Wednesday, March 18, 2015

Why, and to whom, does cybersecurity actually matter?

[A revised and evolving version of this blog appears at https://medium.com/@chris_wiesinger/are-moods-getting-in-the-way-of-cyber-progress-bb82b2d70515]

Are moods getting in the way of progress in cybersecurity?

We see in the cyber conversation — whether it’s Dan Geer [see 1], Mark Anderson [see 2], or other voices whose concerns converge between cyber and the physical world [see 3, 4] — a mood of resignation that the people who want to break into systems are permanently ahead of those responsible for protecting them from undesirable manipulation. Adding to that stew are revelations that national intelligence agencies persistently try to create vulnerabilities at the operating system and hardware level. [see 5 and 6]
We seem to share a sense that the status quo is terrible and our future is bleak. Unlike Land, Sea and Air, cyberspace is a domain that seems to lack rule of law, and the ability to enforce law.

But it also seems that little is being done to change the situation, or the changes being sought are too little, too fragmented, and too slow.

Why are we stuck? Beyond the blah blah blah, does anyone care enough about what is at stake to act with purpose and effectiveness? Are we being asked to care about the right things?

It seems that moods of fear, resignation and despair are getting in the way of shifting to new mindsets, choosing different issues to care about, and adopting technologies that could actually make a difference. Cybersecurity innovators will have to find ways of shifting these moods in order to create market traction.

New Mindsets

Innovators in the security industry have pivoted from classic perimeter defense approaches to the principle that breaches will happen, and what is becoming important is implementing new practices and enabling technologies to limit the damage or exposure such violations create. They propose a security mindset of resilience, rather than a philosophy of prevention.

One such pivot involves the principle that all data in the cloud should be masked, and that the masking and unmasking should be governed by business rules. That way, while firewalls and networks might be compromised, data remains protected. So we have firms like Ciphercloud, who propose that all enterprise users should go through an encryption/decryption gateway when they use the cloud. We have firms like CloudMask, who say that’s not good enough because it doesn’t address our tendency to use unsanctioned cloud services because they deliver better value than internal capabilities, or the insider threat… and propose instead implementing plugins (“sandboxes”) on end-user devices to mask/unmask data on an application-specific basis, regardless of whether the target system is on-premise or in the cloud.

Firms like WebShield offer technologies and approaches that enable new practices for governed data sharing in unwieldy and decentralized networks, bringing techniques that protect data from unauthorized access, while simplifying automated, just-in-time de-obfuscation processes.
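The client-side masking model described above (data masked before it reaches the cloud, with masking and unmasking governed by business rules) is easy to see in miniature. The following is an added illustration, not code from Ciphercloud, CloudMask or WebShield: it is a hypothetical per-application plugin that tokenizes sensitive fields on the device, keeps the token vault locally, and only unmasks for roles the policy allows. The policy table, field names and roles are constructed for the example.

```python
import secrets

# Constructed business rules: for each application, which fields must be masked
# before a record leaves the device, and which roles may see each field in clear.
POLICY = {
    "crm": {
        "email": {"sales", "support"},
        "ssn": {"compliance"},
    },
}


class MaskingPlugin:
    """Hypothetical application-specific masking plugin.

    Sensitive values are replaced by random tokens before upload; the mapping
    token -> plaintext never leaves the vault, so a compromised cloud store or
    network path yields only tokens.
    """

    def __init__(self, app, policy=POLICY):
        self.app = app
        self.rules = policy[app]
        self.vault = {}  # token -> (field name, plaintext); stays local

    def mask(self, record):
        """Return a copy of the record with governed fields tokenized."""
        masked = dict(record)
        for field_name in self.rules:
            if field_name in masked:
                token = "tok_" + secrets.token_hex(8)  # unpredictable, not derived from data
                self.vault[token] = (field_name, masked[field_name])
                masked[field_name] = token
        return masked

    def unmask(self, record, role):
        """Return a copy of the record, restoring only fields this role may read."""
        clear = dict(record)
        for field_name, value in record.items():
            entry = self.vault.get(value)
            if entry is None:
                continue  # not a token we issued; leave untouched
            vault_field, plaintext = entry
            if vault_field != field_name:
                continue  # token moved into another field: treat as tampering, keep masked
            if role in self.rules.get(field_name, set()):
                clear[field_name] = plaintext
        return clear


def demo():
    """Mask one constructed CRM record, then unmask it for two roles."""
    plugin = MaskingPlugin("crm")
    original = {"name": "A. Example", "email": "a@example.invalid", "ssn": "000-00-0000"}
    in_cloud = plugin.mask(original)          # what the cloud service stores
    for_sales = plugin.unmask(in_cloud, "sales")
    for_compliance = plugin.unmask(in_cloud, "compliance")
    return original, in_cloud, for_sales, for_compliance


if __name__ == "__main__":
    for label, rec in zip(("original", "cloud", "sales", "compliance"), demo()):
        print(f"{label:>10}: {rec}")
```

Two design points carry the essay's argument: the vault lives with the plugin, not with the cloud provider, and the unmask path consults the same rules as the mask path, so the role table rather than the network perimeter decides who sees plaintext.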

Another complementary pivot comes through firms like Bromium, who propose that every application should run in a purpose- and use-specific virtual machine (think “fresh, out of the box, computer configured to run only that application”) that disappears once the session is complete. In this way, any malware or virus is isolated in that session, and destroyed after the fact without being able to migrate into the “real” machine. Bromium adds to resilience an element of what Nassim Taleb calls anti-fragility: capturing the patterns of malware when it first appears as a non-white-listed process, and subsequently filtering for it.

Adoption Paralyzed by Mood?

But while security is on everyone’s mind, there seems to be among many customers a reluctance to prioritize action along these smart pivots. They’re not buying.

Enterprises act as though they have no choice but to spend money on firewalls and anti-virus. But while conceptually interested, buyers currently lack the resoluteness to invest in the alternate risk mitigation approaches offered by non-traditional vendors and approaches.
Perhaps this is because at higher levels of corporate brand and share value, there seems to be — over the medium and long term — a mood of indifference over the impact of cyber breaches. Freshfields Bruckhaus Deringer, basing their assessment on a three year study, reported in 2013 that: “Global listed companies hit by a cyber attack saw a combined loss in market value of $53bn on the first day’s trading following the revelation of an incident and those affected took an average of 24 days to recover pre-crisis valuations.” [see 7] In other words, the “public” impact of a breach on shareholder value is immediate… but fleeting. And so it is not surprising that at the small and medium enterprise level — according to recent UK Government research [see 8] — only 16% of respondents considered cybersecurity a top priority for action.

Which raises the question: why, and to whom, does cybersecurity actually matter?

We speculate that the cybersecurity domain is enveloped by negative moods, and that these moods limit the possibilities of action. One overriding mood is resignation, as expressed by leading voices like Geer and Anderson. That mood is underscored by ongoing experiences: for example, one firm in the financial services domain claims to spend around $250M annually on cybersecurity; despite this, the firm incurred a data breach affecting 83 million accounts in 2014.

A mood of resignation suggests that since all the solutions that have been tried in the past are failing, there is no path to success on the horizon, the pivots that need to be taken will not occur, and this will not change. Others are fear and uncertainty, amplified by established vendors engaged in feature and function battles for classical solution market share. Yet another is a mood of being overwhelmed by the continued onslaught of attacks and breaches, and the complexity of defense.

These moods combine to produce a sense of powerlessness, indifference and victimization.

Here’s Fernando Flores on moods: “We can interpret moods in terms of assessments that people have about the future. The employee… may expect that the new company effort will not improve the company’s reputation with customers or his own possibilities for advancement and job possibilities…. These aren’t assessments that (the person) makes consciously; it’s simply obvious… that no new initiative is going to turn the company around… For this reason, we sometimes refer to a mood as an automatic assessment.” [9]
Individuals operating under the influence of negative “automatic assessments” like resignation and despair are not likely to take the new action, or adopt the new practices suggested by non-traditional cybersecurity vendors, because they live in a world where nothing they do will change things.

“I will busy myself with reducing my dependence on, and thus my risk exposure to, the digital world.” — Dan Geer, 2014 (BlackHat USA)

We have nothing to fear, but fear itself

“No one wants to pay for security,” a PKI pioneer and industry veteran recently told me over coffee. “No one’s buying what we’re offering,” a Manager for a large system integration Cybersecurity practice in Europe confided. “Our actual revenues are way short of what we targeted,” a Business Development executive at a similar, North American firm confessed. These assessments and assertions make weird sense in a domain where, regardless of how much is spent, breaches continue… and continuing breaches just provide “justification” that spending more is somehow the answer.

What is on offer — more of the same stuff, in aggregate, seemingly ineffective: promises of “security” unfulfilled — is clearly part of the problem.

Another challenge is what some have called the “moral hazard” [10] inherent in a world where firms lack incentive to invest because the direct, financial impact of breaches is low, and much of the remaining impact is externalized through diffusion of pain to individual consumers. They really have little reason to care. Is a minor fear — and mitigated risk — of losing money a sufficient catalyst to adopt new practices?

But perhaps an even bigger part of the failure to progress in this domain is the matter of mood among buyers, something that cybersecurity vendors simply exacerbate when they use industry trope techniques — fear, uncertainty and doubt — during their sales processes. Is the fear mongering snuffing out any possibilities for positive, optimistic moods and accompanying action to take hold? Does the generation of a constant atmosphere of fear eventually inure the market to any sort of offer? In short, do traditional stories about cybersecurity simply fail to produce positive reasons for acting, and are they part of the problem?

For a new generation of security offers to take hold, innovators will have to find ways of shifting the mood of potential buyers. They won’t achieve this by playing into the dominant, negative narrative. What is needed is not more features and functions, but a framework for addressing security in a way that produces outcomes that the market as a whole can assess as being satisfactory.


****************************
Links and References
[1] Dan Geer, “Cybersecurity as Realpolitik” presented at Black Hat USA 2014 https://www.youtube.com/watch?v=nT-TGvYOBpI and transcript http://geer.tinho.net/geer.blackhat.6viii14.txt
[2] Mark Anderson, “The Sony Hack And Nortel’s Demise: Piracy Vs. Crow” http://blog.stratnews.com/2015/01/the-sony-hack-and-nortels-demise-piracy-vs-crown-jewel-theft/
[3] Greg Miller, “In campaign against terrorism, US enters a period of pessimism and gloom” http://www.washingtonpost.com/world/national-security/in-campaign-against-terrorism-us-enters-period-of-pessimism-and-gloom/2015/03/07/ca980380-c1bc-11e4-ad5c-3b8ce89f1b89_story.html
[4] Tim Greene: “Kaspersky: A very bad incident awaits critical infrastructure” http://www.networkworld.com/article/2895095/security0/kaspersky-a-very-bad-incident-awaits-critical-infrastructure.html
[5] Sarah Burr, “Apple Products May Have Been Compromised By CIA Mass Surveillance Program” http://techcrunch.com/2015/03/10/apple-products-may-have-been-compromised-by-cia-mass-surveillance-program/?#CYGMWF:gxWW
[6] Schneier on Security “Cisco Shipping Equipment to Fake Addresses to Foil NSA Interception” https://www.schneier.com/blog/archives/2015/03/cisco_shipping_.html
[7] “Cyber attacks wipe $53bn off listed company values but investors remain largely unfazed by cyber risk” http://www.freshfields.com/en/news/Cyber_attacks_wipe_$53bn_off_listed_company_values_but_investors_remain_largely_unfazed_by_cyber_risk/
[8] “Cybersecurity myths putting a third of SME revenue at risk” https://www.gov.uk/government/news/cyber-security-myths-putting-a-third-of-sme-revenue-at-risk
[9] Fernando Flores, Conversations for Action and Collected Essays: Instilling a Culture of Commitment in Working Relationships www.conversationsforaction.com [2013 Kindle Edition] p.62 of 138.
[10] http://qz.com/356274/cybersecurity-breaches-hurt-consumers-companies-not-so-much/?utm_source=parQZ