The characteristics of the Cybersecurity war in which we are now engaged are not dissimilar from any team sporting contest. Whether in football, baseball or basketball, the game is won or lost on four key elements. Winning almost always comes down to offense, defense, coaching and playbook execution.
In baseball, offense is defined as hitting, pitching and base running. In football, offense is passing, running and blocking. In basketball, it’s shooting, passing and ball movement. Defense is defined in baseball as fielding – catching the ball and throwing the ball accurately. In football, it’s tackling. In basketball, the team that blocks the most shots and steals the most passes often wins.
Coaching is the same in all three sports; other elements notwithstanding, the team with the better coach is usually the winner. The ability to consistently execute a well-thought out playbook also defines victory more often than not.
In Cybersecurity, winners and losers are defined by their ability to beat their opponent in education, information, technology and economics. We have seen over the recent past that the U.S. government and U.S. businesses do not possess a superior advantage in any of those four key categories.
In education, our Universities have failed to develop and deliver Cybersecurity programs to their students on such a mass scale that it is hard to find Cybersecurity courses even within Computer Science programs in all but a small handful of colleges.
Businesses have failed to educate their employees on the fundamental Cybersecurity issues surrounding their specific job duties. Inadvertent insider threat (meaning an employee who carelessly clicks on a malicious link in a disguised email or website) is still the leading category of Cyber-threat. According to the Verizon 2016 Data Breach Investigations Report, 77% of last year’s breaches were caused by careless insiders. We have tons of educational programs aimed at social sensitivity training but none targeted toward an understanding of common Cyber-threats or the precautions necessary to avoid being hacked.
While we possess none of the knowledge and skills necessary to compete with a global Cybersecurity threat, our adversaries have focused enormous energy and expense on building a trained workforce with extraordinary skills to not only deal with threats but to militarize that knowledge as part of an active Cyber-offensive that is prepared for global conflict.
As an example, North Korea began training electronic warfare soldiers well before the Internet era, and selected math prodigies when they were 12 or 13 and trained them to become software developers, online psychological warfare experts and hackers. They are also trained in foreign languages so they could operate abroad as well as conduct Cyber-attacks in fluent English. North Korea sends students to study in Russia, China and, more recently, India to learn modern Cybersecurity software technologies and advanced programming techniques.
Our State Department estimates that there are over 10,000 trained Cybersecurity hackers embedded in units of the North Korean military busily executing a variety of global offensive Cyber-attacks, many of which we hear about on a weekly basis. And of course, North Korea is not alone.
Information in Cybersecurity means the intelligence each adversary has at its disposal for use in attack planning and strategy. It’s a little like the book a pitcher and catcher maintain on opposing batters in baseball. Without it, the catcher is unable to call the pitches that the batter is least likely to hit. While it is impossible for people in the private sector to know the extent of the information our national security agencies possesses about our enemies, a quick review of large scale cyber-attacks during the last four years would imply that we know very little about out attackers, while our attackers know a whole lot about us.
A simple example would be the Sony Pictures attack where forensic analysis seemed to point at the North Koreans, but many in the InfoSec community believe that it was the Chinese who conducted this attack as a social media exercise to gauge the U.S. response.
Most pedestrian observers don’t understand that attribution for Cyber-attacks is virtually impossible as skilled hackers regularly use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail, while fingering another entity. Most of today’s Cyber-attacks are sophisticated and the malware strains are meta- and poly-morphic, changing form and shape as they enter our networks and penetrate our defenses. It’s like a batter who can robotically adjust his swing in real-time for each new pitch, regardless of who’s throwing.
So, as we witness countless Cyber-attacks on both private and public-sector entities, it is hard not to conclude that the actors have much more information about their targets, our defenses and the technology we use to detect and protect than we have about their attack styles. In spite of the 400+ software products in the Cyber-security markets, none of them are able to defend against these ever-changing malware strains. If we knew what we were supposed to know, we would see much fewer zero-day attacks than we witness and have a much better set of Intel about attack styles well before they launch.
On the technology front, you would think we would be blowing away the competition as we are always seeing claims of how we are the superior innovators and how countries like China regularly and blatantly rip-off our proprietary designs and copy them. But of those 400+ software products in the space, only a very few of them are designed to detect modern and advanced malware, while most of them were engineered several years ago and are still targeted to stop host-based viral infections.
And I am not alone in that depiction. It is exactly what retired RSA Chairman Art Coviello meant when he said during his keynote address to the annual RSA conference, “The single-purpose, perimeter-oriented tools aren’t smart enough and the security industry hasn’t been able to keep up with new threats.”
For example, of the twenty-five plus products that claim to be in the Cybersecurity Artificial Intelligence (AI) space, many are currently working to integrate AI technologies to aid with threat detection, threat modeling, and anomaly detection, yet these are only very recent developments and only a few have actually brought commercialized product to market.
If we were to track the technological progress made by the threat actors against the progress made by the defenders, we would see a broadening gap over the tail of the time line. IBM’s Watson may be quite good at Jeopardy and Chess, but predictive analytics are usually most effective inside a finite space where the rules are known and the variables while many, are limited. Also, unlike in games like Go where again, Watson has proven to be masterful, our counterparts in Cybersecurity don’t follow any rules at all.
According to the marketing messages, our technology vendors would appear to believe that man and machine working together as cyber security centaurs will create teams capable of tackling the most difficult cyber adversaries, but the facts on the ground tend to contradict that claim. In fact, some of the most recent phishing scams are already using AI to generate convincing social engineering campaigns while we have no counterpart technology on the detection side.
The economic picture is even less heartening as we watch threat actors using increasingly commoditized Cybercrime-as-a-Service tools costing as little as $25 for a fully functioning exploit kit to wage successful attacks against behemoths like Chase Bank who are spending a half billion a year on Cybersecurity defense measures. It’s $25 vs. $500,000,000 and the guy with $25 is winning. It’s Billy-ball beating up the New York Yankees.
And no, I haven’t forgotten the fifth essential key. It may be the most important key of all and it is the one that is definitely missing for the home team. The fifth essential key is leadership.
There is no Bill Belichick, no Coach K, no Sparky Anderson in Cybersecurity. Businesses in the private sector do what they have always done in a capitalist system. They maximize revenue, speed to market and profit. Manufacturers of hardware and designers of software are only interested in satisfying consumer demand. And right now there is no demand for security. We are for the most part an entitled and optimistic society who would rather focus on desired outcomes rather than on attendant risk and vulnerability. We like the fact that we have plug and play stuff and we don’t like having to figure out how or whether to change the default passwords in our home routers.
If Steve Jobs were alive, he might have said that we’re going to get a fully secured iPhone when he is ready to deliver it and we will love it. He’s no longer with us and neither is his Apple.
We do however have a maverick in the White House and for better or worse, he may decide to don the leadership cape and head out onto the playing field with an agenda for change. Change in the way we manufacture Internet connected devices. Change in the way we design and deliver software applications. Change in our national security policy and processes so that the software manufacturers cease becoming the last to know that there are vulnerabilities in their products. Change in the way we interpret International law during a time of war so that we may pursue our adversaries and weapons dealers in cyberspace as we would on a physical battlefield. Change in our education systems so that our brightest young students can prepare themselves for a future that will be defined by existential threat.
And finally, a change in leadership so that this single and perhaps most potentially devastating danger to our national interests is elevated to a level of policy definition on equal footing with our defense, healthcare, social and economic agendas. If we fail to do this and instead continue to ignore the tremors along the fault-line, we will soon reflect back on the last few years as a day at the beach compared with what we will be facing in the future.