The Cybersecurity Long Game

One constant in cybersecurity is that as quickly as technology advances, so does the cyber threat.

To understand the scope of how things might play out in the coming years, four cybersecurity experts with different perspectives weigh in and give their insight.

The National Security Dilemma

Richard A. Clarke’s cybersecurity experience spans three decades. His service ranges from the State Department, to the Pentagon, to counseling three US presidents. Today, he is an advisor to countries and businesses on cyber risk and is one of the preeminent thought leaders in the space.

With regard to national security, Clarke believes the US government is well-organized for cyber defense. However, he feels it often falls short of providing adequate funding. He believes that criminal hacking organizations around the world could probably be shut down by organizations like the NSA, CIA, FBI and Cyber Command “if only the US was willing to expand the resources it now devotes to counter-cyber warfare.”

Nation-state cyber terror is different. “Iran, Russia, China all have cyber vulnerability. But so do we,” Clarke points out. He worries that, in the current conflict between Russia and Ukraine, every non-cyber move by the US – for instance, shutting down Russian access to the SWIFT messaging system – could initiate a retaliatory strike against US infrastructure.

“The problem is that we don’t know how to handle the escalation of cyber warfare between countries,” Clarke said. New strategies need to be developed. In reference to On Escalation, by Herman Kahn, he notes that “we need a similar roadmap for managing escalation in cyber attacks.”

Clarke is concerned that an attack like SolarWinds, which went undetected for months, could happen again. “The biggest threat to most companies is a cyber attack that comes through the software supply chain. That’s what happened to SolarWinds. Today, every company gets a staggering number of software updates every month.”

Companies are vulnerable with no clear place to seek help. “The US government would likely come to the aid of a major defense contractor hit by a cyber attack,” Clarke said. “Large banks might also expect support. But other companies need more clarity about whether or when US government resources would be deployed to help them recover from an attack.”

The Problem of Cybersecurity Complexity

Founder and CTO of Palo Alto Networks, Nir Zuk, is frustrated by a fundamental truth of cybersecurity: customers have no way of knowing whether the products they’ve purchased actually work. Failures are only discovered after an attack has breached their security.

Zuk believes this is one of the reasons why cybersecurity conversations have moved up the ladder of the enterprise hierarchy, from engineers to the CISO to the CEO and the board. There is growing awareness at all levels of business. Simply buying the latest vendor “solution” is no longer the best strategy. Enterprises need to better understand why cybersecurity is both growing more sophisticated and becoming difficult to manage.

According to Zuk, customers are not able to keep up with the volume of information generated by cloud and machine learning technology. An alert about a potential breach could show the whole chain of attack, going back into the architecture of the interconnected components in the cloud. “It’s very hard for any human to absorb and respond to all that information,” Zuk says.

This dynamic makes automation of security crucial. Zuk believes that autonomous products should be created first, with the human factor added second.

Two threats concern Zuk the most. First, ransomware continues to spread with impunity. There is no foolproof system against attackers who breach your system. He argues that the best way to combat ransomware is to focus on detecting attackers once they have penetrated the system, because that is when an attacker must hide 100% of the time, although he acknowledges that good backup and data protection plans may still be the best way to go.

Zuk’s second major concern is supply chain attacks. They are hard to prevent because the organization affected is not the first target of the attack. Hackers instead target vendors in its supply chain, which is exactly what happened in the SolarWinds attack.

Zuk believes that the challenge in cybersecurity is how companies respond to attacks.

The New Corporate Imperative

When Phil Venables, Google Cloud CISO at Alphabet, assesses today’s risk landscape, he sees organizations looking at cybersecurity the wrong way.

“Companies are rushing to invest in cyber software without modernizing their underlying technology. They are effectively trying to build a fortress on sand.”

Venables argues that the cloud should be viewed as a “digital immune system.” He describes the cloud’s persistent ability to update, adapt, and respond to shifting threats as “an accelerating feedback loop” for enterprise IT leaders.

Venables thinks that in the coming years, executives and corporate directors will need to become more sophisticated not about technology itself, but about how to build security into products and processes. He argues that businesses need to be able to talk about the digital underpinning and security of a product just as confidently and knowledgeably as they would about supply chains or customer relationships. They need to “think about secure products, not security products.”

Venables suggests an exercise for any board to practice. Rather than asking CEOs and their teams about the latest patches or security scanners, directors should ask how often the organization updates its software. He suggests that leading companies are typically updating software multiple times a day, or more.

The Next Frontier

Dan Boneh is a professor in applied cryptography and the co-director of Stanford’s computer security lab. He has a unique perspective in cybersecurity: he knows what problems fascinate his students.

In his case, students are interested in problems around blockchain security. One issue with blockchain centers on the scalability of cryptocurrencies such as Bitcoin or Ethereum, which are both restricted to conducting about 15 transactions a second. As demand goes up, these limitations will make transaction fees rise. The problem to solve is: how do you move beyond 15 transactions per second without compromising the integrity of the system?

A second security issue with blockchain is privacy. The nature of blockchain requires that information can be viewed by others. This presents a challenge for companies that want to pay suppliers or employees through a blockchain system. Researchers are currently investigating ways this can be done without compromising competitive or personal information.

Another issue that Boneh and his students have been focused on is adversarial machine learning. Engineers refine machine learning algorithms so that robots or vehicles can reliably recognize patterns. Boneh notes that “a growing number of results show how to attack these models.”

Some are breaking into the training data algorithms that make machine learning possible. Others extract the model and effectively steal it with malicious intent for the purpose of infiltration. As machine learning becomes more essential, it becomes more vulnerable.

Boneh views the fundamental problem as the fact that “the security industry is reactive. It is always focused on last year’s problems.” His research and students are a valuable counterweight to that tendency.

Cybersecurity Remains Foundational

Each of the four experts has a different perspective, but they all agree that cybersecurity remains foundational, growing and complex. AI, machine learning, security and privacy, supply chain vulnerability, and more security areas are fueling frenzied activity in this space.

Any single breach has deep ramifications and the potential to create havoc. Cybersecurity remains a long game.

Story via Forbes
