Working with the largest organisations in government, finance and critical national infrastructure, we see good and bad every day. In a confusing hybrid war where APT groups launch attacks that could potentially turn out the lights, it is hard to remain impartial. The fact that a political act of devastation manifests as an innocuous-looking line of code viewed over a cup of tea does nothing to detract from its destructive and vicious intent.
For all these reasons, we have decided to explore some of the bigger themes in the space in which we operate.
As world-changing events are shaking the foundations of everything we know, it seemed appropriate to take stock and ask questions about the fundamental principles that cybersecurity was founded on—altruism, transparency and community—and how they are relevant today.
Altruism at the root of cybersecurity
To the outside viewer, today’s cybersecurity sector might not be defined by altruism. Looking from a distance, the casual observer would probably see a space which was equal parts risk, pace, commercial imperative and perhaps a touch of theatre. But the beginnings of cybersecurity were much more altruistic. These beginnings were characterized by curious individuals who were prescient in spotting the role technology would eventually play in society and who were asking ‘what if.’
What initially started as loose collections of academics and programmers with curious minds began to coalesce into collectives and think-tanks such as L0pht. Their famous testimony to Congress in 1998 outlining how they could ‘shut down the Internet in 30 minutes’ epitomised the questioning, sometimes challenging but always well-intended mindset of such groups. The Director of Information Protection at the National Security Council at the time summed their motivations up as, “Their objective is basically to help improve the state of the art in security and to be a gadfly.”
The cybersecurity community still wants to give back
Fast forward 20 years, and one of the reasons altruism may not be as obvious in cybersecurity is that it is competing with a variety of new forces. The sector is worth nearly $200bn. The threat landscape has swelled to monstrous proportions by comparison. And cybersecurity has become a reputational, legal, financial and even political problem. Compare this to the '90s, when it was an outsider consideration or perhaps even counterculture.
While commercial interests may have diluted some of the purism of the early days, markers of altruism are still abundant. Never have there been more working groups, industry associations, mentoring projects and other unselfish initiatives to choose from. From the dedicated OWASP chapter president to the BSides volunteer handing out badges, a desire to give back clearly still exists.
Motivated individuals who care about giving back to their work are one thing. However, the element that many find defines modern cybersecurity is the depth of community. The sector has a unique ability to bring globally disparate individuals together regardless of location to solve problems. Bonds are forged in the fires created by cybersecurity’s uniquely adversarial backdrop, and a shared state of threat creates a rally point from which communities grow. This is primarily expressed as the sharing of information, the development of tools and the creation of collectives around specific objectives—each of which contributes a huge amount of value to the defence of organisations of all sizes.
Optimise collaboration by developing standards
The maturation of collaboration is the development of standards. If the ultimate aim of all the sharing and alliances is to improve security for a broad range of stakeholders, the objectives are clearly similar. Both community collaboration and standards are vessels for capturing expertise.
Of course, the crucial difference with standards is that they typically have some kind of teeth. This does, however, jar slightly with the liberalism and pragmatism of the cybersecurity community. Mandating compliance immediately opens standards up to debate about their effectiveness and interpretation. In an intelligent and questioning community which finds problems for a living, such discussions have the danger of becoming mired in entrenched positions. This is the very opposite of the desired collaborative effect.
Human elements aside, the utopian dream of a unified standard is held back by the current volume and complexity of standards. Not only are they prescriptive in their detail, but geography and sector act as multiplying factors. A company with operations in Asia, the US, Europe and the UK, for example, has to adhere to a different standard for each geography.
The obvious end point of this discussion settles on the need for a singular standard, as defined by the cybersecurity community. Whilst collaboration may have achieved scale as the sector has developed, such harmony has yet to be achieved.
Encouraging diversity could be seen as the ultimate altruistic act in cybersecurity. Put simply, different people have different ways of looking at things. In a space that is all about solving problems, a broader range of opinions provides a greater chance of beating your opponent. This means the more diverse the background of the people trying to stop an attack, the better their chance of success is. It is the human version of a layered approach.
This is as true on the offensive side as it is for defenders. In fact, attackers have remarkably low barriers to entry. The main questions asked are: can you do it, and will you do it?
Transparency as a core tenet of security
Transparency is a contentious subject in today’s commercial cybersecurity space.
It is a core tenet that has defined the space from the outset. The early hacker collectives set the tone for a sector that still holds a belief in highlighting technological flaws close to its heart. This has many positives, as is evidenced by the widespread adoption of bug-bounty programs and information sharing.
However, as cybersecurity has fought its way up the commercial priorities ladder over the years, transparency has had to accept a lesser role in a much broader commercial environment. Freedom of information is no longer considered a binary state but one which exists in a finer balance that also includes factors such as regulation and commercial advantage.
Crisis situations can throw this balance off. For example, breach scenarios or those where there is a sensitive disclosure to navigate in large corporations come wrapped in personal, political and regulatory nuances. This can cause confusion for security teams, especially those who have self-selected into silos away from other business functions.
To address this problem, cybersecurity teams should move out of the shadows and embrace a culture of transparency with the entire organisation they operate in, not just technical stakeholders. Educating everyone from lawyers to comms teams and customer contact centre operatives on the culture and ideologies which underpin cybersecurity is crucial. Only with this kind of transparency can the company respond as a whole.
Building long-term resilience
Harnessing the modern definitions of things such as collaboration and transparency effectively in cybersecurity is difficult without applying them to the contemporary environment.
For the last 20 years, the threat landscape has set a rapid pace but one which the cybersecurity industry has managed to counteract with a doctrine of mitigation. The focus has been on iteratively addressing threats as they appear. With an estimated 10,000 threats per day and growing, this is getting harder.
As this has been happening, the underlying backdrop has changed, and the world has advanced to a point where many organisations are now not just fending off disparate attacks but are actively part of a hybrid war. Utilities companies, banks, transport providers and healthcare organisations are on the front-line in a battle perpetrated by a well-resourced enemy determined to win at all costs. The stakes have intensified and are now fought over on increasingly slim margins.
COVID may be the factor that causes the dam to burst and forces security teams to rethink this approach. By thrusting people and technology into an unexpected and seemingly perpetual crisis, it has highlighted the flaws in this reactive strategy. A longer view needs to be taken.
Instead of mitigation, what is required is long-term resilience. Security must be built into the technological infrastructure that now underpins everything an organisation does rather than bolted on as an alleviating factor in the event of a problem. Approaches such as “just in time” infrastructure and agility, for example, play a useful part in technical innovation, but questions need to be asked as to how exposed they leave organisations and how risks can be managed accordingly.
A shift in mindset such as this becomes a frame within which technological and human factors such as collaboration, transparency and altruism can be applied for maximum effectiveness. This, in turn, creates fertile ground for the effective deployment of defensive technology.
Technological and human advancement go hand in hand
While human elements are crucial to effective defence, retaining a competitive edge requires these people to have access to continually advancing technical tools. Without those, it is the equivalent of well-meaning soldiers charging into oncoming fire.
Ironically, such advances in technology are often brought about by entrepreneurial members of the community already imbued with the aforementioned altruism. The drive of these individuals sees them bringing together similarly motivated teams to secure points of emerging exposure. Today, this means protecting the continued migration to the cloud, reducing API exposure or introducing new countermeasures to monitor and safeguard the exploding attack surface presented by IoT. Such solutions are also not just focused on fixing code-based problems. A significant amount of capital is currently deployed in solving the cyber skills shortage, for example.
People are the driving force of the security industry
Cybersecurity is played out using technology but dictated by humans.
The strength of the people in cybersecurity lies in their ability to unite around a common good, building bonds strong enough to collectively evolve in the face of a never-ending threat landscape. This evolution is key. But they can’t afford to stand still.
Opportunities for change exist in a number of avenues. Increased diversity and the ability to foster greater collaboration and education with non-technical teams appear to offer the routes of least resistance. In addition, while defining more united standards is difficult, the cybersecurity community has solved bigger and tougher problems previously, and it is a goal worth pursuing.
As for the technologies of the future, these form a crucial part of this collective change. In the constant game of digital cat-and-mouse, it is vital to have altruistic individuals manifesting their passion for security in the form of new countermeasures. It is only by bringing both of these elements together and continually enhancing both that the sector can continue to be a force for good, even in a changing world.
Contributed by Paul Edon, senior director of sales and services, Tripwire