Cyber threats are currently outpacing the defenders but it does not need to be the case. Attacks are increasing in number and type, with the overall impacts are becoming greater. Cybersecurity is struggling to keep our digital lives and assets protected from the onslaught of attacks but facing great challenges. By understanding the root causes, we can adapt and change the equation for everyone’s benefit.
There are three aspects which are contributing to security currently losing the battle against cyberthreats:
Combined, this situation creates an environment like a perfect storm, enabling the threats to outpace and out maneuver current defenses. This is driving changes to expectations and market forces, which will fuel more security innovation and acceptance into play. Out of the chaos we will ultimately see a new equilibrium established where the risks, costs, and usability of technology are at an acceptable level for our security, safety, and privacy. It is up to the security industry and public to decide how fast we get there and what that optimal balance will look like.
Rapid growth and importance of the technology landscape
The Internet is getting crowded with the proliferation of new users, devices, and usages. Over a billion more people and tens of billions of devices will get connected online in the next few years. New users are typically not very security savvy, making them easy prey for spam, phishing scams, and even the most basic malware. More websites and online services will sprout up to meet the demands and take advantage of these new markets. In the rush to connect, security tends to fall to the wayside, as businesses prioritize market position and visibility over protective controls.
The Internet of Things (IoT) will comprise the vast majority of new devices, with some estimates exceeding 20 billion by 2020. These are not fully fledged computers like the PC’s, laptops, tablets, and phones which are designed to run lots of different software and support advanced security capabilities. Instead, these IoT devices are more specialized to specific functions. Televisions, cameras, DVR’s, automobiles, kitchen appliances, medical devices, industrial sensors, and even clothing will all be connected to the Internet. They will gather data and process commands, but in a limited way. Every imaginable type of normal machines we use today, will be enabled to communicate and in many cases be controlled remotely.
This opens up tremendous new usages and experiences for the benefit of users. Imagine wearable or implantable medical sensors which monitor health and intervene when needed to save lives. Autonomous vehicles will transport passengers wherever they desire, while they focus on other activities. Fully automated homes will configure and stock themselves for the customized needs of its occupants. It is an exciting time where technology will connect and enrich the lives of people all over the globe, but there are risks.
For every new usage, connection, or technology tool, there is a risk it may be used against us by cyber threats. Those same connected devices can be controlled by hackers for a variety of nefarious purposes, none of which are for our benefit. As we relinquish control of certain aspects that could pose life-safety risks, such as transportation, healthcare, and industrial functions, we inadvertently trust our safety to devices which may be maliciously manipulated by others. Autonomous transportation is a wonderful advancement, as long as it is not hacked, resulting in crashes and fatalities. Medical devices and data could be altered, resulting in catastrophic outcomes.
Even simple home devices are at risk. We have seen a flood of recent attacks against IoT devices where cybercriminals are taking them over to be used as part of a botnet. These botnets can cause parts of the Internet to crash, take down specific websites, support illicit markets, create fraudulent social media accounts, and harvest personal data of their owners.
This is just the beginning. As our technology ecosystem continues to grow at breakneck speed, with more devices, users, and usages, we create an environment rich with easy targets and capabilities crucial to our security, safety, and privacy.
Rising complexity, costs, and organizational challenges for defenders
Businesses, governments, organizations, and individuals struggle with the complexity, costs, and knowledge necessary to improve security, safety, and privacy. Cybersecurity is not easy to understand. It must comprehend the technology, threats, and varying demands of users. It is a complex challenge within a constantly changing chaotic environment.
Security must protect the breadth and depth of the technology landscape at every place data exists, is being transported, or is in use. Any weakness will be exploited. Like a fence, it must protect against all the locations of attack and be high and strong enough to repel the craftiness and persistence of outsiders trying to get in.
Cyber threats are intelligent adversaries who are driven by motivations to achieve their objectives and are both creative and relentless. This challenge creates a desire by defenders to institute massive and formidable controls, but that would greatly impede the end-user’s desired functionality and performance of these systems. Every good security program must align to the ever changing expectations of users, within the limits of what is possible and at a reasonable cost.
Security is only desirable when there is a perception or reality of negative impacts. Risks are the expected impacts over time. As no system is perfect, there will always be some losses, therefore some risk. The key is to reach an optimal level where the costs of security achieve an acceptable level of risk and usability. Cybersecurity must strive to identify where this point is, but is stymied as future losses are near impossible to estimate. Much of the industry is based upon fear, even if it is supported by numerous incidents, examples, and a tremendous amount of data. The perception of risk is a very personal matter. It makes the job of protecting computing systems, that service many people, very challenging.
Other requirements are clearer, such as regulations which govern specific industries, technology, and services. There are two main problems in being compliant with such laws. First there are a multitude of different regulations from across the globe. With little consistency, it is a costly challenge to remain aware of changes and to comply with them all. Then there is the second, more important aspect, as compliance does not equate to being secure. One of the biggest misconceptions is that adherence to regulations will ensure security. This is simply not true. In fact, most major breaches are with companies which have meet required standards. Regulations are simply the lowest acceptable level of basic controls. They should be considered the starting point, not the end state of a good security program.
The last major challenge is understanding what should be done. This requires talented individuals to understand the risks, the technical environment to be protected, and the user’s expectations which must be satisfied. They must determine the best technical solutions, behavioral policies, and process controls. It is no easy task.
Security professionals are in great demand as the technology landscape continues to rapidly grow. This has created a tremendous market with very few capable people to fill all the roles. Cybersecurity is a relatively new field. Only in the past few years have higher education institutions recognized the need. Academia is rushing to establish programs to train the next generation of cybersecurity professionals. In the meantime, there are an estimated 1 to 2 million unfilled positions. This gap will likely grow before supply begins to reduce the number of vacancies.
The result is most organizations do not have the necessary talent to secure their products, services, infrastructure, or assets. The costs, complexity, and lack of talent makes cybersecurity a tremendous challenge to tackle. Although many organizations have chosen to ignore the risks in the past, the new devices, usages, and expectations are forcing recognition, accountability, and a real commitment to security, safety, and privacy.
The improvement of attacker’s tools, capabilities, and collaboration
Cyberthreats consist of a broad community of different Threat Agents (TA). Architypes range from thieves, hackers, organized criminals, hacktivists, and even nation-states. Some act alone with little skill, while others have vast resources at their disposal. The most advanced threats possess expertise in both technical and behavioral disciplines. Most threats however, are simply reusing or customizing tools and methods developed by others. Overall, it is a diverse community, vast and global in nature, which has tremendous collective power to disrupt, steal, undermine, and take control of computing assets anywhere in the world. These intelligent adversaries are what makes cybersecurity truly challenging, and they are getting better every day.
The key to threats agents are their motivations. Every potential attacker is driven by an internal drive which dictate the objectives they will pursue. Activists want change in the world, criminals want financial gain, disgruntled employees want revenge, nation-states want to influence political and military outcomes, and so on. These people and groups have always been part of society, but with the rise of technology they see hacking as a set of new opportunities. So they leverage weaknesses in the electronic ecosystem to achieve objectives that satiate their motivations. The apparent ease and bountiful rewards fuel these acts, reinforcing the behaviors, and forging continued persistence. These threats are at the heart of every cyber-attack.
Every piece of technology is simply a tool, which can be used for good or for malice, and cyber threats are masters at using tools. This is a huge advantage attackers have over defenders. The more complex and capable a device or service, the more opportunities for hackers to find a way to undermine, compromise, or misuse it. So the rise in our technology landscape simply opens tremendous doors for those looking to conduct attacks.
Successful attacks reinforce the behaviors with rewards and supply more resources for the threats to use in follow-on activities. Hacking a network exposes systems behind it. Successful ransomware campaigns returns financial assets which can be reinvested. Stealing user credentials then allows access to those resources and the ability to impersonate others.
Rewards can be significant. A recent analysis of the ransomware campaign Cryptowall v3 showed how one cybercriminal crew was able to successfully extort over $300 million from victims in a short period of time. The greed of thieves is insatiable, which prompted a version 4 to be released shortly thereafter. With such successes, there is no end in sight to ransomware activities.
One major difference between the attacker and security communities is the willingness to share information. The hacking community has a long history of sharing code, best practices, victim data, and assisting each other in overcoming barriers. They actively help each other with problems and openly give advice. There is very little perceived competition which opens the floodgates for a community to actively collaborate. Security companies, businesses, and even governments on the other hand have shown little desire to share information or work together in practical ways. Only recently has some of the isolation been removed and security groups are slowly beginning to share threat and attack data. Still seen as competitive or potentially impactful to customer confidence, most companies remain pensive. The result is a major barrier to innovation, intelligence, and collaboration for security. This disparity between how these two communities act, provides a huge advantage to the attackers. They work together to share knowledge and resources. Until the good-guys can set aside apprehensions, it is unlikely they will ever be able to keep pace with an ever growing and powerful hacking community.
Turning the tide
The challenges are now daunting and changes must be made to slow the attackers pace while accelerating protection capabilities. Recent reports estimate the overall damages of cybercrime will reach $6 trillion by 2021. Malware is currently being created at a mind-boggling rate of 400 thousand new samples each day. 2016 will likely be the worst year for data breaches and we have only begun to feel the pain of IoT attacks.
Consumers, businesses, and governments all play a role in making security better. Consumers must take the security of their devices and assets more seriously. This includes proper digital hygiene of good password management, using quality security solutions, only installing trusted software, and keeping systems updated with latest patches. They must be critical before opening potentially harmful messages, attachments, texts, and web links. Most importantly, consumers should make security and trust a factor in their purchasing criteria for new products. Voting with their wallets, to reward those companies that invest in good security practices, is a powerful force to drive more secure products.
Businesses must raise cybersecurity to an executive level necessary for responsibility and accountability. They must invest not only in protecting the business infrastructure, but also their products and services. Having a well-trained and resourced team is required to build and sustain a security program.
Institutions and industry sectors must share more information on threats, attacks, and best-known-practices. Security is a collaborative effort. It is the good guys against the threat agents. Without teamwork, we don’t stand a chance against the attackers.
Governments must unify and make regulations easier to understand. They are a part of the picture but do not satisfy the entire need. Organizations must be compliant as a start, but continue to pursue more advanced controls as they seek an optimal balance of security. Improvements in law enforcement’s ability to investigate attacks and prosecute offenders is also needed within and across jurisdictions. Cybercrime is a global epidemic, not bound by traditional borders.
Overall, we must all work to protect the safety, security, and privacy of our data and community. We must maneuver with forethought as this problem will not go away on its own. We are all participants and custodians of the internet connected world. It is time we step up and collectively fulfill our roles as members of the digital society and work together to make it a more secure place.
My original post was featured on the Heimdal security blog: Expert Roundup: Is Internet Security a Losing Battle? as part of the 30+ cyber security experts which shared their insights on our chances to succeed against cybercrime.