It's been a decade or more since cybersecurity started making news. Today, hardly a day goes by when we do not hear about new hacks, ransomware attacks, or security risks for critical infrastructure. Why does this issue not seem to ever go away? Putting aside cultural factors like the glorification of hacker troops in movies and the allure of sensationalist headlines, there are a few concrete drivers – technical and business – turning cybersecurity into an ongoing and permanent effort.
When it comes to cyber threats, as with other safety risks (accidents, malfunctions) and erroneous human behaviour (crime, recklessness), there is only so much we can do to mitigate risk. Conversely, there are incentives for us to accept and even actively increase risk, both on an individual and a societal level. Let us look at the drivers for cybersecurity in detail and at how to balance risks and opportunities.
Attack surface scales with digitisation
Firstly, cybersecurity is important because IT is important. We are living in an increasingly digitised society and business world. Digitisation offers significant cost advantages; it promises efficient services, energy savings and equal access to knowledge and opportunity. Technical innovation has enabled digitisation, with ubiquitous broadband and mobile networks and access to cloud services. We are upscaling our computing capacity, while the amount of data stored doubles approximately every two years.
However, in security terms this actually means we are increasing our attack surface or, to put it in more familiar terms, the more digital assets we have, the more we can be attacked. This does not necessarily mean we were safer before (data on paper can still be copied, after all, although not as easily and quickly) but that we are putting all our eggs in one basket. The more data we put on computers, the more secure these computers need to be.
Innovation keeps changing the playing field
The second challenge is one of innovation. In the last two decades we have gotten used to fast-paced technological innovation in the computing realm. However, innovation comes with a few strings attached. Its very nature is unplannable and unpredictable. We cannot, by definition, anticipate tomorrow's technical (and security) requirements from within today's infrastructure. This means that an infrastructure built last year (at significant investment, perhaps) may no longer be safe tomorrow as its environment changes. As a result, we have spent the same two decades retrofitting security to software stacks and network protocols that were never designed to support it.
There actually is an incentive not to deploy available security solutions, stemming from time-to-market pressure. In other words, the party that goes to market first with a product – even if it is objectively worse (security being one quality aspect among many of said product) – has a higher chance of capturing that market. And even worse, the lifetime of a product may surpass its support lifecycle, which in turn may surpass the lifetime of the company. An unsafe smart product may still be in use when the company that built it no longer supplies updates or has left the market entirely (having, perhaps, failed to secure a profitable exit). In other words, we keep building vulnerable products because there is a business advantage to it in a market that is opaque to most consumers and buyers. (An attacker may consider this a target-rich environment.)
Attacks on secure systems can reap a higher reward
The third challenge is economic. We are facing a paradoxical effect: the more secure we can make our system, the higher the incentive for an attacker to breach it. This seems counterintuitive at first: by increasing security we are raising the price of a breach. Attackers need to spend more time and effort, which should discourage them from even trying. However, this is not the kind of game we are in – we have no way of defeating attackers forever, as new ones crop up anywhere, anytime. All we can hope for is to create an equilibrium that is affordable for us, the defenders. The attackers, on the other hand, will respond to increased scarcity, as this drives up their reward. In a world where all jewels are stored in secure safes, the reward for successful safe cracking will increase to the price of a single jewel. In a world where jewels are stored in wooden boxes, the reward will be small (opening wooden boxes is a commodity) and there are more profitable ventures potential attackers can turn their attention to.
Humans aren't always good at assessing risk
The final driver for the predicament we find ourselves in is human nature. Humans were never built to interact with computer systems. As a result, user interfaces must emulate concepts their users are familiar with. However, this emulation comes by way of analogy. Putting a document into the trash on your desktop does not mean it is gone. Emptying the trash means an update to a file system – and it still does not mean the file's data are gone. A "lock" icon in a browser's address bar signals security, but it is not the human who controls this security; instead it is the computer signalling that a complex process of checking digital signatures has concluded successfully. The same computer may, for instance, have previously been compromised when the same user unwittingly accepted an insecure digital certificate.
Humans are also quite bad at judging and reacting to risk. We tend to assume we can control risks when we are just lucky. We also tend to regard certain risks as normal because we are familiar with them (you take a risk each time you drive a car). Lastly, humans tend to fall into automatic reactions to things they are familiar with. Take a popup window that appears on your screen: notice how hard it can be not to immediately click OK – even if it is trying to warn us against installing the faulty certificate from the previous paragraph.
We have tried for a long time to teach users to behave the "right" way (right meaning secure) when using their computers. This approach works, but it requires frequent reinforcement. It also must be performed in a way the user perceives as useful to their tasks – forcing them to click through the same web-based training each year is hardly going to accomplish this. Only recently have we started supplementing this by changing our user interfaces (your web browser making it hard for you to visit an insecure website is an example of this).
Balancing risk and reward
In conclusion, we are faced with a situation where we are constantly making security more important while making ourselves a bigger and more lucrative target, adopting new technologies and products before they have been properly secured, and dealing with our own limitations as homo sapiens.
Yet – the world has failed to collapse from lack of cybersecurity. Obviously, we are still successful in maintaining an equilibrium. We have accepted security as a cost of doing business and moved on. No company would seriously question whether they need an effective cybersecurity function. Those that do tend to disappear from the market sooner rather than later.
Consumers have accepted IT as part of their lives, contributing to their quality of life, and as a society we are collectively moving to a world that will largely depend on online services to function. At the same time, our initial observation that cybersecurity keeps making headlines is perhaps (optimistically) a signal that people, business, and political leaders have woken up to the challenge.
Plus ça change, plus c'est la même chose – the more things change, the more they stay the same. We cannot run away from the cybersecurity challenge, and we must keep investing (and we can!) to stay ahead in the race – which is the only safe position to take.
Dr. Raphael Reischuk
Raphael Reischuk is the author of numerous scientific publications in various areas of IT security and cryptography, many of which have received awards. BILANZ and Handelszeitung listed him among the Top 100 Digital Shapers in Switzerland in 2021.
Reischuk is a member of multiple international programme committees for IT security and Vice-President of the Cybersecurity Committee at digitalswitzerland. He is also the co-founder and a board member of the National Test Institute for Cybersecurity (NTC).
In 2017, he joined Zühlke, where he channels the expertise he has gained in various industries into his role as Head of Cybersecurity. As an experienced IT security expert, he is driven by curiosity, innovation, technology, a sense of commitment and a strong business ethos.