As Henry Ford once said, “If you do what you’ve always done, you’ll get what you’ve always had.” Cybersecurity appears bound to a simple cause-and-effect method and rarely thinks outside the box. When a bad actor breaks in through the front door, IT builds a bigger door, without ever considering the windows or the skylight. In many cases, that habit has left us in the same place today that we were in 30 years ago.
Even though cybersecurity defenders have every intention of hardening their environments, we have a long way to go. As defenders keep doing what we have always done, attackers have grown in both sophistication and frequency of attack. While the guardians of information systems remain stagnant and stuck in yesterday, attackers keep moving with far more agility and focus. Something must change in the way we harden, monitor and operate information security, lest we continue down the same path. Russia showed us with the NotPetya (2017) and SolarWinds (2020) attacks that cyber warfare is upon us. If there was ever a time for information warriors to step up their game, that time is now.
Our thinking about cybersecurity, and our actions, occur linearly. Bad actors break into a network from the outside, so we implement firewalls. They join the cleaning crew to gain physical access to the network, so we create MAC filters (a control that a spoofed MAC address defeats in seconds). They send malware, so we install or update anti-malware software. They create ransomware, so we restore from backups. We have reacted this way for 30 years, and the attacks keep growing more costly, more extensive and more frequent. Defenders have been on their heels since the invention of TCP/IP, and we are hardly better off today than we were back then.
Fred Baker, former chairman of the Internet Engineering Task Force (IETF), once stated: “[TCP/IP] was originally written among a cohesive community that had significant internal trust. By default, IP applications assume they should trust people.” There is nothing wrong with that concept in its original setting; the problem arose, in part, because that initial network of systems grew into what we now know as the Internet while nothing changed in the underlying protocol. The core mechanism for transmitting data remains the same and, sadly, our defenses focus in the wrong places.
The open nature of TCP/IP created long-standing problems with securing data in transit. IP itself provides no confidentiality: data traverses the network in clear text unless a higher layer encrypts it. Nor is there any inherent barrier between a source and a destination system; any host that can route to another can send it packets. These two core problems established an early need for encryption and firewalls, and those two technologies still sit at the heart of today’s defenses. We know that current firewall implementations play a less substantial role in securing environments than they once did, yet firewalls still play an oversized role in corporate defense. The fact that enterprises continue to focus primarily on penetration from the outside legitimizes the argument that we are where we have been.
Attackers no longer spend time breaking through a firewall; they simply phish their way into the network and operate from the inside. As for encryption, a large number of businesses see a need to secure only the data that leaves their environment, leaving data at rest and data moving between internal systems in the clear. The lack of data classification, data monitoring and internal data encryption procedures highlights how we keep looking through the same lens we did decades ago. Although our defenses remain much the same, attackers have shifted in an agile fashion, increasing the global threat against information systems.
Along with clear text and the lack of native barriers to transmission, malware plays a central role in the world of cybersecurity. Viruses, one form of malware, have been around nearly since the inception of data networks, and we have dealt with anti-virus software for just as long. The concept is simple: identify a signature of the malicious program (a file hash or a distinctive byte pattern), quarantine or eradicate anything that matches and move on to the next piece of nefarious software. The weakness is just as simple: a signature matches only the bytes it was written for, so a repacked or lightly modified variant walks straight past it until a new signature ships. Yet we keep using the same type of technology, running on the same systems, managed by the same staff and following the same processes and procedures, and we incorrectly expect a different outcome as we continue doing what we have always done.
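To make the signature concept concrete, here is an added illustration that is not part of the original article: a toy scanner that does what anti-virus has done for decades, matching whole-file hashes and byte patterns against a database, run over constructed samples (no real malware; the detection name Dropper.A, the EVIL_DROPPER marker and the STUB packer format are all made up for this example). It also shows the failure mode described above, that the same program with one byte changed, a bumped version string or a trivial XOR packer wrapped around it no longer matches on disk, and the adjustment a defender has to make, scanning what the sample decodes to rather than the bytes as stored.

```python
from __future__ import annotations
import hashlib
import re

# Constructed sample standing in for a malicious executable. It is just bytes;
# nothing here is real malware. The marker string is the part a signature author
# would latch onto.
ORIGINAL_SAMPLE = b"\x4d\x5a" + b"EVIL_DROPPER_v1" + b"\x90" * 16 + b"\xcc"

# A minimal signature database in the two classic forms:
# a whole-file hash and a byte pattern (hypothetical detection name Dropper.A).
HASH_SIGNATURES = {
    hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "Dropper.A (hash)",
}
PATTERN_SIGNATURES = [
    (re.compile(rb"EVIL_DROPPER_v\d"), "Dropper.A (pattern)"),
]


def scan(sample: bytes) -> list[str]:
    """Classic on-disk signature scan: report every signature that matches."""
    hits = []
    digest = hashlib.sha256(sample).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(sample):
            hits.append(name)
    return hits


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest transform that changes every byte on disk."""
    return bytes(b ^ key for b in data)


# Hypothetical packer format: 4-byte magic, 1-byte key, XOR-encoded body.
PACKER_MAGIC = b"STUB"


def repack(sample: bytes, key: int) -> bytes:
    """Simulate what a packer does: the program's behaviour is unchanged once the
    stub decodes the body at runtime, but every byte stored on disk is new."""
    return PACKER_MAGIC + bytes([key]) + xor_encode(sample, key)


def unpack(packed: bytes) -> bytes:
    """Undo repack(); this is roughly what a sandbox or memory scan gets to see."""
    key = packed[len(PACKER_MAGIC)]
    return xor_encode(packed[len(PACKER_MAGIC) + 1:], key)


def scan_after_unpacking(sample: bytes) -> list[str]:
    """The defender's adjustment: scan what the sample becomes, not what it is."""
    if sample.startswith(PACKER_MAGIC):
        sample = unpack(sample)
    return scan(sample)


def demo() -> dict[str, list[str]]:
    """Run the on-disk scanner over the original and three trivial variants."""
    variants = {
        "original": ORIGINAL_SAMPLE,
        "one byte changed": ORIGINAL_SAMPLE.replace(b"\xcc", b"\xc3"),
        "version bump": ORIGINAL_SAMPLE.replace(b"v1", b"v2"),
        "repacked": repack(ORIGINAL_SAMPLE, 0x5A),
    }
    return {name: scan(body) for name, body in variants.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:18s} -> {hits or 'no detection'}")
    packed = repack(ORIGINAL_SAMPLE, 0x5A)
    print(f"{'repacked, unpacked':18s} -> {scan_after_unpacking(packed)}")
```

The hash signature survives nothing but an identical file; the byte pattern survives small edits but not the packer. Only the unpacking step, which looks at behaviour rather than storage, recovers the detection, and that is exactly the kind of shift the article argues defenders have been slow to make.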
No one should wonder why we not only continue to see incidents but see attacks on an ever greater scale. When we think we have seen the worst with WannaCry in May 2017, NotPetya follows about six weeks later. That attack was topped three years on by Sunburst, the backdoor delivered through the SolarWinds supply chain compromise. Bad actors in the cybersecurity realm continually elevate their game while defenders play with the same tools, techniques and processes we used 30 years ago. A global problem exists around cybersecurity defense, and we must, as an industry, make substantial changes before we can hope to stem the tide of nefarious behavior.
Stay tuned for Part 2, where I discuss potential solutions.
The comments, suggestions and statements in this article are my own and don’t necessarily represent IBM’s positions, strategies or opinions.