Being Secure vs Practicing Security,

Risk mitigation is a universal concept that transcends industries, societies applying equally even to life itself. From an evolutionary standpoint, managing risks has been essential for survival, and this principle remains true today across various aspects of life, including those parts that are infused by technology.

This article is the first in a mini series of two articles that explore the need for a fundamental shift in the cybersecurity industry's approach to combating cyber crime. The discussion highlights the limitations of relying solely on advanced tools and tactics, emphasizing that such an approach can only lead to an escalating arms race between defenders and attackers, with no possible resolution. Instead, the focus should be on changing the underlying landscape and mentality, addressing the root causes of cyber crime by focusing on neutralizing cyber criminals, fostering collaboration, and designing user-centric solutions. This strategy could enable an industry-wide transformation that shifts the power and financial advantage from cybercriminals to businesses, paving the way for a more secure and resilient digital environment.

To better understand risk mitigation, let's explore five key strategies and illustrate each with an example:

1. Eliminate vulnerabilities: The first approach is to remove or reduce any weaknesses that may make a system or individual susceptible to attacks. By addressing these vulnerabilities, one can decrease the likelihood of being exploited. For example, in cybersecurity, regular software updates and patching can fix security flaws, reducing the chances of hackers exploiting them.
2. Eliminate attackers: The second strategy aims to neutralize potential threats or adversaries. By removing or discouraging attackers, the risks associated with them can be effectively mitigated. In the context of public health, this could involve eradicating disease-causing pathogens, such as through vaccination campaigns that decrease the prevalence of a virus, ultimately reducing the risk of infection.
3. Prevent attackers from reaching vulnerabilities via access control: This strategy focuses on creating barriers that make it difficult for attackers to access vulnerabilities. By implementing robust access control measures, it is possible to prevent unauthorized individuals or entities from exploiting weaknesses. For example, in a physical security context, this might involve installing access control systems, such as keycard entry or biometric scanners, to limit entry to sensitive areas of a facility.
4. Stop attacks when criminals try to exploit vulnerabilities: If an attacker manages to bypass the preventive measures, this strategy involves detecting and stopping the attack in progress. By employing real-time monitoring and detection systems, it is possible to thwart ongoing attacks and minimize the damage. In a financial context, banks often use fraud detection algorithms to identify and stop unauthorized transactions, protecting customers and their assets.
5. Perform damage control and recovery: When all else fails, the focus shifts to minimizing the consequences of an attack and recovering as quickly and efficiently as possible. Implementing a robust incident response plan is crucial in this regard. For instance, in the event of a natural disaster, communities can have emergency response plans in place that outline evacuation procedures, temporary shelters, and rebuilding strategies.

Risk management is a fundamental concept that applies across various aspects of life, industries, and societies. Along the five strategies outlined above, individuals and organizations must manage and minimize risks, ensuring resilience and adaptability in the face of adversity. There is no other way to survive. It is important to recognize however, that not all of these strategies are built alike and some are more effective than others in providing a state of security.

Strategy one, two, and three are preventative measures that aim to minimize risk exposure before an attack or adverse event occurs. These strategies focus on creating a robust defense infrastructure to deter potential threats or diminish their impact. Implementing preventative measures is akin to making a capital investment, where the initial costs can yield long-term benefits, providing protection and security for multiple instances in the future:

1. Eliminate vulnerabilities: By addressing weaknesses in a system, the likelihood of future exploitation is reduced, providing ongoing protection.
2. Eliminate attackers: Neutralizing potential threats decreases the overall risk, creating a safer environment with fewer adversaries to worry about.
3. Access control: Creating barriers to vulnerabilities offers continuous protection, as unauthorized access is consistently denied.

Focusing on the above three strategies will result in a state of security - meaning that there isn't any regular chore that needs to be performed to maintain security, security just is. This is what we generally believe to be secure means.

In contrast, strategies four and five are operationally intensive, as they involve dealing with an attack or adverse event in progress or recovering from its aftermath. These strategies can be resource-intensive, time-consuming, and costly, as every investment in operational measures has a limited scope of benefit, typically focused on addressing a single event or issue:

4. Stop attacks when criminals try to exploit vulnerabilities: This approach requires constant monitoring and detection systems, which can be expensive to maintain and operate. Each successful intervention may only prevent one instance of exploitation, but the resources dedicated to this task must be maintained continuously.
5. Perform damage control and recovery: The least efficient of all strategies, damage control requires significant investment in resources, planning, and infrastructure to minimize the consequences of an attack or adverse event. In this scenario, the investment is primarily aimed at containing the damage and recovering from the impact, with no direct advantage gained from these efforts, as the resources allocated cannot be used for growth or improvement.

While we consider these two strategies as part of security, they are not in fact able to create a state of security. These strategies only marginally and temporarily maintain security through continuous effort. This is what I call "practicing security", which should definitely not be confused with being in a state of security precisely due to the transient nature of the activity. Failure to allocate the effort or failure of the task itself, will result in immediate demise, so this is in fact from an existential perspective, a state of danger.

Balancing these strategies is essential for effective risk mitigation and resource allocation. In spite of that, in today's cybersecurity landscape, the primary focus is only on four out of the five risk mitigation strategies: elimination of vulnerabilities, access control, defending against attacks, and damage control. The industry generally avoids focusing on the elimination of attackers as a core strategy, largely due to the inherent challenges posed by the design and nature of the internet.

The internet was designed to facilitate communication and information sharing, without any central authority or control. This decentralized structure is a double-edged sword; while it promotes freedom of information, it also makes it difficult to effectively prevent abuse. Cyber criminals can operate from anywhere in the world, often using anonymizing tools and techniques to conceal their identity and location. This makes tracking and neutralizing these individuals or groups a challenging task.

Moreover, the global nature of the internet allows attackers to operate across international borders, further complicating efforts to eliminate them. Jurisdictional issues and differing legal frameworks can hinder cooperation between law enforcement agencies and impede efforts to apprehend cybercriminals.

As a consequence of these challenges, there isn't a specific industry focused solely on the elimination of cyber attackers. Instead, the cybersecurity industry concentrates on developing various techniques along the other four strategies, which are viewed as being more practical and effective in mitigating risks, with more immediate benefits and results to show:

1. Eliminate vulnerabilities: Regular software updates, patching, and secure coding practices help minimize security flaws that attackers could exploit.
2. Access control: Robust authentication and authorization mechanisms limit unauthorized access to systems and sensitive information.
3. Defending against attacks: Advanced monitoring, threat detection, and response systems are highly gratifying because they have the ability to show effectiveness and thus, are viewed as being indispensable.
4. Damage control: Incident response plans, recovery strategies (backups) and cyber-insurance help organizations minimize the impact of a breach and restore operations quickly.

While the elimination of attackers is not a primary focus in the cybersecurity industry, collaboration between private organizations, law enforcement agencies, and governments remains crucial in addressing this challenge. This cooperation does lead to the identification and apprehension of cybercriminals, ultimately contributing to a safer and more secure digital environment, but it is very, very slow and resource intensive, and has a highly accentuated delayed gratification nature. By comparison, logs that show up in intrusion detection systems continuously re-iterate the effectiveness, even though that effectiveness may only be apparent. Equally, when we measure everything in money, it is direct and simple to understand how insurance compensates for lost money, but this does not take into consideration either that not everything can be translated to money, or the long term consequences for letting crime play out. This chase for more immediate rewards skewed the industry away from trying to find mechanisms to stop criminals also, not just crime.

This tendency is clearly visible if we look at the growth pattern of the industries that are aligned with each strategy. Although there is a significant amount of money invested in preventative technologies, businesses are choosing more and more to invest in operational and damage control tools and services. This is a very slippery slope, because the operational strategies are not capitalizing which means that expenses grow, while the security posture does not improve, it's only maintained. With time, aging technologies and strategies create a natural degradation of the state of security, and the negative feedback loop closes in.

This lack of focus on eliminating attackers in the cybersecurity landscape does indeed have a serious downside. By not actively pursuing and neutralizing cyber criminals, the environment inadvertently allows them to adapt, learn, and refine their tactics over time. This can result in an escalating arms race between attackers and defenders, with both sides constantly evolving to outmaneuver each other. As businesses invest in better defenses, criminals learn from their unsuccessful attempts and improve their techniques to bypass these new security measures. This continuous cycle effectively trains cyber criminals, providing them with invaluable experience and knowledge. Each failed attack serves as a lesson, enabling attackers to refine their strategies and develop more sophisticated tools and methods.

A real-world example of this phenomenon is the evolution of ransomware attacks. Initially, ransomware was relatively simple, often involving basic encryption techniques and targeting individual users. As organizations improved their security measures, cyber criminals adapted and began launching more advanced and targeted attacks against businesses and government agencies. The continuous refinement of ransomware tactics, such as double extortion, where attackers both encrypt data and threaten to leak sensitive information, exemplifies the adaptability of cyber criminals in response to evolving defenses.

The consequence of this dynamic is that, eventually, criminals may succeed in breaching even the most secure systems. Driven by this line of thought, organizations must accept that no security system is foolproof, and that the only possible solution is to prepare for the possibility of a successful attack, as famously stated by the former Director of the FBI, Robert S. Mueller, III: "There are only two types of companies - those that have been hacked and those that will be hacked".

Ultimately, the failure to address cyber criminals directly contributes to decreased effectiveness in the cybersecurity industry, pushing it into a more operational mode. As organizations focus on defending against attacks and damage control, they may neglect the root cause of the problem - the attackers themselves. This operational shift comes with several consequences:

1. Costly damage control: An increased reliance on damage control strategies can be expensive for organizations, as they must invest heavily in incident response plans, recovery measures, and crisis management. These costs can strain budgets and divert resources from more proactive, preventative measures.
2. Expensive cyber insurance: As the number of successful cyber attacks continues to rise, insurers face increasing payouts to cover the damages. This drives up the cost of cyber insurance, making it more expensive for businesses to obtain coverage. High premiums may discourage some organizations from seeking coverage, leaving them vulnerable to the financial impacts of an attack.
3. Cascading consequences: The shift towards damage control can lead to a domino effect across industries. As cyber attacks become more frequent and severe, the costs associated with recovery and rebuilding can ripple through the economy, impacting supply chains, consumer trust, and the overall business climate.
4. Regulatory aspects: The growing prevalence of cyber attacks and the increased reliance on damage control measures can prompt governments to introduce stricter regulations for cybersecurity. These regulations may mandate higher security standards, breach reporting, and incident response requirements. While these regulatory measures can improve overall security, they may also impose additional costs and administrative burdens on businesses.

***

The current state of the Internet industry is understandably undesirable due to the challenges it faces. In a follow-up article, I will discuss our belief in shifting to a mentality that emphasizes prevention through re-focusing attention towards cyber criminals. By adopting an authenticate-to-connect approach and promoting a secure and collaborative digital ecosystem, the industry can unlock new growth opportunities and avenues. This transformative approach holds the potential to redefine the cybersecurity landscape, leading to a more secure and resilient digital environment for businesses, users, and the wider online community.