I
WannaCry made a lot of headlines, as did the whole “cyber weapons stolen from an intelligence agency by an intelligence agency and publicly disclosed” saga. WannaCry potentially made as many headlines as infections, and was an eventual failure for reasons that are beyond the scope of this article, but the failure also made a lot of headlines. Before WannaCry there was Shamoon 2.0, which used stolen admin credentials over VPN and, with little in terms of technical vulnerability and very little in terms of complexity required, took out badly managed enterprise networks in one swoop. It made headlines, naturally. Around the same mess as WannaCry, Microsoft began patching legacy operating systems and warning about nation state attacks. Headlines. Another intelligence agency has been having its laundry aired in another information warfare campaign, probably with similar techniques and phased releases as the guys behind the exploits behind WannaCry. More headlines. Recent releases have brought to the world's attention the fact, and the tooling, behind badly protected home routers being systematically subverted by said intelligence agency, and they gave it a funky codename too. Even more headlines. Anxiety, trepidation, fear, uncertainty, doubt. To the uninformed, cyber is ever changing, unpredictable, mysterious, unfathomable. The psychological narrative of uncharted waters is dangerous because it often distracts from proactively improving your security posture. A shortening global attention span, so easily distracted by the latest development, is turned away from the true issue. A better headline, and one more apropos to the real problem, could have been
“Thousands of Enterprise Networks Laughably Insecure” or perhaps
“Global Information Infrastructure Mismanaged and Under-protected.” In comic sans.
II
Threat intelligence is a very useful tool when put in context, but that's not how the zeitgeist is taking it; it has escaped the bounds of context and is being treated by many as an alternate take, cyber qua cyber sans all the IT stuff, a sort of computer NORAD with screens showing global attack maps full of sound and fury, signifying nothing. But it looks good. It makes good press. It's exec and public opinion friendly. It's attractive, calming, a metaphor to say we're protected and we're safe because we are blocking the attackers and everything is OK. Threat intelligence can only inform reactive efforts by definition, and reactive treatment of emergent cyber threats poses a critical question: why should we wait to plug the holes we already know of? As a naive example: WannaCry spread using services that had no business being exposed to the internet, with activated protocols that no one needs, and a patch had been out for 60 days before the worm struck. The malware was remarkable in that the threat actor in question failed more than the totality of the technology community, but not by much.
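The three preventable conditions that paragraph lists (a legacy protocol nobody needs left switched on, a file-sharing service reachable from the internet, a patch sitting unapplied) can each be checked on a Windows host before any threat feed says anything. The following is an added audit script, not code from the original article; it assumes the protocol in question is SMBv1, which the text does not name but which is what WannaCry's spreading relied on, that the host runs Windows 8/Server 2012 or later (where the SmbShare and NetSecurity cmdlets exist), and that it is run from an elevated session. The `-Remediate` switch is a hypothetical parameter of this script, and the MS17-010 hotfix identifier is left as a placeholder because the KB number differs per OS build.

```powershell
# Added audit example (not from the original article). Reports, on the local
# Windows host, the three conditions described above: SMBv1 enabled,
# TCP/445 reachable on a public-profile interface, and the MS17-010 fix absent.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
# Only reports unless -Remediate (a hypothetical switch of this script) is given.

param(
    [switch]$Remediate   # when set, turn the SMBv1 server protocol off after reporting
)

$findings = @()

# 1. Legacy protocol still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED"
}

# 2. File-sharing service effectively exposed?
#    Listening on TCP/445 plus an enabled inbound allow rule scoped to the
#    Public (or Any) firewall profile means untrusted networks can reach it.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$publicAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 445 }
if ($listening -and $publicAllow) {
    $findings += "TCP/445 is listening and allowed inbound on the Public profile"
}

# 3. Patch applied? Replace the placeholder with the MS17-010 KB for this build.
$ms17010Kb = 'KB<PLACEHOLDER>'
if (-not (Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue)) {
    $findings += "Hotfix $ms17010Kb not found (verify against the bulletin for this build)"
}

if ($findings.Count -eq 0) {
    Write-Output "No findings."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Optional remediation: disabling SMBv1 on the server side is the one-line fix
# for the legacy-protocol finding; -Force suppresses the confirmation prompt.
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMBv1 server protocol disabled."
}
```

Run it once without the switch to get the report, and fold the same three checks into whatever configuration-management or fleet-inventory tooling is already in place; the point of the article is that these are steady-state hygiene checks, not incident-time ones.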
In organizations around the world we have gaping holes in our defenses that the people in charge know about but do not prioritize, because they are not incentivized to care enough. This is what people really mean when they tell security to maintain a balance, and that's OK. Organizations must serve their strategic interests and have their priorities, which filter down from the board room, and they certainly do rightly frame the conversation in terms of risks and service management and all that happy stuff, except there are a few problems with that view.
III
Concrete reality is impossible to grasp, and so we abstract it; we tell stories about it. Both the narrative of the media and that of the established technology security paradigms are damaging. Media, in the pursuit of clicks, tells the story of cyber event after cyber event in such a way that the audience is left with only confusion and fear. That's fine by them; those sell. This also sells psychologically to technology and security practitioners, who feel that in this world of shadows and bogeymen they can be partially relieved of responsibility. I assert a contrary idea: if there's something you can fix, go fix it; the crucial factors are internal, not external, and much more in our control than you'd be led to understand from the media or from the uninformed. The news cycle however still demands to be fed, attention spans remain short, and delocalized concern around cyber permeates C-suites and D-suites. Executive management in organizations around the world is coming to grips with the idea that cyber security may be an existential threat to some organizations, but does not understand how, and is impelled to treat cyber as an externality. They do that because of the media, public opinion, political rhetoric, and the cloak-and-dagger nature of the threat. It's not something that can be considered comfortably by any means. The convenient oversimplification allows everyone to treat the issue of cyber security at arm's length. We only realize a paradigm has changed when the change is full and complete, when the new paradigm is already in full force and the old one is completely irrelevant. I contend we are now in a paradigm of full-on international cyber emergency that we are not ready to come to grips with. If the frameworks and the risk tradeoffs work so well, then why do we have a problem with their outcomes? The way we do it must change, because where we persist, what right do we have to expect different outcomes?
IV
Do we have, today, a full-blown cyber security crisis globally? Individual headlines and news stories and panics fade away, but since trends matter more than events, are we becoming more or less secure as individuals, organizations, and a global community? Where are we today, and where are we going? Again, a naive riff on current events:
- Weapons-grade tools, techniques, and procedures that were restricted to nation state threat actors are widely available
- An information war is active in the background of all this
- Nation state threat actors are entrenched in each other’s critical infrastructure and critical information infrastructure, including private enterprise, which includes everyone providing a critical service, which probably includes your organization
- Organized crime is anything but lazy. Nation state TTPs go into their arsenals and get used to devastating effect. The annual cost of cyber crime is assumed to be anywhere from 1 to 3 trillion dollars a year today.
- Almost everyone has been hacked. It may have been small, minimal, incidental, or it may have been the data of 3 billion people, or the crown jewels of the OPM, or an errant piece of spyware on an executive’s machine, but no one today is immune.
- It’s only getting worse. The only good thing about every year in cyber events is that the next one made it look peaceful in comparison.
- More and more leaks and revelations of all kinds that were once inconceivable have become commonplace, feeding the capabilities of attackers and not those of defenders.
Let's leave the list there. There are other factors, but these are enough. Long term, one should not be happy to dodge tiger after tiger, because they're coming in meaner, faster, and in greater numbers.
V
My biggest issue with reactive approaches is that attempting to block or prevent the new thing does not add reasonable residual value to the security efforts of an organization beyond dodging the immediate threat. Of course it's needed when you're in trouble, and of course it gives impetus to deferred proactive actions at times, but the danger is in believing that cyber security is subject to external factors alone, which, even when insidious and unspoken, biases effective decision making. The real enemy is the narrative we tell ourselves, the false sense of security, the cop-out. When we think we've done enough, we've begun to fail. This doesn't mean an infinity of investments and manpower and complexity, but a sort of becoming-better-day-by-day kaizen approach. The mess of a disordered information system, locally or globally, did not happen in a day and it'll take more than a day to fix, but it's one day, one inch, one little victory at a time. Proactive approaches only add residual value, and go completely unrecognized in moments of non-panic, but they are there when you need them. The next guy got got because he was unprepared, not because he didn't react fast enough. How fast is fast enough? The speed of light is how fast the threats come in and propagate. Your answer to your executive asking what you’re doing about X should be that you’re doing what you’ve always done: running a secure system. Then maybe give him a nice diagram of the CSC top 20 and say refer to this when in doubt. My personal view is that we are vulnerable, globally, because we all, individual targets each one of us, do not implement our technology mindfully. We said "oh cool, this will be easy" and thought someone else should consider the potential implications. We’ve been sloppy: software vendors, end users, 'the business', and world and organizational leadership. It's a hard problem to solve, and hard problems tend to be deferred for years and catch up with us. The media narrative is fueled by sensationalism and attention, the individual narratives are fueled by individual incentives, and the percentage of people who agree we’re in a cyber crisis will be greater, not smaller, a year from now. The percentage of people who could reasonably explain or even understand a cyber attack will remain far too low. We are sitting pretty, waiting, expecting guidance which no government or standards body can provide; it's not they who understand your information system or how it works, and they can’t help you because they can’t do more than tell you to implement accepted best practices. Not individuals but economics will fix this mess. No theory or breakthrough will be the cause, although they will come; we will improve because we must, because in economics everything that needs to happen will happen. The way we do technology has to change fundamentally before we can stem the tide.
Reality will eventually become so prejudicial to the functioning of organizations that norms will emerge, not from standards bodies but from the victims, who will choose to protect themselves with prejudice. They will do so by focusing on their security viscerally, by realizing the existential nature of the threat and overhauling organizational factors to account for the new norms. They will do so by redefining their role and their responsibility for due care, and the way they engineer their information system.