In cybersecurity, sharp eyes and speed are the new padlocks
The author of this Op-Ed is a veteran technology industry executive and former president of Intel Security.
It's distressing to learn State Department computer experts - despite three months of trying - can't get hackers out of the agency's email system, even with the government's admirable commitment of money and tech prowess to cybersecurity. Pair this news with revelations of NSA malware burrowed within computer hard drives worldwide, and we can conclude one thing: a lot of old, clichéd security metaphors are obsolete.
Cybersecurity has been sold since the dawn of the PC era with images of brick walls, iron gates, and steel padlocks. But infiltration cases like these make those metaphors sound like empty promises. Like Hogan's Heroes within Stalag 13, both good guys and bad guys have long planted flags inside their opponents' secure zones, and the security industry knows it. Time for a new playbook.
The cyberintelligence spyware first reported by the Russian security firm Kaspersky - with subsequent media stories tying in the NSA - hides deep inside target hardware, missed by antivirus programs and unperturbed by eradication efforts. The 30-odd unwitting hosts include Iran, Russia, Pakistan, Sudan - a grand tour of the world's hotspots - plus computers in the U.S. and United Kingdom belonging to Islamic activists and scholars.
The secret program may have yielded - well, filched - troves of information, amid constant honing, for nearly two decades. One banner headline in Computerworld screamed: "There's no way of knowing if the NSA's spyware is on your hard drive."
But numerous innocent entities learn they've unknowingly hosted bad-guy malware, too. The Wall Street Journal says the State Department case bears Russian hallmarks. (Moscow is thought to have hidden cyberattack malware within computers of now-and-then adversaries such as the Ukrainian government - ready for remote activation, just in case.) The culprits behind last year's Sony hack worked undiscovered for weeks inside the corporate cordon, exfiltrating terabytes of data. Traces of the infection probably still reside on Sony servers - a familiar story. The next headline-grabbing breach is undoubtedly already underway.
Nobody's claiming today's defenses are no use. They are actually pretty effective, repelling numberless incursions daily. But it's the high-profile lapses that make the news. Toss them all onto the bonfire of big hacks that torches public confidence in Internet security. The regularity of black hat wins, including this month's disastrous Anthem health care hack, which may have compromised another 80 million customer profiles, makes the best case for change.
It's time to acknowledge the futility of setting out to defend pristine, impregnable data fortresses. Heresy? Only to those overinvested in past practice. It's time for a new, practical security strategy emphasizing high environmental awareness, lightning response, and constant learning.
President Obama told Re/code cybersecurity has become "more like basketball than football... there's no clear line between offense and defense. Things go back and forth all the time." This is a new kind of warfare. So it is disquieting that the new White House cyberinitiative, a $35 million "Cyber Threat Intelligence Integration Center," is viewed as "an attempt to learn lessons from the past," as a Washington Post editorial put it - the way Pentagon generals study old wars.
Pearl Harbor and 9/11 were old-school defense breaches. The attackers stormed us in broad daylight, unambiguously, like football fullbacks. Anthem, Sony, eBay, Home Depot, Target: these cases are more like basketball. The adversaries are more about deception, infiltration, and finesse.
So we must shake off the compulsion to study old war stories. They offer scant lessons for confronting today's threats. Already working the problem 24/7, governments and businesses must take decisive new steps together for an era with few rules and fewer precedents.
We will not resign the standard perimeter defense and leave our virtual front doors open. But with belt-and-suspenders redundancy, we must add new moves to the old football-style defensive strategy.
Four specifics:
- First, we need network security solutions that give complete visibility - so managers know every minute who's on the system, where they're located, and what they're accessing. Such software already exists and works well, but requires additional investment. There is little choice in a "bring your own device" world where work traffic is no longer confined to uniform, corporate-issued laptops.
- Second, security systems have to do more than alert you to breaches. We're developing the built-in capability to pivot toward threats, isolate them, and "remediate" - that is, kill them and fix things fast. (The velocity of your intelligence-driven "kill chain" is the next big success metric in cybersecurity.) Next-phase security software will operate in constant learning mode, adapting to adversaries' strategies in real time.
- Third, the good guys don't talk enough. Security systems collaborate more today, and we are smashing silo-style constraints that limit knowledge of bad actors. But we pay a high collective price because public and private actors alike share too little information. To play our best game we need statutory support from Washington for rapid information sharing between businesses and governments. We need legal, managed, mutually beneficial data-trading that inspires public confidence, not taxes it. Credit bureaus that help competing stores flag deadbeats are an apt analogy. President Obama's executive order promoting data exchange among security companies is a step in the right direction. But the Washington Post is right to warn, "[E]xecutive orders and new bureaucratic units are not enough. The country's cyber enemies... require a far more robust response than has been mounted so far."
- Fourth, we need a widespread culture shift. All users must take a measure of personal responsibility for data security. Our society has solved big issues from vehicle safety to containment of infectious diseases this way, and it's time for the security industry to promote a similar mindset in cyberspace. (You can equip a car with air bags and safety gadgets galore, but it's ultimately up to the driver to buckle up and drive safe.)
Real-time awareness, lightning remediation, collaboration, and responsible habits: the pillars of new-school security.
A great deal is at stake, more than the millions spent on data breach recovery, more than the hard-to-calculate brand damage victims suffer. Each fresh case is a new test of users' faith in the Internet-connected world. After 2014 it became old hat to warn all companies, with a dash of knowing glee, "You've been hacked!" - whether or not they know it. But a world seen as brimming with breaches and malware is no laughing matter. Unless we justify public confidence in the now virtually indispensable Internet, we face diminished trust, lost business opportunity, and a digital future that is a shadow of the promise.
Never leave the front door ajar. But when trouble plummets down your chimney, lurks in your hot water tank, and masquerades as the groceries you carry inside, you need more than a brawnier padlock. Security calls for intelligence, speed, and collaboration.