I’m back blogging after a lengthy break due to extensive writing and consultancy commitments. Nothing much has changed in the cyber security sphere during that time apart from a very slight broadening of public concern as citizens became a little more aware that their information systems are vulnerable to hacking and that some governments seem keen to do it. This concern has yet to compel the average citizen or business manager to change their cyber behaviour, but the press has certainly become more preoccupied with cyber security. Throughout June we’ve been swamped with newspaper and TV reports about allegations of US, UK and Chinese cyber espionage, not to mention a steady trickle of data breaches.
Does anyone care enough to try and fix the problems? Not really, though we can begin to detect the start of a long public debate on what precisely should be done and who should do it. But it will take a long time to educate everyone, and even longer for them to care enough to respond to the challenge. The UK Government thinks the answer is to advise executive boards to take ownership and implement a risk management process. Perhaps they don’t realise that most Fortune 500 companies did this years ago and it didn’t make a blind bit of difference: they still got hacked.
To stop advanced threats we need advanced countermeasures, not corporate governance systems. Unfortunately such measures go beyond the demands of current accepted practice and regulatory compliance standards. We will need some new thinking and a major change in perception to change the existing order. One might expect the fact that intelligence agencies, criminal groups and activists are able to wander at will through our databases to be scandalous enough to compel citizens to demand solutions. But people only respond to threats that are personal, immediate and certain, and an outside risk of an obscure foreign power stealing information doesn’t meet any of those criteria.
There’s an even bigger barrier however, and that’s the question of precisely what to do about the threat of a professional attack. In practice organisations have four realistic options.
The first option is to ignore the danger, i.e. to rate it as an insignificant risk. And many do. After all, if a major intrusion hasn’t happened in the last ten years, it’s not an unreasonable judgement for a manager to expect it not to strike in the near future. And you won’t get sacked for getting it wrong as long as you documented your reasoning.
The second option is to implement a security management system. It won’t stop any sophisticated attacks but it’s cheap to put in place and it will satisfy the auditors and lawyers.
The third option is to take critical or valuable assets off the network. It’s an effective solution but nobody wants to do it, even when they should. A decision of this type is far above everyone’s pay grade. It’s an action that could well get you sacked.
The fourth choice is to invest in a small army of monitoring staff, equipped with an arsenal of state-of-the-art security technology. It’s practical though expensive. But it’s the smartest approach for any enterprise that’s serious about security. Unfortunately you can only justify such an option in the wake of a major incident.
The biggest challenge to justifying an adequate set of measures is that the major driver of corporate spending on security, regulatory compliance, lags too far behind the technology and threat curves. We can satisfy auditors by assigning responsibilities and formalising procedures, but these actions will not stop an advanced persistent threat (APT) in its tracks. To combat an APT we need stringent monitoring tools, specialist technical skills and a professional security operations centre staffed by experienced security people.
We can prevent and stop known forms of professional attack. That should be today’s baseline. But it’s not. Much harder is to anticipate and prevent new forms of APT. That demands fresh research and ambitious solutions that stretch beyond our current academic efforts, too many of which are obsessed with breaking today’s products rather than building tomorrow’s solutions. It’s not difficult to do, but it requires a transformation in security philosophy and techniques, because our current model of security management, based on industrial-age quality management concepts, is no longer fit for purpose.
There are some excellent new ideas, however, lurking in the wings waiting to take centre stage. If we can ditch our legacy baggage and start to experiment with new technologies then we might be on to something. Signature-based malware detection software, for example, is progressively decreasing in effectiveness yet is still deployed everywhere. There are superior modern approaches that have yet to catch on. Check out Cipher’s approach for example. But such technologies are just scratching the surface of what could be conceived with a touch of imagination and a basic understanding of the underpinning drivers of the information age.
To get there we need a modern, forward-looking vision that specifically addresses the new challenges of scale, diversity, volatility and complexity. My view is that we should look to nature for such solutions. The human body, for example, is an excellent model of simplicity and sophistication in defensive techniques. The immune system exhibits scale, detail, richness and evolution. At the turn of the century I sponsored an ambitious project to develop a model of the human immune system for fraud detection. My researchers developed a prototype which worked, though it was too clunky for prime-time application. Typically, the research funds ran out before we could refine the technique. And as usual the software and learning points were lost in time.
Many visionary projects end up this way. It’s the innovation we urgently need to build the solutions of tomorrow. But who will sponsor the journey from blue sky thinking to everyday product deployment? It won’t come from industry and it’s not yet coming from academia or government.
We need two things to make this work. First we need a creative environment, something like the equivalent of an MIT Media Lab for security. Nicholas Negroponte’s brainchild has been highly successful for new technologies. But it’s not fast enough. It’s taken almost two decades for ideas such as electronic paper, 3D printers and wearable technology to emerge as viable products.
So the second condition is a commitment to investment in product development. We can’t wait two decades for venture capitalists to develop emerging ideas. It’s a challenge that’s now far too important and way too ambitious to be left to market forces. Is anyone listening? I hope so, though I doubt it.