Judging by the defeatist stance of the security industry in reaction to high profile breaches of just about everything and everyone, and the billions lost every year by banks, credit card companies and brokerages, you might think that this whole cybersecurity thing is way beyond us. The experts claim the bad guys are unstoppable, that prevention is impossible, that it’s so complicated and so hard that the best we can do is buy cyber insurance and go hide under the bed. It’s as though, when it comes to protecting our data, identities and money, we’ve fallen and can’t get up.
Let’s talk about that moonshot we pulled off. The computer in that capsule that transported three men—sitting on top of a Saturn V rocket, standing 363 feet in height and producing a ludicrous 7.68 million pounds (34 meganewtons) of thrust from five monstrous kerosene-gulping engines—to the moon, 233,455 miles away, where two of them landed, and brought them all back safely, mind you? That little gadget had less computing power than those learning toys for preschoolers.
That was in 1969.
Too extreme of an example? How about something we did a really long time ago? Like the discovery of germs. Try convincing a venture capitalist to give you funding for this: “So, yeah, we discovered these little invisible creatures that live in our food, air and water and sometimes they make us sick.” Or even better, the cure for those diseases: “Hi, we’re back. Now we need more funding because we figured out we can grow other invisible creatures from mold and garbage to cure the diseases the first creatures caused.” Of course. To whom do I make out the check?
Here are a few more things that are harder than cybersecurity: Flight. The automobile. The Internet. The Eiffel Tower. In fact, any modern skyscraper and everything in it.
You get the idea. We have this almost limitless track record of astounding accomplishment and yet, we seem to be willing to write off security online as something completely mysterious and beyond our abilities. Worse, we seem to be willing to accept defeat in this area, as if that were the best available option.
Just last summer in one of the largest and most stunning breaches of government, nearly 21.5 million people at the Office of Personnel Management lost their personal information, including Social Security numbers and even fingerprints. In the story, The New York Times reports, "[The breaches] seemed certain to intensify debate in Washington over what the government must do to address its substantial weaknesses in cybersecurity, long the subject of dire warnings but seldom acted upon by agencies, Congress or the White House."
Yes, intensifying the debate would be nice, but a bit late. Perhaps it would be a good idea to intensify the debate after we get those vulnerabilities, which are apparently rampant, fixed.
But no, because it gets better.
In the same article, The New York Times quoted Michael Daniel, the White House cybersecurity coordinator, who said, “This incident that we are talking about today is unfortunately not without precedent. We have to raise our level of cybersecurity in both the private sector and the public sector.”
If it's not without precedent, then what happened after all those other breaches? And by the way, this guy leads the league with his capacity for stating the obvious by saying we need to raise our level of cybersecurity. How about actually having some cybersecurity, because apparently, we have none.
But here's the best part. Katherine Archuleta, the director of the Office of Personnel Management, held a conference call to explain the extent of the damage and the agency's planned response. She said, “I am committed to the work that I am doing at O.P.M. We are working very hard, not only at O.P.M. but across government, to ensure the cybersecurity of all our systems, and I will continue to do so.”
She also announced that the O.P.M would be implementing some new security measures—how's that for timing—and that the victims of the breach would receive, you guessed it, free credit and identity theft monitoring.
She also said she would not resign, despite members of Congress from both parties calling for her head.
She resigned the next day.
The people who created these attacks are not superhuman. They succeed because we help them. They work with what we give them, in almost every instance. We know better, but we don't do better, and so our systems are full of security holes, inadequate safeguards and lots of information worth stealing.
Instead of waiting until there’s been an attack and then cleaning it up, we need to shift our angle of vision and our attention to the source of the attacks. This requires that we shift our focus from breach discovery and incident response, to anticipation and prevention. In other words, our security efforts need to work more like a bodyguard and less like a police force. If we can catch threats while they’re still just threats, we’ll have far fewer incidents to explain and apologize for.
Finally, it’s also important that we shift from trying to detect anomalies in big data, and looking instead at “small data” and the patterns hacker create therein. On the Internet, packets move from one place to another and everything leaves a trail. Send out enough attacks and you’re not creating anomalies, you’re creating a signature. Pick up that signature and you’ll find it leads right to the attacker.
We can have cybersecurity that’s worthy of the name, if we’re willing to change our approach. But it is doable and it’s certainly worth doing. And it’s not even as hard as sticking a bit of cotton to both ends of a little paper stick.
Oren J. Falkowitz is the co-founder and CEO at Area 1 Security