The penetrate-and-patch cybersecurity market is a short-term solution and actually demonstrates how weak current security methodologies are.
Most of the recent attention on cybersecurity has been directed toward the disclosure of NSA activities and recent corporate breaches now reaching record-breaking levels. Both the public and private sectors are beginning to witness how devastating cyber breaches can be in critical infrastructure, intellectual property, wealth and even state secrets. These attacks are so big that monetary estimates range from $100 billion to $3 trillion, and the extent of some attacks are still unknown. What is known is that the whole world has had enough, and cybersecurity needs to start living up to its name: security.
How Bad is It?
The infograph World's Biggest Data Breaches gives a sense of the extent of these breaches using information from DataBreaches.net and IdTheftCentre. It summarizes breaches that exceed 50,000 files by year, number and type. In a recent interview on the CBS program 60 Minutes, National Security Agency (NSA) director Gen. Keith Alexander admitted that “a foreign national could impact and destroy a major portion of our financial system” by placing a virus in our computer systems “and literally take down the U.S. economy.” The message is clear that things aren’t working properly, and those of us in the industry knew they weren’t working. With a new focus, it might be time to pursue solid security solutions.
While the press has been focused on the NSA collection of cell phone metadata from private U.S. citizens, the real problem is their collaboration with some of the largest cloud tech companies in the world. Forester Research reported that cloud businesses led by HP, Cisco Systems and Microsoft and managed service providers (MSPs) could lose an estimated $180 billion through 2016 in cloud products and services. These losses are directly attributed to disclosures of the NSA spying programs. The concerns were so great, top tech executives met President Barack Obama to discuss their concerns. Snoop agencies are only part of the problem, though, with reports on millions of files hacked from both the public and private sectors annually. Mistakes made by people and systems are the main causes of data breaches. Whether intentional or not, the results are the same, and the cybersecurity industry and the companies it affects seem to need a fresh look -- or maybe even a cybersecurity overhaul.
One of the greatest concerns is that the very industries that are already witnessing security issues are producing and releasing products and services without considering security solutions. The cloud-computing industry is vulnerable to cyber attacks, and worldwide is expected to see double-digit growth rates during the next three years, with revenues reaching $148 billion in 2014 and $207 billion by 2016, according to the Information Technology and Innovation Foundation.
The Internet of Things (IoT) industry has forecast revenues of $8.9 trillion for 2020, and to date has no cybersecurity plan for the trillions of devices it plans to connect to the Internet. Clearly the cybersecurity and related organizations and industries needed a wake-up call, and maybe the recent NSA disclosures will actually help by putting responsible cyber solution in place.
What is Cybersecurity and is it Secure?
The definition of cybersecurity differs depending who in the industry you speak with. In general, some people think it's protecting networks and data, and others think it is having the ability to detect breaches. There are basically two ways cybersecurity is viewed today: You authenticate and encrypt end-to-end data network transport between users and information technologies (Intrusion Prevention Systems or IPS), or you detect what has come though the data stream and try to block or discard suspicious data (Intrusion Detection System or IDS).
Both of these methodologies have faults. Take IPS, for instance. Edward Snowden had top secret clearance and authenticated encrypted access, but left with thousands of files. Typical IPS security alone can’t stop inside authenticated breaches. IDS security technologies finding things like malware, viruses and trojans at the historical stored data output level often are too late in stopping a malicious attack.
Even combined, these technologies leave intentional and unintentional exploit capabilities, which hackers have demonstrated. All these technologies are missing the ability of authenticate, view and audit multiple process actions during real-time data in motion with human and machine action applications. These vulnerabilities leave gaping holes in current cybersecurity solutions and must be addressed quickly as we continue to connect more and more applications to an already insecure Internet cloud. Customers don’t want to spend billions of dollars for “almost security.” Tricky back doors and "almost security" are out; real proven solutions are in.
So Who do You Trust?
These NSA revelations were really not surprising to cybersecurity professionals. The NSA purchases many of these capabilities from the private sector. But today, exploit capabilities that were normally disclosed in confidence between computer scientists and vendors are now being marketed in the open by global brokers with little concern about state sovereignty or corporate entity. While people express concerns about NSA activities, at least these activities have some form of centralization and responsibility. Now we are faced with a form of global cyber ransom in an open market that is decentralized with varying amounts of responsibility.
This new global exploit threat means that security vendors will need to take security more seriously. In the past, the greatest threats to hardware and software vendors were hackers and security researchers who sought the positive exposure of being the ones to discover a new vulnerability. The actual exploit of published vulnerabilities was rare, and in most cases of responsible disclosure, the vendor was given time to release a patch before the vulnerability was published. Now the game has changed. The penetrate-and-patch cybersecurity market is a short-term solution and actually demonstrates how weak current security methodologies are. Security patching will not be sustainable or trusted by customers in this now open-market free-for-all. Cybersecurity users are now demanding a new methodology. Trust needs to be built, and the only way to validate these solutions whether offered by government or corporate entity is “show me.”
Moving Forward with Solutions
Old ways of cybersecurity are slowly eroding, and customers will no longer accept the “appearance” of security. Even standards groups such as NIST were not left unscathed from the NSA involvement while they are working with industry on new approaches through the National Cybersecurity Center of Excellence Even U.S. government contractors with top secret clearance who were poised to have a big part in offering cybersecurity services in areas such as critical infrastructure are now coming under scrutiny, as are big name companies like Apple, Facebook, Google, Yahoo, Cisco, IBM and Oracle.
A recent merger of Mandiant and FireEye is an example of what customers want in cybersecurity. Security experts expect strong growth in both FireEye's cloud-based systems for detecting malicious software and Mandiant's software that analyzes cyber attacks. This merger is a reflection that customers are now demanding higher levels of cybersecurity services and new technologies for stopping cyber attacks.
A white paper released by Decision Zone discusses one of these new security technologies and clearly demonstrates the need for a paradigm shift to truly prove to customers that cybersecurity can be achieved. Decision Zone’s anomaly detection technology was actually built on the premise of an easy and inexpensive way to view, authenticate, audit and block process action in real-time at the application level. There is also an added nuance of now assuring the hardware and software they are using is doing what it is supposed to do. Hardware and software cloud companies and service providers will need to embrace technologies such as this if they are to regain trust in the marketplace.
With revenues losses already being seen by major cloud hardware providers, the global message in cybersecurity is clear: The customer still rules. “Good enough” cybersecurity technologies will not be sufficient, only “show me” will suffice. Our world is becoming ever more connected with smart technologies offering cloud-connected apps and devices in the trillions, there has never been a better time to expose the weaknesses of cybersecurity and offer solutions to these vulnerabilities. The digital future of every town, city and country depends on it.
Larry Karisny is the director of ProjectSafety.org, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and critical infrastructure. He will speak at the Smart Grid Cyber Security Virtual Summit, on February 20, 2014.