I'm back blogging after a lengthy
break due to extensive writing and consultancy commitments. Nothing much has
changed in the cyber security sphere during that time apart from a very slight broadening
of public concern as citizens became a little more aware that their information
systems are vulnerable to hacking and that some governments seem keen to do it.
This concern has yet to compel the average citizen or business manager to change
their cyber behaviour, but the press has certainly become more preoccupied with
cyber security. Throughout June we've been swamped with newspaper and TV
reports about allegations of US, UK and Chinese cyber espionage, not to mention
a steady trickle of data breaches.
Does anyone actually care
enough to try and fix the problems? Not really, though we can begin to
detect the start of a long public debate on what precisely should be done and
who should do it. But it will take a long time to educate everyone, and even
longer to care enough to respond to the challenge. The UK Government thinks the
answer is to advise executive boards to take ownership and implement a risk
management process. Perhaps they don't realise that most Fortune 500 companies
did this years ago but it didn't make a blind bit of difference: they still got
To stop advanced threats we
need advanced countermeasures, not corporate governance systems. Unfortunately
these measures are beyond the demands of current accepted practice and regulatory
compliance standards. We will need some new thinking and a major change in
perception to change the existing order. One might expect the fact that
intelligence agencies, criminal groups and activists are able to wander at will
through our databases to be scandalous enough to compel citizens to demand
solutions. But people only respond to threats that are personal, immediate and
certain. And an outside risk of an obscure foreign power stealing information doesn't
quite pass the criteria.
There's an even bigger barrier
however, and that's the question of precisely what to do about the threat of a
professional attack. In practice organisations have four realistic options.
The first option is to ignore
the danger, i.e. to rate it as an insignificant risk. And many do. After all if
a major intrusion hasn't happened in the last ten years, it's not an
unreasonable judgement for a manager to expect it not to strike in the near
future. And you won't get sacked for getting it wrong as long as you documented
The second option is to
implement a security management system. It won't stop any sophisticated attacks
but it's cheap to put in place and it will satisfy the auditors and
The third option is to take
critical or valuable assets off the network. It's an effective solution but nobody
wants to do it, even when they should. A decision of this type is far above
everyone's pay grade. It's an action that could well get you sacked.
The fourth choice is to invest
in a small army of monitoring staff, equipped with an arsenal of state-of-the-art
security technology. It's practical though expensive. But it's the smartest approach
for any enterprise that's serious about security. Unfortunately you can only
justify such an option in the wake of a major incident.
The biggest challenge to
justifying an adequate set of measures is that the major driver of corporate spending
on security, regulatory compliance, lags too far behind the technology and
security curves. We can satisfy auditors by assigning responsibilities and formalising
procedures, but these actions will not stop an advanced persistent threat (APT) in
its tracks. To combat an APT we need stringent monitoring tools, specialist
technical skills and a professional security operations centre staffed by
experienced security professionals.
We can prevent and stop known
forms of professional attack. That should be today's baseline. But it's
not. Much harder is to anticipate and prevent new forms of APT. That demands fresh
research and ambitious solutions that stretch beyond our current academic efforts,
too many of which are obsessed with breaking today's products rather than
building tomorrow's solutions. It's not difficult to do, but it requires a
transformation in security philosophy and techniques, because our current model
of security management based on industrial age quality management concepts is no
longer fit for purpose.
There are some excellent new
ideas however lurking in the wings waiting to take centre stage. If we can ditch
our legacy baggage and start to experiment with new technologies then we might
be on to something. Malware detection software, for example, is progressively
decreasing in effectiveness yet still deployed. There are superior modern
solutions that have yet to catch on. Check out Cipher's approach for example. But
such technologies are just scratching the surface of what could be conceived
with a touch of imagination and a basic understanding of the underpinning
drivers of the information age.
To get there we need a
modern, forward looking vision that specifically addresses the new challenges
of scale, diversity, volatility and complexity. My view is that we should look
to nature for such solutions. The human body for example is an excellent model
of simplicity and sophistication in defensive techniques. The immune system
exhibits scale, detail, richness and evolution. At the turn of the century I sponsored
an ambitious project to develop a model of the human immune system for fraud
detection. My researchers developed a prototype which worked, though it was too
clunky for prime time application. Typically, the research funds ran out before
we could refine the technique. And as usual the software and learning points were
lost in time.
Many visionary projects end
up this way. It's the innovation we urgently need to build the solutions of
tomorrow. But who will sponsor the journey from blue sky thinking to everyday
product deployment? It won't come from industry and it's not yet coming from
academia or government.
We need two things to make
this work. First we need a creative environment, something like the equivalent
of an MIT Media Lab for security. Nicholas Negroponte's brainchild has been highly
successful for new technologies. But it's not fast enough. It's taken almost two
decades for ideas such as electronic
paper, 3D printers and wearable technology to emerge as viable products.
So the second condition is
that we need a commitment to investment in product development. We can't wait
two decades for venture capitalists to develop emerging ideas. It's a challenge
that's now far too important and way too ambitious to be left to market forces.
Is anyone listening? I hope so though I doubt it.