Is the answer to the cybersecurity challenge really a technical issue?
Chip Block
Vice President and Chief Solutions Architect at Evolver, a Converged Security Solutions Company and CEO/CTO of Kiwi Futures, LLC
cyberspace - A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the internet, telecommunications networks, computer systems, and embedded processors and controllers. NIST 800-30 Rev 1
Send lawyers, guns and money, the sh** has hit the fan. Warren Zevon
To say that the cybersecurity world is at a challenging place is an understatement of monumental proportions. Coming off the news that numerous federal agencies and major corporations were the victims of a major, persistent attack lasting over nine months through the SolarWinds compromise, almost all sectors of the economy are reeling from another year of major cybersecurity losses. This is on top of record spending to improve overall cybersecurity. A survey by the insurance firm Hiscox found that the companies surveyed spent over 39% more money and nearly doubled their readiness compared with the previous year. At the same time, the average loss from cyber events increased by almost six times, and the firms surveyed reported a combined increase in cyber losses from $1.2B to $1.8B. In other words, we are spending more, improving capabilities and still losing badly.
More importantly, the landscape is changing.
For those of us who have been working in this field for a while, the mantra has been to “protect cyberspace”. As shown in the NIST definition above, “cyberspace” is defined as the interconnected backbone that links our computer processing capabilities. In other words: protect the network. What we have seen in the past eighteen months or so is that it is not just the network that is at risk; every form of computing device is a target for attack. From medical devices to electrical controllers to commercial software, everything is at risk, and the form of attack is not necessarily the network. Attacks can range from tampering with components during manufacturing to phoning the CEO’s assistant and tricking them into transferring millions of dollars.
In other words, “cyberspace” does not exist anymore. There is no boundary.
Why the SolarWinds Attack Is So Important
Many reading about the SolarWinds attack are probably assuming that this is just another attack along the lines of what you read about every day in the news. There are some fundamental elements in this attack that have much greater implications. As described in the CrowdStrike paper SUNSPOT, the attackers went to extreme lengths to embed themselves in SolarWinds’ software development processes and tools. They didn’t hack into already developed code; they built and injected the code alongside the SolarWinds developers. A foundational concept in cybersecurity is to look for anomalous behavior of systems, software and people in order to identify attacks. In the SolarWinds case there is no anomalous behavior: the software works exactly as designed. The problem is that the attackers did the design.
Even more disconcerting is that the product compromised was a network management and monitoring tool. Had it not been discovered by FireEye, it is hard to imagine how long this compromise might have gone on. Of course, this also raises the question: what other tools have been compromised? How would we know? The very tools that are supposed to alert us to nefarious activity could themselves contain compromised software. There has been a lot of discussion lately about moving to Zero Trust. We may be there now whether we like it or not.
The other reason this attack has fundamental implications is where it occurred in the software life cycle. Over the past several years, everyone has touted rapid innovation due to agile software development and DevOps. We have all heard stories about companies having hundreds, if not thousands, of software releases a day. As security became more of a concern, the new trend became DevSecOps: in other words, development to security to operations in record time.
Here is the problem: it now appears the security issue is the development process itself. Since the SolarWinds attackers embedded themselves in the development process, whatever the security tools scanned would have appeared perfectly normal. Maybe we need a new acronym: SecDevOps. Acronyms aside, this is a critical technical and business issue.
That new cell phone, website or military command and control capability is being created in record time, with amazing features, because of a culture of software development built on reuse and sharing by developers around the world. Code is pulled from open source libraries, company repositories and commercial vendors with a simple click of the mouse. This rapid and easy code reuse is a cornerstone of agile development. If adding security slows down, or even breaks, this paradigm, the impact goes directly to the speed, functionality and profit of those organizations.
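One concrete control that follows from the SUNSPOT description and from the reuse-heavy pipeline described above is to treat the build's own inputs as something to verify, not trust. The script below is an added example, not code from the article, CrowdStrike or SolarWinds: it records a manifest of SHA-256 hashes of the source tree at check-in time and verifies the tree again immediately before and after compilation, so a file swapped in while the build runs is reported even though the compiled program still "works as designed". The directory layout, file names (`src/Monitor.cs`, `src/Extra.cs`) and file contents are constructed for the demonstration, and the chosen source suffixes and the single-manifest scheme are assumptions, not any vendor's actual build procedure.

```python
"""Source-tree integrity check for a build pipeline (added example).

A trusted manifest of SHA-256 hashes is taken when source is checked in.
verify_tree() is then run before and after the compile step; any file that is
modified, missing or unexpected relative to the manifest is reported. All
paths and contents below are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large sources need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".cs", ".csproj", ".c", ".py")) -> dict:
    """Map each source file (relative POSIX path) under root to its SHA-256.

    The suffix list is an assumption for the demo; a real pipeline would
    cover every file the compiler reads.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            manifest[path.relative_to(root).as_posix()] = file_sha256(path)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the tree against a trusted manifest.

    Returns {relative_path: "modified" | "missing" | "unexpected"}.
    An empty dict means the tree matches the manifest exactly.
    """
    current = build_manifest(root)
    findings = {}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            findings[rel] = "missing"
        elif actual != expected:
            findings[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            findings[rel] = "unexpected"
    return findings


def demo() -> tuple:
    """Record a manifest, simulate a mid-build file swap, and re-verify.

    Returns (findings_before_tamper, findings_after_tamper).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        # Constructed sample sources standing in for a checked-in tree.
        (root / "src" / "Monitor.cs").write_text(
            "class Monitor { /* constructed sample source */ }\n")
        (root / "src" / "App.csproj").write_text("<Project />\n")

        trusted = build_manifest(root)       # taken at check-in time
        clean = verify_tree(root, trusted)   # pre-build check: expect {}

        # Simulate a source file being replaced and another being dropped
        # in while the build runs, which is what this check is meant to catch.
        (root / "src" / "Monitor.cs").write_text(
            "class Monitor { /* replaced during build */ }\n")
        (root / "src" / "Extra.cs").write_text("class Extra {}\n")
        tampered = verify_tree(root, trusted)  # post-build check
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before build:", before)
    print("after build: ", after)
```

The point of checking after the compile step as well as before is that a build-time implant only needs the swapped file to exist for the duration of the compile; comparing the tree against a manifest produced outside the build host, and storing that manifest somewhere the build agent cannot write, is what makes the result meaningful.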
So what should we do?
Lawyers, Guns and Money
This is the part of this paper that will likely get people shouting at me. In July 2018, I wrote an article titled “Why the White House Cyber Czar Should be an Economist”. I got some interesting comments, not all of them positive, for suggesting that if we really want to change cybersecurity, we need to change the underlying economics. I guess you could say I am doubling down on that point now.
Our continued attempts to solve the cybersecurity challenge by purely technical means are just not working. As I showed at the beginning of this article, the amount of money spent on cybersecurity is growing, the maturity of companies is getting better, and still the losses are going up. The answer just might be lawyers, guns and money.
Lawyers – What I mean by lawyers is law in general. Cybersecurity, and technology in general, is a rapidly moving environment. Having regulations and laws that were drafted in the 1990s, or in some cases the 1970s, just does not deter or incentivize any of the actors involved. The primary Congressional, federal and state actions taken so far have been regulations that punish those who get attacked, the theory being that if everyone has better cyber hygiene, the attackers will be deterred and give up. That is not working.
Many of the most fundamental legal areas need to be resolved. For example, who actually owns different types of data? What rights do they have on the movement, storage and sharing of that data? What is considered an act of war from a cybersecurity perspective? Should companies be required to have cyber insurance for different types of businesses? What should be the minimum jail sentence for hacking a system?
There are also going to be new issues that arise. As an example from the SolarWinds case, here is an interesting question. If you read one of those long license agreements for software, it essentially says that the software “will work as designed.” In an odd twist, the SolarWinds software did work as designed. It is true the attackers created the design, but the software did work as it was supposed to. I am being a bit facetious, but issues like this arise all the time. It has been about two years since the Mondelez – Zurich insurance case over whether NotPetya was an act of war. We still do not have a ruling on that. Lawyers need to speed this up.
Guns – There are two primary types of attackers in the cybersecurity space: cyber criminals and state actors. Contrary to common belief, these two groups are not always clearly separated. That said, there needs to be greater international understanding of what the acceptable boundaries of military and intelligence actions are. Given recent activities and the current state of technology, it does not take much of a stretch to imagine an airplane being crashed, or a major terrorist attack carried out, purely through cyber means. Going back to the SolarWinds attack, what if the software development environment of a major defense contractor were similarly compromised?
I believe this is an area where we may be heading for a cultural clash. For those who are either a) interested in the history of the internet or b) old like me and lived through the development and growth of the internet, the non-attribution nature of the early internet is what sparked its growth from an academic file sharing system into the engine that drove worldwide innovation. As described in Walter Isaacson’s book The Innovators, countercultural groups latched on to the free expression and non-attribution aspects of the internet to fuel its explosive growth.
It is hard to imagine addressing the act-of-war and criminal culpability issues without changing the attribution elements of current computing. Coming back again to the SolarWinds attack, the primary objective of the attackers was the manipulation of credentials so that they could view assets horizontally across an organization, both cloud and on premise. Strengthening identity also means increasing attribution. Suddenly, being anonymous on the internet becomes significantly more difficult. As with many things, the tradeoff for security will likely be freedom and flexibility.
Money – I am sure those reading this assume I am about to say spend more money. That is part of the answer, but I do not believe we can simply buy our way out of the cybersecurity challenge. As I mentioned in my 2018 article, what has to change is the core economics driving the hacking community. Right now, the cost to attack is very low and the return is very high. As described in the Hiscox paper, over the past year the number of attacks has actually decreased, but the return on those attacks has increased sixfold. In other words, the economics are getting even better for attackers. We have seen the move from stealing credit cards, to ransomware, to ransomware with data theft, to business email compromise. The return on investment went from tens of thousands to tens of millions of dollars in just a few years. The attackers keep evolving toward new and better returns on their activities.
We need to change the economic equations. As discussed in the Lawyers and Guns sections above, this will likely involve several fundamental changes, including attribution and legal reform. Clearer definitions of what is legal and what isn’t, combined with stiffer sentences for hackers, are one way to increase the cost of hacking. Obviously, an overall increase in cyber hygiene across all organizations also raises the cost to hackers, because they need more complex exploit technology.
I also propose another way of significantly changing the economics of the cybersecurity world: self-aware data. Michael Conlin, former Chief Data Officer at DoD, and I wrote a paper on this topic late last year. It can be found here: Toward A Data Aware Cybersecurity Strategy. This paper calls for changing from a network based cybersecurity model to a data centric cybersecurity model. In other words, how data moves from point A to point B, how long it stays on a computing device, who can see the data and how it is monitored is driven by the data objects themselves, not by the underlying network. This impacts the economics because the greatest amount of money can be spent on the highest value data, and hackers will likewise have to spend more money to capture the most valuable data. It also makes data significantly more atomic and perishable, driving down the return hackers get from their attacks. This, too, has a cultural cost in fields such as auditing, data analytics and law enforcement, which become significantly more difficult and expensive due to the lack of consistency of data. These are trade-offs that I believe, however, are worth making.
Obviously, stating that cyberspace is dead is a good attention grabber, but the core concept is true. We do not live in a world with network boundaries. The loss of boundaries, and the threat to almost all elements of the technology spectrum, forces us to think differently. As the song says: send lawyers, guns and money, get me out of this.
Business Executive with P&L responsibilities - Cyber Executive - General Manager Fed Business Unit
4 years ago
This is a very good read....
Consultant in Organizational Dynamics, Strategy and Strategic Communications
4 years ago
Chip, really compelling and timely article. I think your problem definition of the economic drivers is key. Concurrently to that, I think Development Organizational Culture is implicated as well. Development Culture tends toward product out the next iteration versus internal security. Many developers see the security team as a "necessary evil" holding up the process. As you alluded to, better cybersecurity hygiene in the development environment and OPSEC with the development teams is needed. There needs to be more ongoing code review and testing throughout development rather than rushed to meet the latest scrum cycle. The SecDevOps that you mentioned does exist a little now in DEVSECOPS, but it is focused on the mature product phase, not the complete lifecycle. SecDevOps really needs to address the fundamental culture and process challenges in the same way that the introduction of Agile transformed software development, and that took 20 years to implement.
Revenue Acceleration Consultant, I help clients transition from solution selling to buyer facilitation via customer-led growth strategies and differentiated conversations that resonate to drive pipeline & win rate.
4 years ago
Great piece Chip. Happy 2021. The future is brighter than it has been for years.
Some good points here, but let me add that the answer to the cybersecurity challenge never was technology, and I think that most experienced cybersecurity experts do not subscribe to this idea. Less experienced people might. Bruce Schneier said a long time ago, "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." Secondly, I believe that we will never "solve" the cybersecurity problem; we can only strive to manage it better, the same way that we haven't "solved" crime or wars.
Founder of the FAIR Institute, President of Safe Security
4 years ago
And yes, to Denny's comment, these issues led to the creation of the Cyberspace Solarium Commission in the US, which also came up with 72 concrete recommendations... that I hope the new administration in the US will take to heart and consider implementing... fast!