The Identity Crisis in Cybersecurity

Cybersecurity as an industry still in it's infancy, the term is used so liberally that it has become analogous with the term hacking, yet it means so much more. In its current state, cybersecurity is an industry that faces an identity crisis, the landscape evolves at such a rate that the good guys are having a difficult time keeping up, there's also a massive shortage in professionals, a misalignment of security between industry and governments, and the approach to tackle the issues are reactive rather than proactive.

Given the dynamics of the system and the players involved, it boils down to this:

It will always be easier to break than to develop and maintain. The versatility of the beast (innovation) is a curse on itself.

The is no such thing as a 100% secure system. Any new feature will always have vulnerabilities and unintended consequences. It's a balance but heavily favored to the wrong side.

Cause and Effect

Microsoft Windows is a perfect example of this dynamic. The core technology is great, yet there are so many libraries and applications built on the platform it turned into one of the most vulnerable operating systems to date. New applications or features developed will inevitably expand the canvas of attack.

The bad users will always try to manipulate and game the system to act outside of the software's original intention. It's a conflicting issue because technology cannot fix all problems, even if the system was 99% secure, humans are often miscalculated into the equation.

A recent breach on Capital One is a direct result of the human factor within a secure system. Known as one of the biggest financial breaches in history, about 106 million credit cards, 140,000 Social Security numbers, and 80,000 bank account numbers were exposed. This was at the hand of a malicious employee that worked at the Amazon Web Service division. In a system that is usually secure by design, it was vulnerable not because of the abstractions, but due to the users involved.

The Boogeyman

A 0-Day is a vulnerability that has not been disclosed to a vendor and is used as a one-time ticket to exploitation. These are far and few between but those that do find them can sell it on a gray market for thousands or honorably disclose it to vendors.

The Security Researchers that do find a 0-Day are those that know the system so intimately, they are able to find something that no one else has found before.

The NSA developed an exploit in Windows called EternalBlue, the tools were exposed by hacker group Shadow Brokers years later in 2017 and was used in the WannaCry Ransomware Attack. One of the biggest ransomware attacks in history and among the first. All from one 0-Day. Since then there has been a diaspora of ransomware attacks. A full interactive map of all reported ransomware attacks in the US from the last 5 years can be found here.

The Curse of Specialization

This year I had the pleasure to attend two of the biggest hacker conferences that US had to offer. Black Hat USA and DEFCON. It was amazing to meet such great minds and borderline savants on one campus. One thing I cam to realize was that there were many who specialize in one thing and only one thing.

The many struggles of cybersecurity is due to the fact that these people are intimate with one cognate of technology, they can either choose to make it better or worse. They can know everything about drones and hardware yet know nothing about Windows or Macintosh architecture.

The problem this poses is the nature of specialization will favor the individual more so than industry. Often times, these people are contracted by agencies, but will not hold a full-time position as a security specialist. Another issue is that Cybersecurity education is also not mandated by the government to be taught in schools. This is why there is such a massive shortage of professionals.

In parallel, cybersecurity firms are leaning towards using software to fix all of our problems. The truth can be seen when going to the vendor hall at Black Hat. While a software approach is important to have, there are many other factors that come into play when an attack can occur outside of the user space. Software will only secure the baseline. The attacks that deviate outside of the baseline are often the ones that cause the most damage.

The Magical Silver Bullet

A silver bullet solution, commonly advertised by firms plagues booths at Black Hat year after year. A one-stop shop solution for all your cybersecurity needs and at a six-figure price tag. Although these tools can bolster security, small and medium-sized businesses would not be able to afford them. As long as humans are in the equation, these products will never solve all your security woes and will tend to favor those that can put up the capital.

The real problem is that firms are spending resources and time tackling only the technical aspects of cybersecurity, rather than tackling dynamics of the non-technical i.e. the human factor, security education, supply chain, emergency plans, specifications for emerging technologies and so on. A frightening future is upon us if these are continued to be neglected.

The Future

We live in one of the most exciting times for technology and innovation. Artificial Intelligence will seep into our lives like never before, and devices that were commonly offline will breathe life of the internet. Yet as these technologies are created, there's a curse, a curse of imperfection that will plague them for the rest of their online lives. All whilst the industry struggles with hiring, firms are led by a software-first strategy, and the battle we're fighting was never intended to be won.

How are we to believe that the computers on the road, the computers in our homes, and the computers in our minds will ever be secure? It's time to rethink what security truly means for the next decade and the years to come.