Why We Are Losing The Cyberwar

For the better part of the last ten years, we have been unwillingly engaged in a developing set of battles on several cyber-fronts, including business, healthcare, industry, education and government.

These have been largely a disorganized set of skirmishes that usually result in the attackers making off with valuable personal information, ransom attacks where money is extorted in exchange for abducted information or computing assets, the co-opting of business processes that have led to outright financial theft, and hacktivism that delivers havoc to political processes.

Each industry sector has tried to defend against these attacks in a variety of ways from upgrading cybersecurity technologies to increased training and staffing to the hardening of assets and the adoption of new policies and strategies. Yet, in spite of sometimes extravagant efforts, the bad guys keep winning.

Why? It’s because we are fighting an asymmetrical war with expanding attack surfaces and we lack a unifying purpose.

The lack of symmetry plays out on a variety of separate fronts. Economic asymmetry pits a simple malware exploit kit available for $50 on the dark web and a self-taught teenage assailant with a PC and an Internet connection against a bank with a $250 million annual cybersecurity budget, and the teenager wins.

Informational asymmetry sets our siloed and segmented defenses up against masquerading attackers about whom we have almost no information and who require very little of their own to be successful. A brute force attack is simple and easy to launch, turns almost all connected devices into an army of network bots and can result in the complete take-down of Internet access across much of the US for an extended period, as we saw in the DDoS attack on October 21st, 2016.

Informational asymmetry also results in our continuing failure to identify the exploitation of legitimacy or to correctly attribute the source or nature of our attackers. We are never sure whether Russia or Iran or China or young Harry White living in his Mom’s basement down on B Street is the actual attacker, and that uncertainty of course dramatically affects our ability to respond or even develop a policy for response protocols.

As an example, it now looks like China likely recruited the hacker who pulled off 2015's massive cyber-attack on Anthem where 78.8 million consumer records were exposed ... but we don't know that for sure. Seven state insurance commissioners conducted a nationwide examination of the breach over the last 2 years and hired Mandiant to run its own internal investigation.

In spite of uncovering only the apparent source IP address, they concluded that the hack originated in China and began when a user at an Anthem subsidiary opened a phishing email which gave the hacker access to Anthem's data warehouse. Devastating to Anthem and the 80 million covered who lost all of their sensitive PII, but we still don't know who did the crime.

Anthem has since invested some $260 million into improving its IT infrastructure and beefing up its cybersecurity apparatus, but the insurance commissioners and Mandiant agree that without assistance from the Federal government to hold these threat actors accountable, we will not be able to stop foreign governments from assisting in cyber-attacks of this nature.

Resource asymmetry stacks up our small contingent of trained defenders protecting millions of applications and systems located in fixed positions against tens of thousands of unknown global cyber attackers examining tens of millions of dispersed targets. In terms of military tactics, state armies like ours generally fight in an orderly framework while non-state and individual terrorist organizations successfully use guerrilla cyber-methods designed to overcome the disparities in power.

Since we don’t know who we are fighting and we must defend fixed positions without specific rules of engagement, it makes it quite difficult to successfully engage.

Infrastructural asymmetry highlights the actual nexus of our physical vulnerability as the imbalance offers our attackers fixed and aging targets upon which all of us depend for the most basic of functions like heat, light, communication and power and water, food, health and transportation. Assuming we actually have technological superiority, it will be quickly cancelled by the destruction of the electric grid, roads, ports, food and water supply systems in highly populated areas, which will dramatically impact the economy and affect our national morale, while our attackers neither require nor depend on any infrastructure beyond the Internet and the dark web.

Lacking a unity of purpose, we compound our imbalances. We have no idea who the enemy is, and we possess only a vague notion of why we should be engaged.

The last time this happened, we lost a brutal war in a little country called Vietnam.

If asymmetric warfare doesn’t give us enough to worry about, we are also surging ahead with IoT (Internet of Things) device integration in all aspects of our daily lives. We are adopting increasingly complex mobilized access via our smartphones, our clothing is now connected, and we will soon be adopting driverless vehicles.

All of this technological advancement creates scads of new attack surfaces that we are not sufficiently addressing as we rush new products out the door. With the billions of objects that are expected to be networked within the next few years, issues of identity and trust, data protection, access control, and device control should all be areas of grave concern, not just for business, but for public sector agencies and personal safety as well.

Our failure rate in combating ransomware is a small example of how poorly we have been coping with the onslaught thus far. Imagine the terrifying convergence of ransomware and the expanding IoT, raising questions like how much you would be willing to pay to regain access to your TV programming, or your refrigerator, your baby monitor, your car, or your defibrillator.

Today, over 75 percent of hospital network traffic goes unmonitored, putting connected devices with access to sensitive patient information at risk. Think about that number the next time you are being wheeled into surgery.

Do you think the future of cybersecurity defense will be [a] harder or [b] easier? And, given that in spite of increased spending of 15% per year on cybersecurity to the tune of $85 billion in 2016, our current success rate diminishes steadily year over year (16% more successful breaches in 2016 than in 2015), do you think we will be [a] more successful in the future, or [b] less successful?

If we continue to approach cybersecurity in isolated product silos the way we have, we will end up where we are today, only less safe and increasingly less protected against future threats. So much is at stake now that I look forward to RSA 2017, not with the hope or expectation that we will see some shared vision Cyber-Moonshot forming to fight the forces of evil, but rather a glimmer of progress toward the recognition and acknowledgement that we are [1] in a war and that [2] we are losing.

Instead, I fear we will see the launch of another 35 venture-backed point solutions based on predictive analytics, advanced data science, adaptive machine learning, artificial intelligence and cognitive piped neural networks that will surely rock those bad guys back on their heels this time and ban them forever into the deep recesses of cyberspace. 

A handful of investors and entrepreneurs will get rich, yet we won’t be one step closer to a secured business, organizational or homeland environment than we were at the same time last year. 

William .

Cyber | Bold Decision Maker | R & D Exp. | Outside of The Box Thinker | Systems Thinking | Army Veteran | Speaker | Blockchain Fan

8 years ago

Train and hire military veterans to fight in the Cyberwar. They are smart, adaptable and already have a security mindset.

Brian Keith

Founder and Principal at CyberHive?

8 years ago

Another great article from Steve King!

Ezhilarasan A, CISSP

Cyber Security Consultant & Specialist (DevSecOps, SOC & GRC)

8 years ago

Nice article


I agree, we are at a cyberwar. However, I would argue that we are losing battles, not the war itself since you do not lose a war without surrender. Having said that, I also agree that point solutions are not the way to win.
