The characteristics of the cybersecurity war in which we are now engaged are not dissimilar from any team sporting contest. Whether in football, baseball, or basketball, the game is won or lost on four key elements. Winning almost always comes down to offense, defense, coaching, and playbook execution.
The Five Keys
In cybersecurity, winners and losers are defined by their ability to beat their opponents in education, information, technology, economics, and leadership. We have seen over the recent past that the U.S. government and U.S. businesses do not possess a superior advantage in any of those five key categories.
Most recently, the amazingly clever and well-crafted assault on SolarWinds has left everyone in the community across all disciplines befuddled and marveling at how it could have happened, the extent of the damages, and more importantly, what to do about it.
Uneducated
In education, our universities have failed to develop and deliver cybersecurity programs to their students on any sort of mass scale. In fact, only in the past 3 years have we seen cybersecurity majors available at a limited number of colleges. Businesses have failed to educate their employees on the fundamental cybersecurity issues surrounding their specific job duties. We have tons of educational programs aimed at social sensitivity training, but very few are targeted toward an understanding of common cyber threats or the precautions necessary to avoid being hacked.
While we possess none of the knowledge and skills necessary to compete with a global cybersecurity threat, our adversaries have focused enormous energy and expense on building a trained workforce with extraordinary skills to not only deal with threats but also to militarize that knowledge as part of an active cyber offensive that is prepared for global conflict. As an example, North Korea began training electronic warfare soldiers well before the Internet era by selecting math prodigies and training them to become software developers, online psychological warfare experts, and hackers.
Our State Department estimates that there are over 10,000 trained cybersecurity hackers embedded in units of the North Korean military busily executing a variety of global offensive cyberattacks, many of which we hear about on a weekly basis. And of course, North Korea is not alone.
Uninformed
Information in cybersecurity means the intelligence each adversary has at its disposal for use in attack planning and strategy. A quick review of large-scale cyberattacks during the last four years would suggest that we know very little about our attackers, while our attackers know a whole lot about us. A classic example would be the Sony Pictures attack where forensic analysis seemed to point at the North Koreans, but many in the InfoSec community believe that it was the Chinese who conducted this attack as a social media exercise to gauge the U.S. response.
Our SolarWinds attack is another. While many in the outgoing administration are quick to point to Russia, a second attack this week indicated that there may be more than one attacker, or that both attacks may have been conducted under false flags.
As we witness countless cyberattacks on both private and public-sector entities, it is hard not to conclude that the actors have much more information about their targets, our defenses, and the technology we use to detect and protect than we have about their attack styles.
Lagging in Security Technology
On the technology front, you would think we would be blowing away the competition as we are always seeing claims of how we are the superior innovators and how countries like China regularly rip off our proprietary designs and copy them. But of the 4000+ software products in the space, only a very few of them are designed to detect modern and advanced malware.
For example, of the hundred-plus products that claim to be in the Cybersecurity Artificial Intelligence (AI) space, many are currently working to integrate AI technologies to aid with threat detection, yet these are only very recent developments and only a few have actually brought a commercialized product to market.
IBM’s Watson may be quite good at Jeopardy and Chess, but predictive analytics are usually most effective inside a finite space where the rules are known and the variables while many, are limited. Also, unlike in games like Go where again, Watson has proven to be masterful, our counterparts in cybersecurity don’t follow rules anyway.
Losing the Economic Battle
The economic picture is even less heartening as we watch threat actors using increasingly commoditized Cybercrime-as-a-Service tools costing as little as $25 for a fully functioning exploit kit to wage successful attacks against behemoths like Chase Bank who are spending a billion a year on cybersecurity defense measures. It’s $25 vs. $1,000,000,000 and the guy with $25 is winning.
Lacking in Leadership
But, the fifth essential key may be the most important key of all and it is the one that is definitely missing for the home team. The fifth essential key is leadership.
Businesses in the private sector do what they have always done in a capitalist system. They maximize revenue, speed to market, and profit, thereby satisfying shareholder value.
Manufacturers of hardware and software are only interested in responding to consumer demand. And right now there is no consumer demand for security. We are, for the most part, an entitled and optimistic society that would rather focus on desired outcomes than on attendant risk and vulnerability. We like the fact that we have plug-and-play stuff and we don’t like having to figure out how or whether to change the default passwords in that same stuff or in our home routers.
Time for Change?
We do, however, have a new regime in the White House and they may decide to don the cybersecurity leadership cape and head out onto the playing field with an agenda for change.
Change in the way we manufacture Internet-connected devices, in the way we design and deliver software applications, in our national security policy and processes so that the software manufacturers cease becoming the last to know that there are vulnerabilities in their products. Change in the way we interpret international law during a time of war so that we may interdict our adversaries and weapons dealers in cyberspace as we would on a physical battlefield and change in our education systems so that our students can prepare themselves for a future that will be defined by a clear existential threat.
And finally, a change in leadership, so that this single and perhaps most potentially devastating danger to our national interests is elevated to a level of policy definition on equal footing with our military defense, healthcare, social, and economic agendas.
If we fail to do this and instead continue to ignore the tremors along the fault line, we will soon reflect back on the last few years as a day at the beach compared to what we will be facing in the near future.