Part 1. Rethinking cybersecurity from the viewpoint of risk
Did we get cybersecurity wrong? Thirty years after the infamous Internet Worm was loosed upon an unsuspecting world, ravaging the global computing network of 1988 in a matter of hours, we seem to have made little or no progress in protecting computer systems against intentional attack. Attacks have become increasingly sophisticated and criminalized. Today, there are thousands of products and companies engaged in cybersecurity, yet for all this effort what have we really achieved? Breaches are as common as ever. Perhaps we are just thinking about it wrong. Rather than trying to plug the holes, should we instead be thinking about how to deal with the inevitable?
Recent years have seen a resurgence of headline incidents on high-value targets, this time from so-called “supply chain” attacks, delivering spyware and ransomware as a new global pandemic in cyberspace. The SolarWinds infiltration used core dependencies in management software; the Kaseya break-in exploited a printing service backdoor to infiltrate a trusted Managed Service Provider. Just when you thought it was safe to use a computer, it turns out you should be afraid, very afraid.
Most depressing perhaps is that it’s still the same old “usual suspects” that lead to breaches, in spite of regular patches applied to the most common business operating systems, an abundance of compliance frameworks, and advice from all quarters. It’s always careless configurations, or missing validations in the same old core services that let us down. That’s an issue for software development to resolve. Then, add in password attacks, social engineering (phishing), Trojans, and viruses, and multiply that by a growing population of devices around the planet. Responsibility could be placed all over the field, but ultimately, responsibility to protect ourselves starts at home.
One answer is that we are indeed thinking about defence and responsibility incorrectly. What about when there is no defence? Cybersecurity is ever-destined to be a Lewis Carroll “Red Queen” race — an arms race of running to stand still. There will always be new holes to plug, new diseases to avoid, new weapons to protect against. So why not simply manage that risk, as you would manage your money matters, or choose suitable clothing in daily life?
When you rent a car, you have a choice to make about what kind of insurance to buy. You might think: well, I’m a safe driver, I only need minimal coverage. Then a drunken hooligan purposely runs a key along three panels of paintwork and suddenly you’re faced with a $10000 bill for something you thought no decent person would dare to do. Crying about the injustice is useless, when you could have simply paid a hundred dollars extra for insurance coverage.
We find unusual events hard to imagine. There’s a concept of normal wear and tear, unusual accidents, and bizarre black swan events, and we can always overestimate our ability to fend off the normal, while dismissing the unusual entirely. In all of these cases, we need to have a plan. The fact that something is unlikely doesn’t mean we shouldn’t plan for it. Winging a response on the fly is difficult at best, impossible at worst. Preparation is everything.
Everyone knows they should make a backup of data. But how often do we do it? Do we know how to get the data back quickly? What about services? Do we have smoke detectors for fire damage? Are there rehearsed procedures for dealing with a crisis? What about upstream and downstream dependencies in a supply chain? What if the delivery doesn’t arrive or is damaged?
Thinking in terms of risk isn’t at all hard, but it requires a different approach to security — something more systemic than technical. What is it you stand to lose? Will you have enough money in your account at a critical moment, or are you flying close to the sun, showing off? Will you lose the basis for your livelihood? Will your reputation be in tatters?
If attackers approach through a trusted channel, you can easily fall into their trap. But the usual response in cybersecurity is to challenge trust itself. Marketing phrases like zero-trust computing sound nice, but they confound common sense. There is no world without trust. Trusting “zero trust software” is the kind of oxymoron that sets us back, rather than helping us forward.
The pandemic can be another eye-opener about human behaviour. If we can’t prevent disease, even with all the vaccines, border rules, and medicines, then how do we manage a pandemic? If no one is willing to observe the smallest disciplines for the greater good, where does that leave us? Security experts can’t understand why the general population doesn’t rush out to vaccinate their devices. Even then there’s no guarantee of immunity.
The simple answer is that there is always a risk. No matter what you do, something bad can happen. So be ready to survive that rather than trying to plug every possible leak.
There’s a growing realization that we need to shift our thinking from security hardening to Risk Management. Two developments are interesting to watch: the rise of realism surrounding “promise thinking” (see my book Thinking In Promises), i.e. a shift from obligation and compliance to voluntary cooperation without guarantees.
Patrick Debois and I introduce the risk-based approach to cybersecurity in a new book. It’s based on research I carried out in conjunction with Orchestra, to provide a workbook that bridges the worlds of executive and cybersecurity manager to implement Digital Risk Management.