Cyber security is a nation-first, vendor-second issue. Recent events have frighteningly underscored the requirement to fundamentally rethink our approach to information security lest our economy, our very way of life suffer drastically.
Cyber incidents are a form of terrorism: They can strike an open, digital society in ways not yet imagined when the security systems built to protect us were designed. To maintain an open society, we must first recognize that all information security is now cyber security, and, secondly, much is going to have to change.
The Office of Personnel Management (OPM) breach was the digital equivalent of a major terrorist strike. While 2014 was the year of the hack — and pervaded much of the tech industry and business news cycle — the scale and scope of the OPM breach brought home for a large number of Americans that cyber defense could shortly become the fifth branch of our military.
Just as we re-examined and retooled the security of our transport systems post 9/11, we must take a parallel approach to data security. We must start with a blank page and build a cyber security posture that parallels the dynamic requirements of today’s environment, rather than focusing on protecting the technology of a generation ago. It is sadly ironic that the intrusion detection system that monitors the network traffic of government departments is called EINSTEIN. While the government program has not changed very much in a decade, the real Einstein gave his definition of insanity as “doing the same thing over and over, but expecting a different result.”
Going forward, we must focus on these six principles of the current cyber threat environment:
- All security is cyber security. CISOs now must evaluate the IT “risk pyramid” and potential kill chains to understand their cyber attack surface. The entire IT landscape is now under attack. It requires a new trust and security model that builds consideration of the new threat environment into the design and use of IT.
- Threats come mostly from the inside out, not the outside in. Eighty percent of cyber security breaches are aided and abetted by insiders or weaknesses in internal systems, yet the majority of an enterprise’s security spend is focused on protecting the perimeter. Relying solely on the perimeter infrastructure layer is an invitation to continued failure. This asymmetry of spending and focus on the perimeter of the data center vs. the interior must change.
- The speed at which security systems adapt is as important as how well they detect and prevent. Cyber security must focus as much on agility and adaptation as on detection and prevention. Not every attack can be prevented, but adaptive systems can more rapidly address breaches before critical data is exfiltrated. The faster an adaptive system detects and deals with a breach or piece of malware, the less damage will occur.
- Everything is untrusted. In today’s environment, the assumption should be no-to-yes vs. yes-to-no in developing trusted connections among users and systems. This is true in inter-server connections or using two-factor authentication in accessing SaaS applications. While this may cost some convenience — and perhaps some time — in business operations, the price of not doing this is too high.
- Security must be built into the fabric of computing. Today we have an application development process where someone creates an application, another party on-boards it to the infrastructure, and a third party determines how to secure it. This series of handoffs increases risk and creates bureaucracy in dealing with any changes or updates to applications. Security must be conceived and applied “upstream,” not as an afterthought.
- The public/private partnership must be rebuilt. In the post–NSA revelation era, the level of trust between Washington and business is inversely proportional to the need we have to cooperate and collaborate. Because of the thin line between national security and economic cyber issues, it is time for a renewed partnership between the private and public sectors.
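The "no-to-yes" principle above is what engineers call default deny. The following illustration, added here and not part of the original article, contrasts a deny-list policy (everything is trusted unless explicitly blocked) with an allow-list policy (nothing is trusted unless explicitly permitted, and human access to a SaaS application additionally requires a second factor). The service names, rules and requests are constructed sample data; the point is that a connection nobody anticipated, such as a compromised printer reaching the payroll database, sails through the deny list but is stopped by the allow list.

```python
"""Default-allow (yes-to-no) versus default-deny (no-to-yes) connection policy.

Added illustration, not code from the original article. All service names,
rules and requests below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str    # calling service or user
    dst: str    # called service
    port: int
    mfa: bool   # caller presented a second factor (relevant for SaaS access)


# Deny-list policy: every connection passes unless it is explicitly blocked.
DENY_RULES = {
    ("untrusted-vendor", "payroll-db", 5432),
}

# Allow-list policy: no connection passes unless it is explicitly permitted.
ALLOW_RULES = {
    ("web-frontend", "api-gateway", 443),
    ("api-gateway", "payroll-db", 5432),
    ("alice", "saas-hr-portal", 443),
}

# Destinations where an allow rule alone is not enough: a second factor is required.
MFA_REQUIRED_DST = {"saas-hr-portal"}


def yes_to_no(req: Request) -> bool:
    """Perimeter-style thinking: trusted by default, blocked only on a match."""
    return (req.src, req.dst, req.port) not in DENY_RULES


def no_to_yes(req: Request) -> bool:
    """Default deny: untrusted until an explicit allow rule (and MFA where required) matches."""
    if req.dst in MFA_REQUIRED_DST and not req.mfa:
        return False
    return (req.src, req.dst, req.port) in ALLOW_RULES


def evaluate(requests):
    """Return (src, dst, deny-list decision, allow-list decision) for each request."""
    return [(r.src, r.dst, yes_to_no(r), no_to_yes(r)) for r in requests]


# Constructed sample traffic, including a connection the deny list never anticipated.
SAMPLE = [
    Request("web-frontend", "api-gateway", 443, False),
    Request("untrusted-vendor", "payroll-db", 5432, False),
    Request("compromised-printer", "payroll-db", 5432, False),
    Request("alice", "saas-hr-portal", 443, False),
    Request("alice", "saas-hr-portal", 443, True),
]

if __name__ == "__main__":
    for src, dst, permissive, strict in evaluate(SAMPLE):
        print(f"{src:>20} -> {dst:<15} deny-list: {permissive!s:<5} allow-list: {strict}")
```

Run it and compare the two columns: the deny list blocks only the one vendor it was told about, while the allow list blocks the printer and the password-only portal login as well, at the cost of having to register every legitimate flow up front, which is the convenience the article says is worth giving up.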
These six areas in which security must change in the cyber terrorism era are just the starting point. There is absolutely no doubt: All information security must change.