When it comes to recent cybersecurity talks, the prevalent theme seemed to be, “We know we need to do something, but what?”
The recurring questions are: Where do we start, and how fast do we need to react to stop cyberattacks? What's become quite clear is that if we are to secure our digital world, we need to do it with technologies that run as fast as the networks and applications in which they operate — in milliseconds.
Repeated time and again in recent discussions is the need for proactive defensive measures in cybersecurity — and how quickly they must react to stop today's hacker. Even the language in the new cybersecurity bill seems to fall short of true cybersecurity protection, as it is more based on the sharing of information to assist in the detection and recovery of a cyberattack rather than a proactive cybersecurity solution that would stop the attack.
And this leads to a few important questions: Is there a big disconnect between the public and the private sectors when it comes to what cybersecurity is supposed to achieve? If so, what is that disconnect, and how can we move forward?
The way the public sector reacts to a cyberattack is much different from how the private sector reacts. When the public sector responds to an attack, officials immediately disclose the attack in order to obtain additional funds to fix it. In the private sector, however, officials don't want to disclose the attack because the company will take a stock hit — which would reduce revenue sources that could be used to fix the problem.
The public sector typically looks at problems after they've occurred and then tries to get funding to analyze the size of the problem and how to control it. The private sector tries to immediately address the problem, running it through a risk management process to evaluate how expensive it is and how much it will cost to fix.
Even private-sector technology providers' loyalties differ compared to their counterparts in the public sector. This was clear when 22 of the largest tech companies were firmly against the controversial Cybersecurity Information Sharing Act (CISA) due to their customers' privacy concerns. Knowing this, the passing of the recent cybersecurity bill by the U.S. Senate explains clearly why there is so much opposition between the two sectors: They haven't been on the same page from the start, because they serve different customers and operate their organizations very differently. We spend a lot of time and money in cybersecurity only to be left with technologies that potentially deter attacks or historically define when and how the attack occurred.
Keith Alexander, a retired U.S. Army general and founder and CEO of IronNet Cybersecurity, made two straightforward comments about cybersecurity in a keynote address at the University of South Florida Cybersecurity Center Annual Conference earlier this year: “Our current cybersecurity technologies don't work,” he said, and, “we need to focus on proactive defensive cybersecurity technologies.”
Although Alexander called CISA “a good start,” the bill is now reaching its fifth year trying to get approval. It will then take years of public/private breach information-sharing before cyberattack improvements would be realized. Many are saying that passing this cybersecurity bill has taken so long that the solutions for addressing cyberattacks suggested in the bill are now obsolete.
In an article focusing on cybersecurity insurance, Scott L. Vernick, a partner at Fox Rothschild LLP in Philadelphia, called cyberlegislation a good first step, but “we shouldn't get carried away” about what it can and cannot accomplish given that cyberattackers “are changing what they're doing in milliseconds.”
The private sector's response to leading-edge cybersecurity technologies is not much better. Combine private-sector technology purchases with product lifecycle time frames, and it's nearly a guarantee that the "security" in cybersecurity will always be behind the curve. Both the public and private sectors are at fault here; they are more the reason for a lack of cybersecurity defensive technologies than part of the solution.
So where is the disconnect in truly understanding how to achieve superior cybersecurity solutions and rapidly offer leading-edge services that work?
When a large technology company or government research group evaluates a proof of concept for a fix to cyberattacks, that fix is immediately met with resistance, even if the technology works. From the government side, it is how that technology could work with technologies in already-funded programs — technologies that may be inferior, or even obsolete. These technologies are funded by big research grant monies that take so much time to get approved that the money and studies continue flowing even if the technology is going in the wrong direction.
Those in the corporate world may be caught between having a superior technology but needing to recoup investment of an inferior technology before that superior tech can be allowed in. And because years pass between these decisions being made, hackers have plenty of time to change their game plans. As these delays continue, hackers have time to obtain information from government entities, standards groups and corporate product releases that disclose what they're doing. So as big government and big business stifle new ideas in defense cybersecurity technologies, hackers can continually place themselves ahead of the obsolescence curve — always putting themselves in the position of cyberattack innovator.
Large organizations also have a need to centralize cybersecurity technologies for control and profit. This is the main reason for standards groups and open architectures that can put a thousand eyes on a particular cybersecurity architecture. There is value in these standards, but cybersecurity works at a very granular level — right down to individual, location and processes of the digital technology used. Essentially, use of the same cybersecurity solution may greatly differ depending on who, where, what and why it is used.
Most cybersecurity technologies are focused on protection and prevention by analyzing historically logged digital analysis techniques while adding access and encryption techniques for intrusion prevention. In reality, what's needed are technologies that audit in real time the uniquely targeted security policies and events of a particular process or ecosystem that often occur in milliseconds. This millisecond requirement has been echoed by both Arati Prabhakar, director of the Defense Advanced Research Projects Agency (DARPA), and an IEEE citation by the Department of Homeland Security's Peter Fonash and Phyllis Schneck in “Cybersecurity: From Months to Milliseconds.” This need is now being demanded as a proactive cybersecurity requirement echoed by many industry and government leaders.
As a cybersecurity advisor, I have proposed the need for this millisecond cyberdefense capability — and I've found working and patented technologies available and ready for use to address this requirement. These technologies were already lab tested and are well beyond proof of concept; they are ready for targeted deployment. What my associates and I struggle with, as do many innovative idea companies, is how to get this information out and technologies deployed within the established bureaucracies in both the public and private sectors.
If even working solutions can't find a rapid process of evaluation, hackers will always maintain the technological advantage. Do you think hackers submit proof of concept to bureaucratic oversight groups to see if their stuff works? Of course not. They just do it and see if it works; they aren't waiting for someone’s permission. And if we are to close the innovation window between needed cyberdefense technologies and advanced cyberattack technologies, we must find avenues of testing and deploying cyberdefense technologies in the same manner.
The process of evaluating hackers by determining how they hacked somebody is flawed. For starters, it takes too long to share the data without potentially disclosing personal information not related to the breach, as the scrubbing of non-pertinent private information could take months. By that time, the hacker has already morphed a new version of its cyberbreach exploit, which means those trying to protect against these attacks will just be playing catch-up.
We must focus on cybertechnologies that define the correct digital actions taking place and audit these events as they are used — which means tackling them in the millisecond windows in which our digital systems operate.
When it comes to cybersecurity, many recurring facts are oddly misunderstood. For starters, cybersecurity is local and it is often human-initiated, but then it operates as a microsecond machine-to-machine action that often cannot be traced.
From access to activation, we pass through multiple digital ecosystems with devices that can be leveraged to hack unrelated digital system processes in a millisecond. With millions more digitally enhanced devices projected in the near future, we need to effectively focus on authenticating, viewing, auditing or blocking these millisecond machine actions as they relate to the security policies of our accepted processes and digital ecosystems.
This is the reality of the millisecond machine action cyberworld we live in today — it's one that is rapidly growing, adding the potential of many more system breaches. If we are to enjoy the amazing digital technologies of today and the many more on our doorstep, we must find and deploy millisecond technologies that can defend against cyberattacks ahead of the hacker.