Cyber Security for the Rest of Us*

There Are No Firewalls. There Is No Inside Or Outside. We Are All Swimming In The Same Cyber Sea—With Sharks Circling. We Have No Protective Cage.

Bottom Line: In The Realm Of Cyber, Nothing Is Secure.

Cyber security experts have cried wolf before—and the sky is still standing. But we have finally reached the tipping point. It’s time to get the word out about how vulnerable we all really are—and why we need to take an entirely new approach to networked security.

This approach is called less armadillo, more monkey. “Less armadillo” means we must give up the armadillo-like illusion that a hard outer shell will protect us. In cyber security terms, this hard-shell metaphor refers to perimeter defense—the moat of firewalls, AVS services, intrusion detection systems, white list/black list feeds, and so forth that we believe will keep us safe.

“More monkey” means developing an agile, flexible, social, tricky response to cyber threats. When predators attack, we must swing through the trees, together. In cyber security terms, this means a wide variety of adaptive strategies. The goal is to help your company become intelligent cyber monkeys, instead of armadillo road kill.

Physical + Logical Security = Zero Silos

At first glance, physical security and cyber security appear to be two separate disciplines. They require different training, and different credentials. Inside the enterprise, they work in separate departments—and although they may talk, they rarely collaborate in any meaningful sense.

There are many reasons why consolidating the physical and the logical security forces within the enterprise makes sense. From the IT side, the proposition is: some back doors are physical, and physical security audits and enforcement policies can help close them. Also, since your cyber systems will be compromised—you need all the security help you can get, especially in emergencies.

From the physical security side, the proposition is: technology is becoming ever more vital to your day-to-day physical security operations, so you can’t afford to remain uninformed about information technology threats and vulnerabilities.

From a general company perspective, system resilience increases when logical and physical security are in synch. Each side can definitely benefit by sharing information more frequently, and developing a closer relationship with the other.

But here’s a bigger idea: what if cyber geeks and physical bubbas were all a part of the same team... Could some powerful new protective shield emerge?

Cybernomics

First, let’s review some basic assumptions:

  1. Cyber attacks are a clear and present danger to nations, organizations, and all electronically connected people.
  2. Current cyber defense methods and tools provide some help—but not enough for us to keep up with, much less overcome, our adversaries.
  3. In a cyber war, quick intelligence is the bomb. The best intelligence in a networked world is shared intelligence. We simply must start sharing information as well as the bad guys—and then surpass them.
  4. We need new, agile cyber intelligence weapons that enable trustworthy organizations to collaborate.
  5. To even the odds against the bad guys, we need to change our tools, methods, thinking, and spending. Now...

What if the core problem—the real root of our inability to keep up in the cyber arms race—were not technical, but economic? Could understanding the economics of cyber help us in this fight?

Hence the notion of cybernomics: an economic theory which holds that robust cyber systems are a prime driver of the global economy; and that compromised IT systems create downward spirals for products, services, and stock prices.

Cybernomics attempts to improve cyber security by following the money. The real solution is new thinking, smarter strategies, better decisions, and connected systems—so we can start working this problem together.

Dynamic InfoSec Controls: The Next Big Thing in Cyber Security

For several years now, it’s been clear that the traditional perimeter security model is failing, and that its key stalwarts—firewalls, anti-viral services and intrusion detection systems—are incapable of stopping the most sophisticated attacks. There are rumblings of the emergence of a new model that is being actively explored by several leading US government agencies.

This original research explored security system architectures inspired by the workings of our human immune systems. The untested thesis then was, what if instead of focusing on keeping the bad guys out, we built systems that let only known good guys in? One key element in this ongoing R&D is the security methodology known as application white listing.

Application white listing services authenticate applications and other computing elements by source. What seems to be in the works now is a major program backed by a group of US government agencies that would leverage new cyber security initiatives inside government, and then go a step further, by installing a more automated, lower-overhead version of application white listing.

It would add up to a comprehensive new approach to cyber defense based upon maintaining trusted environments, rather than fighting a continuing arms race against the bad guys one vulnerability at a time.

How to Kick-Start Cyber Information Sharing

Congressman Mike Rogers (R-Mich) is the leading, and most articulate, advocate for cyber security in Washington, D.C… Rep. Rogers’ argument in favor of robust cyber information sharing is (paraphrasing): We now spend an enormous amount of money gathering cyber intelligence to protect 5 percent of America’s IT systems—those operated inside the government. But the other 95 percent is also critically important. It’s crucial we make our government’s cyber intelligence available also to American private sector partners.

Intelligence sharing among good guys—government-to-private, and private-to-private—is urgently needed. Nothing could make more sense. There is an urgent need for government to start sharing cyber intelligence with trusted private sector partners. But government information sharing policy—at the markings level, and above—is a giant hairball—and one unlikely to get unraveled any time soon.

Based on past experience with government efforts, the road to information sharing hell is paved with good intentions—and lots and lots of policies. Policies for legal compliance, intellectual property confidentiality, personal privacy, protection of sources, effective public relations, and on and on… all based on the notion of need to control, rather than the cyber security operational imperative of need to share.

We need the ability to share critical attack information in real-time. The technology building blocks exist. A pervasive policy log-jam, in both the public and private sectors, is the problem. Making the policy transition from need to control to need to share will be difficult....