We each individually spend thousands every year on cyber-defence to ensure our cyber security. Enterprises spend, literally, millions of dollars annually protecting their data and business. So, logically, cyber-attack incidents should come down, right? At least critical incidents should show a significant downward trend, right? Right?
I am sorry to say, both have been growing and, to the best of our knowledge, will continue to grow for the foreseeable future. See the attached (slightly dated) chart – the trend is clear and has not really reversed in the intervening years.
So, why are we spending this $ 50 Billion per annum on cyber-defence as a community? (Take a moment to understand that number: 50 Billion; with a ‘B’!) The money is essentially being spent, not on any functional upgrade of a system. Nor is it building any lasting security for the system. It is, ultimately, a high tech form of ‘hafta’ or ‘mamool’ that we spend in the vain hope that it will somehow, prevent a cyber-attack.
(Note: ‘Hafta’ Or ‘Mamool’ is basically protection money that a vendor pays to prevent unsavoury things happening to him)
Let me state this categorically:
No Amount Of Money You Spend On Cyber Attack Prevention Will Prevent A Cyber Attack!
The problem is that cyber-defence is organized reactively.
The threat leads and the defence follows. This necessarily means that the threat has to be recognized before an appropriate defence can be mounted. However, the gap between threat and recognition is becoming increasingly higher due to the growing sophistication of the attackers and differing motivations for the attack. Today’s cyber attackers prefer to stay under the radar and do their work insidiously, without too much fanfare. For every WannaCry, there are hundreds of successful ransomware attacks that we never hear about since the parties settled out of the public eye. I give you the recent example of Uber settling with a ransomware attacker.
At this point, it is important to note that the threat has materialized and all actions subsequent to this result in damage mitigation rather than in threat avoidance. Cyber-defence is not applicable at this point.
(Aside: Handling attacks privately also has the effect of perpetuating the threat. The threat vector is not recognized explicitly and hence can probably be reused. The entire point in settling privately is to avoid publicity, resulting in the threat not being recognized & the vector not being widely neutralized, as a community. They can be reused on other, unsuspecting organizations.)
Even if the threat signature is made public, or at least propagated into non-affected enterprises by the cyber-defence provider, that defence is not very resilient. The response is normally based on specific threats and does not work if the threat mutates with even minor changes in signature. While intelligence in the cyber-defence solution does take care of some changes, it still does not address threats categorically.
So, we have a perfect storm of mutating & new threats being battled by a cyber-defence mechanism that works off a blacklist of known threats. Different solutions have differing layers of sophistication around this model but fundamentally, all cyber-defence is organized around a blacklist. Ergo, someone, somewhere has to suffer before the threat is recognized and a response neutralizing it can be crafted and propagated.
In this is a fight against cyber-attacks, the good guys show up with only a shield – no spear.
Surely there is something that can be done to improve this model?
Next Week … (You can read Part 2 here)
In the next week’s instalment, I will talk about a way to improve the cyber-defence model: create cyber security that is inspired by the body’s immune system.
We will talk about the possible benefits that that approach can bring. Of course, there will be also be downsides to that approach. On balance, however, I do believe that since nature has had 200 million years to perfect its defences to pathogens, we could do worse than to mimic her in handling a threat that is very similar in characteristics.