Internet outages, Botnets… Just Another Day at the Office
2017 seems to have been a breakout year for cyber risk, and just when you’re telling yourself it can’t get any worse… well, it gets worse. As anyone monitoring the security press (or Twitter) will be aware, both the FBI and DHS have released information about campaigns targeting our critical infrastructure and about the potential for internet outages from the quickly-growing ‘IoTroop’ IoT botnet. While neither revelation is much of a surprise (summary: bad people are targeting stuff that matters, and someone is growing a big botnet for reasons yet to be disclosed), that’s hardly a good Monday morning in the office.
While it’s good that we’re seeing sharing of cyber risk, I have to ask whether this is a warning we can do much about in the short term. Yes, we can add specific detection for the botnet traffic; yes, we can detect IoCs for the latest round of people-centric attacks. However, neither of those does us much good in the long term, because the attacker doesn’t stay static and simply say ‘You got me!’ If a nation state has us in its crosshairs, I have to ask what concrete steps commercial entities can take that would make much of a difference, given the vast asymmetry they face in cost to attack versus cost to defend. Even if we were to disclose the “Who?”, “What?” and “Why?”, would that change the specific mitigations we need to put in place? There are steps we can take, but they are anything but quick, and they are not simple. That’s an important point, so I’ll reiterate. Not quick, because this requires a fundamental do-over in how we try to build protections; and not simple, because we live in a world where defenses and threats co-evolve: the attackers respond to us, and vice versa. Changing the technology (but more importantly, the underlying economics) of that game is something we have to do.
Having been an active member of the cybersecurity community for over 25 years, my takeaway is perhaps different than one might expect. Cyber represents a continuous risk not just for vulnerable sectors but, at the upper end, to our way of life. I am not arguing that the sky is falling, nor trying to sell fear or uncertainty (or doubt, to complete the thought), but we do need to recognize the highly-asymmetric threat environment in which we now live for what it is. This is not abstract… it is personal, and we’re all in it together. With a botnet, for example, your insecurity directly impacts my safety online… and vice versa. Once we recognize that, we then have to make the investments to do something about it – something well thought out, not a shared system of liability where my only recourse is litigation.
From a security perspective, these joint warnings remind us that attackers will use any means necessary to accomplish their goals, ranging from simple distributed denial of service attacks using massive botnets to the specific targeting of high-value individuals within an organization. As defenders, we need to do the basics well: patching, continuous monitoring and secure software development. In addition, however, we must recognize how critical it is to focus not just on the purely technological but also on the human. We cannot remain trapped in an arms race chasing the latest exploit or vulnerability; we must work on a more holistic strategy that provides protection for every end user in our organization. Building resilience into our systems must be our mantra as we go forward.