We are at an interesting crossroads in cybersecurity -- somewhere between cyberwar and cybersecurity. There were more attacks than ever in 2014, including the largest state attacks, and in 2015, there are predictions of even more attacks.
All this comes at a time when the largest use of the Internet -- that will dwarf all current Internet use -- will be massively increased by the Internet of Things (IoT) and cloud computing. Both are projecting massive growth in the upcoming year with both having known cyberattack vulnerabilities.
Preparation for inevitable cyberattacks is imminent, and these new technologies will offer increased attack vectors. These attacks occur in microseconds, and only technology that works faster than this can fix it. So what are we doing wrong? And what exactly should we do?
This is where DPM 5GL -- Digital Process Management 5th Generation Programming Language -- comes into play. But what is DPM 5GL? To explain, I must start with some basics.
Remember the days when you simply didn't open an unrecognizable executable file as a means of protecting yourself against cyberattacks? Well those day are long over. We live in a time when software has been released with admitted back doors, microchips can have hidden malicious functionality, smartphone apps can actually be used as cyber exploit tools, cloud computing breaches are increasing, and the IoT is web of devices being connected to the network without even being seen by the provider. And as we are increasing the potential of breach with new technologies that have even worse vulnerabilities, we have yet to address known cybersecurity vulnerabilities. There will soon be a tipping point of cyber breaches, and all projections point to this year.
But there is a fundamental flaw in all current cybersecurity technologies. They work after the attack has occurred -- but wouldn't it be better to avoid a hack altogether vs receiving notification that your database has been hacked? Would you prefer discovering that your software or chip set is doing something wrong, or would you like real-time validation that it's performing as expected?
At best, current cybersecurity technologies aggregate data that can be historically analyzed in the hopes the problem might be found. This means we are doing little to proactively stop cyberattacks in real time -- and it's why everyone agrees that the cyberattackers will continue to have the advantage. Historical-based cyberattack information technologies are no longer an acceptable option in addressing attacks, as machine actions can occur in microseconds. Cybersecurity must act within microseconds to be effective in securing our information processes. We can no longer use the same current cybersecurity technologies that are, at best, a deterrent, and expect different results. At this point, we are losing ground to cyberattacks.
One of the recommendations given by cybersecurity analysts is to assume you've already been attacked. This is one of the concerns I have in current Intrusion Prevention Systems (IPS) cybersecurity technologies and Intrusion Detection System (IDS) cybersecurity technologies.
This assumption validates that current IPS encryption technologies are, at best, a first-level defense in cyberattacks -- and IDS technologies didn't even see the attack come in. With these two valid assumptions (and cybersecurity vendors now admitting to these inefficiencies), we must conclude that our defensive cybersecurity technologies are not enough to stop attacks. If you can’t stop attacks, then what?
There have even been discussions on the use of counter attacks as a offensive retaliation -- a disturbing trend being seen in nation state attacks that we should be very careful about. Cyberattack expertise can be bought on the open market with both white hats and black hats offering services. Nation states are actually hiring independents who have little loyalty to the nation or cause, and more interested in the money. Even ex-NSA and Israeli Unit 8200 are leaving their public-sector organizations and going to the private sector for the money.
The fact of the matter is that there are thousands of these people who have the skills to hack their desired targets. They are just doing what they need to do today and not necessarily concerned about the long term outcome of cyberattacks. Whether they are patching known vulnerabilities that were put in by nation state spy organization or a hackers just doing it for fame and fortune, this back and forth hack and patch cyberwar could be devastating. The problem is who wins or gains when this is done. The short answer today is the aggressor wins in the short-term until eventually stopped with some short-term patch. Then a new exploit is found and we start all over again. The problems are these: Who is the aggressor? Who wins? And how much does all this cost? This has led to a whole new field of cyber risk management that unfortunately is more of a guess than a science.
The short answer as to whether we can insure cybersecurity is no.
The problem with cybersecurity insurance is in these two questions: How much did they take? And how deep was the breach?
Why? Because how can an insurance company calculate a premium or settlement in a cyberattack without complete information? Frankly, the cybersecurity industry doesn't have enough analysts now, so where is the insurance industry going to find the expertise to even evaluate the attack? We don't have enough trained cybersecurity analysts today to even support our current information processes. Even if you are to get a cyber insurance policy, you must prove how well you are currently protected. If current cybersecurity technologies are simply deterrents to cyberattacks, then who would want to insure you in the first place?
As you can see, even a monetary defense posture of cybersecurity insurance is unreasonable. Rather than getting caught up in cyber war offense and defense and patch technologies, we should be looking to cyber intelligent technologies that can authenticate, view, audit, analyze and block these attacks in real time. Who cares about who did it -- when you get robbed, do you want your money back or to know who the robber was? Wouldn't it be better to just not be robbed in the first place? Cyberattacks use offensive technology, and we need to defend these attacks with better proactive defensive technologies. This can be done, but to achieve it, we must be better and faster than the attackers.
We currently use software that runs mainly on 3rd Generation Programming Language (3GL) and 4th Generation Programming Language (4GL) technology. To explain what 5th Generation Programming Language is, it's is best to compare it to previous 4th generation programming language.
While fourth-generation programming languages are designed to build specific programs, fifth-generation languages are designed to make the computer solve a given problem -- without the programmer. This way, the programmer only needs to worry about what problems must be solved and what conditions need to be met, without worrying about how to implement a routine or algorithm to solve them.
5GL is a programming language based on solving problems using constraints given to the program, rather than using an algorithm written by a programmer. Most constraint-based and logic programming languages, as well as some declarative languages, are fifth-generation languages.
By adding Digital Process Management to 5GL, you now have a comprehensive real-time intelligent viewing capability during data in motion, which can catch cyberattacks before they occur.
It is important to note that 5GL does not use algorithms. This is a significant departure from current security and analytic technologies that are heavy dependent on algorithms, which, in many cases, are targets for cyberattackers.
A recent whitepaper (PDF) written by M. E. Kabay, professor of Computer Information Systems at the School of Business & Management at Norwich University, clearly identifies the immediate need for DPM 5GL technology. In the white paper, Kabay states: "Have you ever wondered why computer and network security are so difficult? One of the problems is that it’s really difficult to make sure that all the proper procedures used by machines and by people are in fact in use to protect their information."
Process events are usually locally activated, with the process knowledge being driven by the local operator and the procedures defined both locally and company-wide by thorough standards and proprietary process flows. These human and digital process flows are the heart of every organization that not only determine security breach anomalies, but also the competitive process efficiency and ROI of each organization.
Current 3GL and 4GL programming languages were mainly focused on interconnecting and automating systems rather than intelligently monitoring their operations in real time during data in motion.
Adding to this system complexity is an increasing amount of software and device applications now being connected to the enterprise, cloud or Internet that can affect or even exploit the control system processes. If we are to continually interconnect digital devices and software to our system processes, we must start to manage this digital information. Kabay continues by saying that if a user can develop an unambiguous, complete flow chart of a process, "that chart can be converted into a working program (instructions, or code, for the computers to execute) to identify deviations from the expected operations or data. Computing professionals call the process of turning a design into a working program instantiation.”
By combining DPM and 5GL, they are able authenticate, view, audit and block system events in real time during data in motion across multiple software, hardware and network platforms. Kabay gives specific examples of how 5GL DPM could be used by more than 25 industries verticals.
Another important part of 5GL is that it simplifies current software events while monitoring these process events in microseconds. Today's software is so complex that the complexity itself is where hackers find weaknesses. This is why current patch and pray technologies are having difficulty in just keeping up with attacks. We must be ahead of the attack actions in real time while improving the ability to observe both the correct events and attack anomalies even if using multiple networks and layers of software. 5GL has the unique ability of intelligently recognizing these multiple process events in milliseconds.
Today's information technologies were really built to automate processes and not necessarily to view or secure the events within the processes. All current IPS and IDS cyber security technologies are not really good at security these events because they frankly don't even see them or know they are an accepted part of the process. There is nothing more important than events in information processing because they represent the exchange of information between systems applications, and the individual and machine actions that initiate them. All systems and applications, enterprise, network, cloud, IoT -- it doesn't matter. If you really watch what hackers do, you can see that they manipulate digital events or software to get their desired results.
The knowledge of this process workflow is local. Your house, the area you live in, your work processes, even your global interaction. If we are to secure these processes, we must define and validate the event flow in real time during data in motion. From giving a key to the office to having access to complex control system processes, event processes are driven locally and are the first step to achieving true cybersecurity. DPM is used to pre-define the sequence of these multiple events in the accepted processes. By adding the intelligence of 5GL to the pre-determined digital management process, we can effectively be ahead of cyberattacks in microseconds rather be in the reactionary cybersecurity mode we are in today.
Mr. Karisny will be speaking on line in the 4th Annual Smart Grid Cyber Security Virtual Summit on Thursday, Jan. 22, 2015. His session, Securing the Smart of the Smart Grid with 5GL, will cover the technologies discussed in this article in more detail with live Q&A available after the session.
Editor's note: On Feb. 4 at 7:40 a.m., this story was edited to remove the reference to M.E. Kabay as being the "father of cybersecurity."