Friday, November 14, 2014

What is the outlook for the future of cyber-defenses?

I was recently asked to comment on what I felt the outlook was for cyber defensive initiatives over the next ten years. One specific aspect of the question was whether I felt there might be a serious global cyber incident that resulted in billions of dollars of damage and/or massive loss of life.

Below are some of the thoughts from my answer, with some further elaboration on the examples I gave.

First, nearly every organization in every sector I have worked in or consulted for is living in denial that any significant threat exists. As long as the people in the ivory towers of public and private (non-military) organizations fail to acknowledge that there is a threat, there will be no call to action. With no call to action, those who control the purse strings will not feel any need to authorize spending on anything other than the old, outdated, and ineffective cyber defenses that were last known to be effective, and only marginally so, over twenty years ago.

Why would they go after THAT?

When there is no perceived threat, or the threat doesn't seem relevant to your area of influence, there is no felt need to act, and so far too few resources are dedicated to defense. Meanwhile the bad guys continue to up their game, refine their tools, and develop their offensive technologies and strategies.

Consider the recent hack of NOAA (the National Oceanic and Atmospheric Administration), which also includes the NWS (National Weather Service), both US government organizations. The flawed thinking of leadership today is "Who would bother to hack that? There's no money there, and the information they have is freely shared. No need to spend much to protect that, right?" WRONG! Until we start thinking like the bad guys we will never be able to defend against their strategies.

When the weather is good, being without this information for a few days is not such a big deal. But what about when the weather is bad? What about critical forecasting data during approaching hurricanes, storms that generate tornadoes, or floods? Imagine that during the approach of Hurricane Katrina the weather data had said it was going to be a category 1 hurricane rather than a category 5, with no real need to evacuate. Even a 12-hour delay could have cost a catastrophic number of additional lives. Yes, there are other communication systems and methods that would help to mitigate bad data on the NOAA and NWS web sites, but let's keep following this line of thinking.

What other systems might have similarly low levels of security resources dedicated to their protection? In my area, after a previous round of wildfires, the local government implemented a 'reverse 911' system. Unlike 911, where you call for emergency services and they have your location data to find you, this service is opt-in: you have to sign up to receive notifications from the government about local disaster risk, threat information, evacuation routes, orders to evacuate, and so on. Obviously there is a risk that hackers could steal that personal information, which the government otherwise promises not to share, but that is not what we are talking about here. What if that information were unavailable, or outright wrong, during an emergency when minutes and seconds count? Compromising such a system and causing it to distribute wrong information during an emergency would be quite an effective weapon.

But wait...there's more.

Now, the latest information is that this was 'just' a compromise of the web sites that report weather data, but let's start thinking like the really bad guys. What other technologies do these organizations have access to? Well, weather radar... could be interesting... and satellites. Now that could be really interesting! If, as a bad guy, I could break into NOAA and NWS, I might be able to get at the computer systems or protocols that communicate with and control the weather satellites. I'm sure this is a reach, and I know nothing about satellite communication protocols and frequencies, but it might be possible to use those systems to attempt to communicate with other satellites, perhaps communications satellites (data or broadcast media). Maybe it would be enough just to be able to mount a DoS attack against them. Taking out some of those alternate forms of communication would be pretty effective while compromised web data was showing incorrect information during a time of crisis.

This is how the bad guys think, and this is exactly what management doesn't want to hear and is far too quick to dismiss as pure fantasy: the stuff of science fiction and an over-imaginative, over-paranoid brain... until it happens and they see it on TV.

A war without rules

While our military and other governments' militaries are engaged in a cyber arms race, there are few regulations or laws globally that prevent the use of military-grade cyber weapons against civilian targets. Meanwhile China, most notably, has a rapidly growing middle class. Those middle-class people crave jobs, and while China's investment in its own research and development is low, its effort to steal the intellectual capital and technology on which middle-class job creation depends is very high. Even the systems that control the fundamental elements of our capital markets have been compromised and will continue to be compromised. In some instances governments are buying tools from the hackers and keeping them secret rather than letting the rest of us know about them and try to protect ourselves.

Prospects for the future

The talent pool of people trained in security technologies and strategies is far too thin to cover the demand, and that demand is only escalating. Management is reluctant to invest in cutting-edge security training, often believing it to be gratuitous and generally not a good return on investment. Every client I work for has many talented people who simply don't think in terms that lead to effective security. They trust that everything works and don't suspect that things will go wrong. Many of them are stretched so thin that simply making the system work is all they have time to do. If you don't think about how things can go wrong, you certainly won't devote much time to pondering what to do when they do. There are also people out there who are at the limit of their training and barely able to understand the systems they are working on. It is tough to think in creative directions, as the bad guys do, when you are struggling just to control the systems in your own area of responsibility.

Will there be attacks in the next ten years that cost billions of dollars and cause massive loss of life? Most definitely. Preventing them would require a paradigm shift in how we view the technology we possess and the risks we face daily.

The famous last words spoken when a new attack is discovered are "I didn't expect them to do that." That very refrain has become our battle cry of defeat.