Bad Guys 1, World 0
The past few months have exposed what many of us have been anticipating for the past decade: widespread, successful cyber attacks aimed at disrupting critical infrastructure, supply chains, basic systems of food production, transportation, banking, energy and health care delivery.
It’s a bleak picture:
- Timed for the Fourth of July holiday weekend, the supply chain ransomware attack by Russian hacker syndicate REvil disrupted operations at more than 200 U.S. companies.
- Computer manufacturer Acer’s recent $50 million data ransom demand from cybercriminals (one of the highest demands to date) will be one of many such high-dollar data hostage scenarios this year.
- An Eastern European group known as Ryuk has hit at least 235 healthcare facilities in recent months, raking in more than $100 million, suspending some surgeries and delaying medical care, according to the Wall Street Journal (registration required).
- The Guardian recently reported that the hack of the Colonial Pipeline in May 2021 was just one of a series of cyberattacks worldwide, targeting Brazilian-headquartered JBS (the world’s largest meat processor) and disrupting the global meat market, closing schools in Iowa and disrupting health care in Ireland.
We need to stop pretending the cybersecurity “war” is ongoing: It’s not. The bad guys have won. Cybersecurity as we know it has failed. At best, we’re attempting an organized retreat in a lopsided conflict with an enemy we can’t see or stop. At worst, we’re completely overrun and occupied — and we just can’t admit it.
What does our collective defeat look like? When cybercrime includes nation-state subsidies and logistical support, supply chains, subcontractors, multitier competitive differentiation, integrated marketing, sophisticated revenue sharing, reusable tooling, robust technical support and professional recruiting and career development programs — it’s no longer accurate to call it “cybercrime.” It’s a global industry.
At The Inflection Point
What’s at stake? For starters, the post-pandemic economic recovery. Concerns about supply chains and inflation will pale in comparison to panic over the integrity of our banking, health care, transportation and energy infrastructure. The scope and scale of the crisis transcend geopolitics and domestic politics, national borders, class distinctions and ideologies, and they are difficult to overstate.
Things will likely get worse in the final six months of 2021. Why? Because the leadership mistakes that have enabled the cybercrime crisis — decades in the making — can’t be fixed quickly or easily. In the 20 years between the late 1990s and the late 2010s, the cybersecurity industry, politicians, public policymakers, and organizational leaders embraced growth over resilience, compliance over security and technology over people:
- We focused on externalities like attackers, threats and zero-day exploits, instead of internal, controllable items, like data protection, access controls and identity management.
- We worked to comply with lists of regulatory requirements (i.e., HIPAA, FISMA, SOX, GLBA, PCI-DSS) instead of securing our highest value, most-at-risk organizational assets.
- We attempted to secure everything the same way, instead of differentiating and prioritizing assets, risks and protection mechanisms.
- We invited security product vendors — many of them startup companies — and the venture capitalists and private equity firms who invested in them — to dictate our cybersecurity priorities.
Gartner projected that in 2020, roughly $123.8 billion would be spent on security for applications, networks, the cloud and infrastructure protection.
Promises Made, Promises Broken
The promise of strong, resilient networks and endpoints, next-generation, automated threat detection and response, and AI-driven security intelligence hasn’t been realized. The reality is that organized cartels of bad actors have an almost unassailable advantage. Many are located in criminal sanctuaries that don’t prosecute or disrupt them. They fight an asymmetric conflict against unprepared organizations that principally rely on technology solutions to defend against attacks. They focus their attacks on human beings, who are notoriously difficult to educate, train and protect.
In fact, it only takes one click from one user on one bad email link to compromise many organizations’ digital assets. As the well-worn (but controversial) cybersecurity saying goes: “Defenders have to be right 100% of the time and attackers have to be right once.”
Admitting Is The First Step
How do we turn the tide and develop a sustainable defense that stands up to the future? In short: We stop playing the traditional cybersecurity game. We pick up our ball and walk off the court. These four ideas are critical:
- Stop pretending cybersecurity can “win.”
- Stop obsessing over attackers and attacks.
- Stop purchasing technology to fix our problems.
- Develop real resilience in our data core.
Data, Data, Data
We need to stop playing offense and focus on defense, true defense in depth. The other pieces of the puzzle we focused on in the past can’t be easily or adequately secured (threats/attackers, human behavior, networks); change too much, too often, or are largely outside our control (endpoints, mobile devices, cloud infrastructure); and/or aren’t intrinsically valuable (servers, applications, computing resources).
We must protect the target of attacks — our sensitive data — and build up and around that asset:
- Figure out what data we have.
- Assess our data resilience.
- Embark on a hearts-and-minds campaign.
We must stop looking for easy answers. Until we reshape our priorities and admit the cybersecurity “war” is lost, we will never move past the current crisis and begin rebuilding.