Is Anything Secure Anymore?

Reports that the 2016 US Presidential election was tampered with electronically by foreign political agents have served to put Western democratic nations on edge, with British Prime Minister Theresa May recently accusing Russia of meddling in their own elections.

“We know what you are doing and you will not succeed,” she stated in an address to the Lords Mayor’s Banquet.

However, it’s not just nation states attacking and spying on one another; cyber criminals are attacking businesses and individuals now at a rate unheard of before. What’s worse is that businesses don’t seem the least bit alarmed. According to the SolarWinds MSP Security Survey’s findings, a full 87 percent of businesses in the US and UK are “confident in their cybersecurity preparedness,” while concurrently finding that 71 percent of businesses surveyed had “at least one breach in the previous year”.

This obvious disconnect between wishful thinking and reality isn’t shared by private US citizens. A separate poll by Gallup shows that out of all crimes, Americans are worried most about cybercrime. The results show that:

  • 67 percent of Americans worry about hackers stealing their personal information
  • 66 percent worry about identity theft
  • Americans most frequently report being victims of cybercrime
  • 38 percent of Americans worry about having their car stolen or broken into, the third highest worry behind identity theft.

If high-alert government agencies, negligent businesses, and frightened citizens aren’t enough, the cybersecurity skills shortage means that things likely won’t get better.

A Lack of Cyber Security Professionals

Jon Oltsik, writing for CSO Online, believes that the cybersecurity skills shortage doesn’t just mean things won’t get better — he believes that it represents an existential threat to both private and national security. Out of 343 cybersecurity professionals surveyed by Oltsik’s company, 70 percent reported being affected by the cybersecurity skills shortage. When asked what that meant to their organizations, this is how they responded:

  • 63 percent said the cybersecurity skills shortage has led to increasing workload on the existing staff.
  • 41 percent said they’ve had to hire and train junior employees rather than hire people with the appropriate level of skills needed.
  • 41 percent said the cybersecurity staff is forced to spend a disproportionate amount of time on high-priority issues and incident response with limited time spent on planning, strategy, or training.
  • 39 percent said the cybersecurity staff has limited time to work with business units to align cybersecurity with business processes.
  • 39 percent said the cybersecurity skills shortage has led to a situation where cybersecurity professionals are unable to learn and/or fully utilize their security technologies to their full potential.

“To summarize, the cybersecurity skills shortage is having an impact on people (i.e. overwhelming workload, limited time for training, etc.), processes (limited proactive planning, limited time to work with business units, etc.) and technology (limited time to customize or tune security controls, etc.),” writes Oltsik. “In aggregate, all of us are being protected by an understaffed and underskilled workforce, and the data suggests things are only getting worse.“

Is Cyber Security Dead?

All of this information put together indicates that cybersecurity is in a bad place. In fact, Mike Baukes, co-founder and co-CEO of cyber resilience platform UpGuard, writing for Forbes made this controversial statement:

“The data is in: Cybersecurity is dead. Even as global cybersecurity spending is expected to balloon to over $100 billion by 2020, the frequency and severity of cyberattacks continue to grow, with seemingly no end in sight. While exploits and hacking tools become even more widely available and simple to deploy, there has been little commensurate progress in beating back attackers, who continue to find success striking at persistent, common weak points. How is this possible?”

Baukes explains that the concept of anti-virus that many have in their head, such as Symantec software that you leave running and is supposed to protect you, is simply too easy to overcome. Not only that, but many businesses are unaware that their own practices are actually what is putting them at risk. Cloud company XMedius published a post titled “3 Major Data Security Risks Every Business Should Know About,” listing the number one risk as employees who don’t know how to protect data.

“It’s safe to assume that unless we work for a company specializing in IT security, the average worker goes about their day handling and sending sensitive data without thinking about hackers or data loss,” they write. “It’s actually the lack of security awareness and skills that makes organizations an easier target for hackers or disgruntled employees who have access to networks and admin accounts.”

Add to all of this the fact that many businesses are using legacy systems and outdated, often unpatchable software, and we get a clearer picture of why cybersecurity as a whole seems to be in dire straights. Fortunately there are solutions on the horizon — but let’s hope they aren’t deployed too late for it to matter.

The Blockchain and AI to the Rescue

As cryptocurrencies have become a more pertinent topic of conversation in the mainstream, the blockchain technology that they’re built upon has become more pertinent as well. Anabel Cooper, writing for InfoSecurity Magazine, believes that blockchain technology’s ability to encrypt all actions performed with a file or object will bring data security to new heights, starting with private messengers and payments across social platforms. Not only will the contents of the messages be secured by blockchain technologies, but the metadata associated will also be encrypted and void the need for user authentication information. Cooper also believes that the blockchain will provide effective means of deflecting cyber attacks on major websites with centralized servers.

“The problem is that current DNS servers lack in security because they keep the access key on a single server and rely too much on caching,” writes Cooper. “Startups like Guardian and Nebulis, are determined to change that with using the distributed network of keys and keywords on the basis of the blockchain. Ultimately, blockchain will protect servers from hacker attacks and make them virtually unbreachable.”

While the blockchain could definitely help shore up defenses, the cybersecurity industry is also benefitting from new paradigms and philosophies. Artificial intelligence has made it possible to shift from the “fortress mentality” that focuses all resources on keeping intruders out, and instead focus on new approaches that detect intruders as soon as they’re in, and contain the damage before it gets out of hand.

“They’re shifting from military metaphors to the language of biology,” writes Wired’s Scott Rosenberg. “They’re designing immune systems rather than barricades.”

He explains that machine learning applications such as Darktrace, founded by Cambridge University mathematicians and ex-British spies, are now able to catalog never-seen-before anomalies as they happen. This is because Darktrace learns what “normal” looks like in a system, and then investigates and reports any deviation from that norm. Rosenberg interviewed Darktrace CEO Nicole Eagan for his Wired article, and she extrapolates:

“The big challenge that the whole security industry and the chief security officers have right now is that they’re always chasing yesterday’s attack, That is kind of the mindset the whole industry has — that if you analyze yesterday’s attack on someone else, you can help predict and prevent tomorrow’s attack on you. It’s flawed, because the attackers keep changing the attack vector. Yet companies have spent so much money on tools predicated on that false premise. Our approach is fundamentally different: This is just learning in real time what’s going on, and using AI to recommend actions to take, even if the attack’s never been seen before. That’s the big transition that Darktrace is trying to get folks… to make: to be in the position of planning forward strategically about cyber risk, not reacting to the past.”

Stuck in Limbo Until We Adapt

Unfortunately, cybersecurity is stuck in a sort of inbetween right now. While blockchain tech is on the rise, Darktrace and other AI applications that follow its “Enterprise Immune System” (EIS) model are emerging, they’re a far cry from being considered “mainstream” solutions yet. They are a light at the end of the tunnel, a distant star on the horizon, and they represent hope. Interestingly, however, they also highlight that it’s not just technology that needs to change — it’s also us.

Our attitude toward cyber security, prevention, and response desperately needs updating. The old M.O. of keeping the fortress walls high and the attackers out simply won’t cut it anymore, because no matter how high you build the wall, all it takes is a malicious actor that decides to built a taller ladder. This is a simple fact, and one of the main reasons that businesses should be wary of their confidence in their systems.

As AI applications and EIS prove effective, fewer military fortress analogies will be used, and more businesses will begin liken cybersecurity to responsive immune systems. Until then, the rest of us will be left twiddling our thumbs, still wondering: is anything secure anymore?