The way we think about cybersecurity is changing. Back when we were all younger and more naive, we believed a fortress around our information was sufficient. Firewalls, anti-virus, and controlling device access would do the trick. Just like the castles and fortresses of old though, the bad guys found ways to blast through the walls, or tunnel under them, or introduce Trojan horses to open the doors from the inside. The Civil War ended the era of fixed forts, the Second World War ended the era of trench warfare, and the early cyber wars ended the era of CyberFortresses.
So the paradigm shifted to risk management. We can’t stop them all, but we can find them faster, stop them before they get too far, and limit the damage they can cause. Sounds good in theory, and it doesn’t actually make those old approaches obsolete so much as recognize their limitations. But there are some big issues with Risk Management. First, it makes small businesses and their Intellectual Property (IP) particularly vulnerable to the implied “acceptable level of loss”. Second, episodes like the theft of the Joint Strike Fighter F-35 plans or the Snowden affair call into question whether even big players with lots of resources can actually manage their risks effectively.
The move from prevention to risk mitigation, with the realization that not all attacks can be prevented, is a healthy trend overall. But the meaning of risk mitigation is now changing in what can only be described as a second paradigm shift. Risk has now split into two pieces, with the addition of the reinvigorated category of insider threat to the older notion of external bad guys. And what we are doing to address each of these categories is also changing.
Used to be that “insider threat” meant watching for people who hung out with weirdos, bought expensive cars out of their price range, or joined shady organizations. These days it has become much more “Big Brother-ish”, based on behavioral modeling of “normal” versus “suspect” network behaviors, which of course implies widespread collection by organizations of a large set of their users’ network behaviors for analysis and classification. Maybe it even works, although distinguishing normal from suspect behavior is a statistically difficult task, and on the practical side it seems unlikely that organizations would, say, preemptively fire employees identified as suspect by some tool…lawsuit city, that one. Perhaps these techniques will evolve to become more of an intrusion detection capability, finding bad external actors who have made it inside the network.
For external bad guys still outside the network the rules have also changed. Used to be we would watch for bad packets or signatures or known bad IP addresses (well, ok, we still do that stuff too). Now we are increasingly using global sensor networks to spot attacks early in their spread and trying to find countermeasures before they get too far. The new trend though seems to be based more in counter-insurgency techniques. Identify the bad actors individually, determine the tools they use, their individual precursor activities, favorite locations to attack from, people in their social network as funders or buyers or collaborators, hours of the day when they work, and so on. Then take action.
Ultimately however, these measures are reactive to an ever-more-effective adversary, and the gap keeps growing. While these measures are likely to help manage risks over the short and medium term, they won’t solve the problem. Eventually one could hope this sets the stage for the most radical paradigm shift of all…fixing the underlying problems. We have a pretty good handle on how to do it technically (see next Friday 31 October post “Can We Win?” for more), but so many people are making so much money on the current poor system (not only selling leaky boats but also the pumps to keep them afloat and the cranes to pull them out of the water so they stop leaking temporarily…) that this may be the hardest paradigm shift of all.