16 January 2017

Why We Are Losing the Cyber War

by Steve King 

For the better part of the last 10 years, we have been unwillingly engaged in a developing set of battles on several cyber-fronts, including business, healthcare, industry, education and government.

These have been largely a disorganized set of skirmishes that usually result in the attackers making off with valuable personal information, ransom attacks where money is extorted in exchange for abducted information or computing assets, the co-opting of business processes that have led to outright financial theft, and hacktivism that delivers havoc to political processes.

Each industry sector has tried to defend against these attacks in a variety of ways from upgrading cybersecurity technologies to increased training and staffing to the hardening of assets and the adoption of new policies and strategies. Yet, in spite of sometimes extravagant efforts, the bad guys keep winning.

Why? It’s because we are fighting an asymmetrical war with expanding attack surfaces and we lack a unifying purpose.

The lack of symmetry plays out on a variety of separate fronts. Economic asymmetry pits a simple malware exploit kit available for $50 on the dark web and a self-taught teenage assailant with a PC and an Internet connection against a bank with a $250 million annual cybersecurity budget, and the teenager wins.

Informational asymmetry sets our siloed and segmented defenses up against masquerading attackers about whom we have almost no information and who require very little of their own to be successful. A brute force attack is simple and easy to launch, turns almost all connected devices into an army of network bots and can result in the complete takedown of Internet access across much of the US for an extended period, as we saw in the DDoS attack on October 21st, 2016.

Informational asymmetry results in our continuing failure to identify the exploitation of legitimacy or to correctly attribute the source or nature of our attackers. We are never sure whether Russia or Iran or China or young Harry White living in his Mom’s basement down on B Street is the actual attacker, and that uncertainty dramatically affects our ability to respond or even to develop a policy for response protocols.

Resource asymmetry stacks up our small contingent of trained defenders protecting millions of applications and systems located in fixed positions against tens of thousands of unknown global cyber attackers examining tens of millions of dispersed targets. In terms of military tactics, state armies like ours generally fight in an orderly framework while non-state and individual terrorist organizations successfully use guerrilla cyber-methods designed to overcome the disparities in power.

Because we don’t know who we are fighting and must defend fixed positions without specific rules of engagement, it is quite difficult to engage successfully.

Infrastructural asymmetry highlights the actual nexus of our physical vulnerability as the imbalance offers our attackers fixed and aging targets upon which all of us depend for the most basic of functions like heat, light, communication and power and water, food, health and transportation. Assuming we actually have technological superiority, it will be quickly cancelled by the destruction of the electric grid, roads, ports, food and water supply systems in highly populated areas, which will dramatically impact the economy and affect our national morale, while our attackers neither require nor depend on any infrastructure beyond the Internet and the dark web.

Lacking a unity of purpose, we compound our imbalances. We have no idea who the enemy is, and we possess only a vague notion of why we should be engaged.

The last time this happened, we lost a brutal war in a little country called Vietnam.

If asymmetric warfare doesn’t give us enough to worry about, we are also surging ahead with IoT (Internet of Things) device integration in all aspects of our daily lives. We are adopting increasingly complex mobilized access via our smartphones, our clothing is now connected, and we will soon be adopting driverless vehicles.

All of this technological advancement creates scads of new attack surfaces that we are not sufficiently addressing as we rush new products out the door. With the billions of objects that are expected to be networked within the next few years, issues of identity and trust, data protection, access control, and device control should all be areas of grave concern, not just for business, but for public sector agencies and personal safety as well.

Our failure rate in combating ransomware is a small example of how poorly we have been coping with the onslaught thus far. Imagine the terrifying convergence of ransomware and the expanding IoT, raising questions like how much you would be willing to pay to regain access to your TV programming, your refrigerator, your baby monitor, your car, or your defibrillator.

Today, over 75 percent of hospital network traffic goes unmonitored, putting connected devices with access to sensitive patient information at risk. Think about that number the next time you are being wheeled into surgery.

Do you think the future of cybersecurity defense will be [a] harder or [b] easier? And, given that in spite of increased spending of 15 percent per year on cybersecurity to the tune of $85 billion in 2016, our current success rate diminishes steadily year over year (16% more successful breaches in 2016 than in 2015), do you think we will be [a] more successful in the future, or [b] less successful?

So much is at stake now that if the incoming Trump administration does not make cybersecurity its number one priority, and fails to create a shared-vision, Cybersecurity-Moonshot to immediately address the gathering storm, I fear the only momentum we will gain will continue to be in the direction we are now headed.

Steve King is the COO and CTO of Netswitch Technology Management.
