered National Leadership
Every country needs a single, long-term leader who orchestrates security initiatives as a whole-of-nation effort. This very senior individual needs the background, responsibility, resources and authority to get the job done. Choose whatever title you want, but they should report to the highest levels of government, ideally the head of state or government. Importantly, each nation’s highest leader must make cybersecurity a priority. Look to Estonia for an example of how this is done right.
2. A Clear and Long-Term Cybersecurity Roadmap
Point solutions alone will not solve cybersecurity. They are pieces of a larger puzzle whose final picture we don’t fully understand. Every country needs a robust nationwide master plan to identify and solve key cybersecurity problems as a whole-of-nation effort, or even better, via global partnerships. I’m not talking about just a high-level strategic plan, but a serious long-term effort by the best and brightest to identify and prioritize key foundational cybersecurity problems, allocate resources, generate and share solutions, and most importantly, understand the ultimate holistic objective. This vantage point must be bigger than what exists at DARPA and the National Science Foundation today. Yes, some problems will be too hard or too expensive for now, but we need to at least know they exist, tackle the ones we can, and push toward solutions step by step in a deliberate way.
3. A National-Level Collective Defense
Today there are literally armies operating in cyberspace, but we are defending as individual organizations, not as teams. A disjointed defense against a state or state-sponsored collective offense is a recipe for defeat. The ISACs have made a great start and shown that teamwork is possible. We need to build on this foundation to create real-time threat information sharing, collaborative analysis, collective exercises, and standardized operating procedures and interoperability. Importantly, private companies have to work with government to bring government’s levers of power to bear; otherwise private organizations will have no access to the deterrents needed to stop dangerous behavior. Government must respond in kind.
The United States and other leading nations are taking cybersecurity seriously, but we have to focus our efforts and increase collaboration. We won’t achieve holistic cybersecurity any time soon without empowered national leadership, an understanding of the problems we need to solve, a comprehensive roadmap for prioritizing efforts that illustrates the desired end state, and a national-level collective defense that bridges the private and public sectors and forges international cooperation.