For those of you who have seen Matt Damon in The Martian, there is a great line following the character Mark Watney’s discovery of his rather dire predicament, where he states, “I’m going to have to science the (expletive) out of this.” It’s a great line and eerily representative of how many of us feel when we are about to tackle a huge, perplexing problem. Over the last decade, the tech field has experienced an explosion of firms in the Cyber Security arena. Attendance at nearly any vendor based symposium/seminar will show you that there is no shortage of products being developed which claim to offer the singular solution necessary to protect networks against the ever-present dangers of hackers and the Advanced Persistent Threat posed by nation states. Here is the problem, the tech industry can’t completely science or tech their way out of this dilemma. It is the clear truth which we are long to embrace.
There is a part governments, think-tanks, industry intelligence groups and others can play in closing the loop on the Cyber Security problem. In the early 1600’s the world had been changed radically by the development of sailing ships. These ships allowed new and developing nations to begin to trade their goods in far off lands. These ships created the ability for man to explore the far reaches of his surroundings, gather goods and resources and bring them home to be seen by those who could not travel; more importantly sold to those who needed the goods. These ships, in fact, made the world a bit smaller, by bringing nations and people closer together through commerce, travel and education. Out of this trade the face of criminality began to take on a new look. Competently trained and skilled sailors (it’s not easy to operate large sailing ships and to navigate the globe) decided to use their technical skills and target these ships as they traversed the open ocean for the purpose of theft and other violent acts. It was the birth of a special kind of criminal enterprise. It was the golden age of piracy.
Piracy has in fact been around for thousands of years. I use it now as an analogy because the similarities are striking. Sailors, in these times, were essentially the skilled workers of their day. It’s odd how they are characterized in writings and stories as rather short on intelligence and long on desire to obtain gold. They were in fact very skilled. But, they decided there was a living to be made on the edges of society by using their skills to steal the physical property and wealth of others. Beginning to sound familiar? There was even a time where existing nations began to use these pirates to conduct their bidding on the high-seas thereby providing repudiation. Sounds even more familiar.
The scourge of piracy had a definite impact on commerce. It also gave rise to other industries. Lloyds of London, established in the early1600s, was a product of the times and created the worlds first global risk management enterprise. Not only was there a chance that sailing ships, carrying valuable cargo, might fall victim to violent seas and other acts of nature; there was also a great possibility that their valuable cargo and the entire ship my simply be stolen by raiding marauders. Insurance is still around, and beginning very aggressively to craft policies to cover data breaches and the cyber security industry continues to grow by leaps and bounds. Current estimates include expectations of nearly $90 Billion on Cyber Security globally during 2017. All to protect us from these skilled and talented criminals who have decided to use their technical proficiency to steal from others.
Piracy still exist today. It has been relegated to a few rogue regions on the world’s oceans where companies now know to expect this activity, but it is still largely safe to sail the oceans of the world. This did not happen because of security on ships. The golden age of piracy came to an end when the governments of the world (largely the British Empire) decided that allowing this practice to continue no longer worked in their interest or in the interest of any other trading nation in the world. Governments do have a part to play in solving this dilemma.
The solution to the cyber security problem requires an all hands-on deck effort. The key players are the world’s leadership (governing, law abiding nations), the private sector and yes, technology. But what part does each have to play in securing our networked environments? First, governments need to establish some baseline of what is accepted behavior on the internet and it needs to extend beyond simple horrid criminal acts, such as the exchange of child pornography. An international agreement, by the world’s leading nations needs to better define behavior and acceptable practices, so that we may all then develop laws that protect the web environment and its activity. Until there is international agreement on the rules of the road, there can be no agreement on what constitutes out of bounds behavior or suitable punishments reflective of illegal behavior. These proposed borderless agreements need to cover the spectrum of both active cyber activity (hacking, the development and use of malware and even spear phishing) and that which we might see on the horizon. As I will tell anyone, the technology is moving and developing at a pace which outpaces the legal and regulatory side of the house. Technology development should not have to wait, we should learn to move faster in protecting it.
There should be an international agreement on the establishment of baseline security frameworks (ISO, NIST, COBIT). This requirement should find its way into trade requirements, product development and daily network operations. In order to drive business into these frameworks there should be a security grading system that allows businesses access to certain markets. So yes, there needs to be some level of regulation. I envision a time when the requirement to have been audited, maintain a certain level of insurance and the utilization of baseline frameworks becomes the norm to do business in the global markets. We have the same level of government involvement in nearly every facet of life, from the vehicles we drive, to the airplanes we use to travel for personal and business reasons.
What can the private sector do? Well, the private sector has an important role to play in this solution. The first would be to participate in the process of developing the regulatory framework from which they will all be operating. Nothing could stall this faster than private sector lobbying to prevent the adoption of protections and regulations which are meant to safeguard both business and consumers. By participating in the development of these boundaries we are much more likely to happen upon the solutions which create an agreeable balance between regulation and business practices.
The development of protective technology, AI, the increased use of encryption, defense-in-depth, intelligent/heuristic based protection systems all play a role in hardening the environment. I’m not sure there is one simple solution, but because there are so many nodes and vectors of access there clearly needs to be walls and barriers to prevent threat actors from easily gaining access to important information. Is the encryption of all data at rest and in transit the key? I’m not certain and there will be many who view this and offer opposing and support opinions alike.
I am a lover of technology. I have always been fascinated by it and its ability to close the gap on many of mankind’s both important and unimportant issues (we could have all done without the ever prolific selfie). I believe technology and science will lead us to fascinating discoveries, many of which I won’t be around to see. But if the past 30 years is any indication of the level of advancements ahead of us, the future looks amazingly complex and digital. The world had better get a hold of this beast before it gets a hold of us.
Twitter: @mk_palmore
Website: www.security-leadership.com