Elements of Cyber War is part of a four-part series by Steve King. He leads the Advisory Services practice at CyberTheory and is our resident CISO.
In our previous installment, we discussed the world of education in the context of cybersecurity. Steve discussed how the attacker/defender dynamic has become more asymmetric and the unfortunate state of our current skill base. In this final post, we discuss the most threatening and important attacker/defender asymmetry: Technology. With the looming adoption of 5G, the increasing alignment of physical infrastructure with connected devices, and enormous biometric data sets in the cloud, our Technology future will present great challenges for cyber professionals.
Drowning in Cool Technology
The fourth front in this cyber war is being fought in technology. The thesis is simple: We have too much, and it does us little good. I know I just made about 3,500 enemies. One of each of the 3,500 product vendors in the cybersecurity space, but if we are to be honest about our present state it would be hard to argue that we don’t have enough technology. Wouldn’t it?
SIEMs, PAMs, and End-Point, OH MY!
How many SIEMs does it take to screw in a lightbulb? How many EDR products? How many Firewalls, Network Behavioral Analytics tools, anti-virus offerings, vulnerability management platforms, threat intelligence feeds, etc.?
Does anyone pay attention to Gartner these days?
Everyone in the industry pretty much understands that if you are a large-check-writing Gartner customer, you kind of get to call the shots as to how you are positioned and in which quadrant you get placed, right? Small check writers, not so much. How is this even a legitimate industry analysis? And, what do actual end-users think about all these products? You know, like CISOs?
Who knows.
Why?
Because no one asks them.
Cyber Catalyst to the Rescue
Instead, the insurance industry has decided that through the Marsh brokerage unit of Marsh & McLennan Cos., a group of insurers will evaluate cybersecurity software and technology sold to businesses, collate scores from participating insurers, and with the assistance of Microsoft, they will identify the products and services considered effective in reducing cyber-risk.
Everyone is susceptible, but asking a leading technology vendor with a poor record of cyber-defense in its own product suite to sit in judgment over other vendors’ efficacy in reducing cyber risk seems slightly ironic.
The theory behind this plan is that a collaborative effort across many insurers has a better chance of bringing to light weak cybersecurity products that should be avoided by manufacturers in global supply chains. the Marsh initiative will focus on offerings that address risks such as data breaches, business interruptions, data corruption, and cyber extortion.
They are expected to include technology-based products such as firewalls and encryption, tools for monitoring threats, and training and incident-response planning. The Israeli cybersecurity company, Team8 is launching a similar effort in partnership with Moody’s in an effort to rate cyber risk based on a company’s cybersecurity technology implementation.
Wrong Focus
Instead of trying to assess which technology point solutions are the most effective in warding off known threat vectors, we should be focused on defending our most critical and highest-value assets, and then directing remediation efforts to those assets under attack.
In addition to the over-abundance of redundant technologies, none of which appear to be capable of stopping cyber-attacks, we also have an asymmetrical disadvantage in the attacker/defender technology dynamic.
Attacker/Defender Dynamic
The attacker has at its disposal, the very latest pre-programmed kits and techniques available both as software agents and as a service that can be used to penetrate and disrupt our latest defenses. We, in turn, develop new defense techniques whose effectiveness increases rapidly until it reaches a level of effectiveness that prompts adversaries to respond. Attackers quickly discover ways to evade the defense technique and develop countermeasures to reduce its effectiveness. That is the cycle we have been stuck in for years. Good for attackers. Bad for defenders.
Technological Solutionnism
In the meantime, we have just expanded our threat landscape through an almost universal embrace of an ideology called “technological solutionism”. This ideology seems to be endemic to Silicon Valley and it reframes complex social and technical issues as neatly defined problems with definite, computable solutions … if only the right algorithms are in place!” This highly formal, systematic, yet socially and technically myopic mindset is so pervasive within the industry that it has become almost a cartoon of itself.
Technology Solves Everything, Right?
How do we solve wealth inequality? Blockchain. How do we solve political polarization? AI. How do we solve climate change? A blockchain powered by AI. How do we solve cybersecurity attacks? A blockchain powered by AI with a pinch of advanced predictive analytics and a skosh of machine learning. This constant appeal to a near-future of perfectly streamlined technological solutions distracts and deflects from the grim realities we presently face.
Joke Fest
AI dominates technology discussions from boardrooms to venture capital LP meetings, to CISO conferences and the State Department. China continues to march far ahead of us in AI and ML technology, having stolen much of it from our own technology startups and has developed Quantum solutions we are still trying to understand. What do we do instead of developing our own Quantum capabilities? We haul frauds like Zuckerberg in front of Congress and get his promise to develop better AI for content moderation. But AI remains the tent-pole of the cybersecurity technology framework today. The now-old joke continues that if you want to raise VC for your cool new cybersecurity, make sure you include about 25 references to AI throughout your pitch deck.
AI Can Help
To build cyber defenses capable of operating at the scale and pace needed to safeguard our information assets, artificial intelligence (AI) could be a critical component in the tech stack that most organizations can use to build a degree of immunity from attacks. Given the need for huge efficiencies in detection, provision of situational awareness and real-time remediation of threats, automation and AI-driven solutions should be a major contributor to the future of cybersecurity.
But as we have seen, the cyber-crime statistics to date provide evidence that any technical developments in AI are quickly seized upon and exploited by the criminal community, posing entirely new challenges to cybersecurity in the global threat landscape.
Bad Guys Are Bad Guys
One weakness of machine learning models is that they require constant supervision to avoid becoming corrupted, which is something the bad guys will seek to do. The use of AI and ML in detection requires constant fine-tuning, and AI has yet to invent new solutions to security problems; Its principal value has been in doing what humans already do, but faster.
Leapfrog
Among the more nefarious uses of AI by our adversaries are worms that learn how to avoid detection or change behavior on the fly in order to foil pattern-matching algorithms.
An active worm with lateral movement can roam targeted networks undetected for years. Another risk is intelligent malware that can wait until a set of conditions is met to deploy its payload. Once attackers breach a network, they can use AI to generate activity patterns that confuse intrusion detection systems or overwhelm them with false probing threats. The highly targeted form of the phishing exploit known as “spear phishing” currently requires considerable human effort to create messages that appear to come from known senders. Leveraging AI, future algorithms will scrape information from social media accounts and other public sources to create spear phishing messages at scale. The use of AI by criminals will potentially bypass – in an instant – entire generations of technical controls that industries have built up over decades to defend against such attacks.
No Shortage of Innovation
In the financial services sector, we will soon start to see criminals deploy malware with the ability to capture and exploit voice synthesis technology, mimicking human behavior and biometric data to circumvent authentication of controls for assets found in people’s bank accounts. In short order, the criminal use of AI will generate new attack cycles, highly targeted and deployed for the greatest impact, and in ways that were not thought possible in industries never previously targeted. In areas such as biotech, for the theft and manipulation of stored DNA code; mobility, for the hijacking of unmanned vehicles; and healthcare, where ransomware will be timed and deployed for maximum impact. Biometrics is being widely introduced in different sectors while at the same time raising significant challenges for the global security community.
Forget Credit Cards – Whole Identities Instead
Biometrics and next-generation authentication require huge volumes of data about an individual, their activity, and behavior. Voices, faces and the slightest details of movement and behavioral traits will need to be stored globally in the cloud, giving cybercriminals streamlined access to exploit a new generation of personal data, all conveniently stored in a single place. For those CISOs and security analysts charged with defending our assets, understanding an entire ecosystem of biometric software, technology, and storage points makes it even harder to defend the rapidly and ever-expanding attack surface.
The “Solution” Ideology at Work in the Real Word
AI and Biometrics in the near term are not going to solve any of the problems that our current technology stack can’t solve. This is because most of our breaches and attacks come as the result of poor processes, inadvertent human error, insufficient human resources and skills, and either too many redundant technologies or too few of the wrong technologies. None of these problems will disappear because we have discovered the world’s coolest AI or Biometric solution for cybersecurity defense.
Deep Fakes and Fake Media
This “solutionist” ideology extends beyond cybersecurity and now influences the discourse around how to handle doctored media. The solutions being proposed are often technological in nature, from “digital watermarks” to new machine-learning forensic techniques. To be sure, there are many experts who are doing important security research to make the detection of fake media and cyber-attacks easier in the future. This is important work and is likely worthwhile.
But all by itself, it is not likely that any AI technology would help prevent cyber-attacks exploiting vulnerabilities that we fail to patch or to fix the deep-seated social roots of truth decay and polarization that social media platforms have played a major role in fostering.
AI Would Not Have Helped Equifax Much
I don’t think any technology argument would convince the remaining shareholders of Equifax that an AI solution would have automatically applied the patches necessary to prevent the Apache Struts attack. AI might have generated a loud alert that significant asset values were at risk, but the last time I checked, people still would have had to apply the patch and perform the config management required to cloak the vulnerability. System glitches don’t occur in a world that runs on the promise of AI or Biometric technology. Banking still runs most of its legacy systems on 220 billion lines of Cobol code. In 2018, system glitches dominated broad outages triggered by a cyber-attack. There are no magic AI wands that can automate legacy systems maintenance.
And it is about to get far worse. A new generation of 5G networks will be the single most challenging issue for the cybersecurity landscape, maybe ever.
Bigger, Faster, More
It is not just faster internet; the design of 5G will mean that the world will enter into an era where, by 2025, 75 billion new devices will be connecting to the internet every year, running critical applications and infrastructure at nearly 1,000 times the speed of the current internet.
This will provide the architecture for connecting whole new industries, geographies, and communities, and at the same time, it will hugely alter the threat landscape, as it potentially moves cybercrime from being an invisible, financially driven issue to one where real and serious physical damage will occur at a 5G pace.
5G will provide any attacker with instant access to vulnerable networks. When this is combined with the enterprise and operational technology, a brand new generation of cyberattacks will emerge. The recent ransomware attack against the US city of Baltimore that locked 10,000 employees out of their workstations will seem like child’s play.
Faster Cyberattacks
In the near future, smart city infrastructures will provide interconnected systems at a new scale, from transport systems for driverless cars, and automated water and waste systems, to emergency workers and services, all interdependent and as highly vulnerable as they are highly connected.
In 2017, the WannaCry attack took parts of the UK’s National Health Service down and required days to spread globally, but in a 5G era the malware would spread this attack at the speed of light. It is clear that 5G will not only enable great prosperity and help save lives, but it will also have the capacity to thrust cybercrime into the real world at a scale and with consequences yet unknown.
The bad guys including our nation-state adversaries will be leveraging 5G for maximizing their illicit campaigns, while we will be peddling fast just to stay alive. We don’t have the people or technology to combat and respond to the threats and we don’t have the discipline or resources to implement, manage, and maintain the controls necessary to defend our assets.
Smoke Em’ if You Got Em’
The most dangerous element evolving from “technological solutionism” is not that industry leaders are coaxed into the chase for the next coolest bright new shiny object.
It is Instead that the ideology itself is so easily used as a smokescreen for deep structural problems in the technology industry itself. What is now blindingly obvious to even the most casual observer is that technology has not been able to prevent breaches, loss of data, business interruption, data corruption, or cyber extortion.
Spend More Get Less
In fact, the more technology we develop and apply, and the more money we spend on cybersecurity defense results instead in a greater increase in cybersecurity breaches.
And those breaches are only the ones we a) know about and b) are reported.
Over the past decade, cyber-criminals have been able to seize on a low-risk, high-reward landscape in which attribution is rare and significantly greater pressure is placed on the traditional levers and responses to cybercrime.
What is interesting amid this onslaught is that businesses of all types remain in denial about the threat. It is clear from 10-K filings that even today in 2019, despite countless warnings, case studies, and an increase in overall awareness, it is only in the aftermath of a cyber-attack that cybersecurity moves high onto the board agenda in any meaningful way. In the year before it was hacked, Equifax made just four references to ‘Cyber, Information Security or Data Security’ in its 10-K filings vs. the credit rating industry as a whole averaged 17 references and an overall US average of 16 cybersecurity references.
Hey, Cybercriminals: Just read the 10-Ks!
In fact, Equifax’s four references matched the average for credit rating agencies way back in 2008 when cyberattacks were rare. This suggests a full decade of under-prioritization of security by the company. The term ‘cyber’ is featured more heavily in Equifax’s report than that of leading cyber-security specialist FireEye, who recorded 117 mentions of ‘cyber’ to Equifax’s 139. Equifax’s breach costs are currently totaling $1.4 Billion since the breach, while FireEye’s entire operating expense equals $1.4 Billion over the same two-year period. Is it obvious that organizations with fewer references to cybersecurity in their annual reporting are less security mature and more likely to be breached? Or, is it more likely that cybersecurity is not high enough on the agenda for the board and C-suite executives to feature it in their flagship report?
With the annual report being such a significant communications tool, we can use it as an indicator of the strength of the top-down security culture within an organization, and so can our adversaries.
In a stunning example of this information asymmetry, we see that cyber-criminals can follow a similar process as part of their open-source intelligence, identifying likely corporate victims perceived as the lowest hanging fruit. It is not a coincidence that Marriot, Anthem, Equifax, Yahoo, Home Depot, Sony, Adobe, etc., were among the many with the fewest 10-K references to cybersecurity.
Our thesis has been that the attacker/defender dynamic confers an asymmetrical advantage on our adversaries in technology, information, education, and economics. And, in every theater, we are losing and being badly outpaced.
If we stay in denial and do nothing to change the course, in the next few years, the landscape will worsen significantly and any chance of protecting information assets, assuring truthful social media, and providing data privacy will disappear completely.
Existential threats? Forget about Global Warming. 12 years from now we may all be speaking a different language