European IT security experts are divided over whether cyber security has succeeded, it emerged at the 6th International Forum on Cyber Security in Lille, France.
Seven panelists failed to reach a consensus in the sometimes heated debate on the topic in the opening session of the conference.
David Lacey of IOActive was joined by Jérémie Zimmermann, co-founder of the Paris-based La Quadrature du Net, a citizen advocacy group defending fundamental freedoms online.
“Cyber security is a failure at all levels, including compliance, methodology, skills and technology,” said Lacey.
While agreeing that regulatory compliance is necessary, he said it tends to encourage organisations to come up with the cheapest response.
Lacey said regulation does not encourage innovation and tends to recognise outdated standards and models that give the attacker the advantage.
The old “plan, check, do” model is too slow-moving and needs to be replaced with a military-style “observe, orient, decide, act” model that enables the faster response times required, he said.
Time for a security rethink
For this reason, Lacey predicts 2014 will see movement against existing standards because of their failure to help organisations deal with the threats they are facing.
He also predicts that regulators will eventually be forced to rethink the standards required to achieve effective security.
“Cyber security needs new skills, attitudes and technologies,” said Lacey, drawing support from the audience when he added that nothing would change until the world is hit by a 9/11-type cyber incident.
According to Lacey, one of the biggest problems with cyber security is that most organisations use the same security products, which makes the attacker's job easier.
“A greater diversity of innovative technologies would be much more effective because they will present new challenges to attackers,” he said.
Cyber skills gap needs addressing
The lack of cyber skills is another challenge, and Lacey predicts that the cyber security skills gap will continue to grow.
“It's because skills such as high-speed reverse-engineering require a special kind of person. Training courses can't fix this problem, especially those that teach outdated approaches,” he said.
People with the right skills cannot be produced through training. They have to be sought out, and that is a more difficult challenge, said Lacey.
He also said there needs to be a focus on skills such as crisis management and a greater focus on the cyber security of supply chains.
The old “plan, check, do” model is too slow-moving and needs to be replaced with a military-style “observe, orient, decide, act” model that enables the faster response times required
David Lacey, IOActive
“Boards can also improve cyber security by empowering the chief information security officers to override business decisions in the interests of security.
“Also, governments need to invest a lot more in cyber security because there is no alternative,” said Lacey.
Restore user trust in technology
According to Zimmermann, one of the main reasons cyber security has failed is that individual users of technology and online services have not been put at the heart of security.
He said trust had been lost because service providers have been abusing user data for their own gain, while governments have invested in mass surveillance and offensive cyber capabilities.
“Revelations that the US National Security Agency (NSA) sabotaged technology by inserting back doors have weakened our relationship with technology,” he said.
Referring to allegations that Google and Facebook played a role in enabling the NSA’s mass surveillance operations, Zimmermann said there is an urgent need for trustworthy technology.
“The time has come to pool public and private resources to develop technology that will help people regain their trust,” he said.
Zimmermann used the opportunity to call for free and open technology as the only way forward. “Citizens must take over control of technology, rather than being controlled by it,” he said.