Society tends to disregard concerns and threats that are not immediate, or at least immediately apparent. Cybersecurity is a microcosm of this human tendency, both as a generic threat, as well as in particular threats we still remain mostly ignorant of today.
In 1991, Winn Schwartau went before the United States Congress to discuss how foreign nations would one day use the internet to attack the US. He was laughed out. In 2001, I was laughed at for discussing how the internet is a world of compromised computers controlled remotely by attackers in what is called “botnets”.
“Any fool can tell a crisis when it arrives. The real service to the state is to detect it in embryo.” – Isaac Asimov, Foundation
It took years for these threats to become a reality even after facts surfaced, and for cybersecurity to be accepted as a mainstream threat, with cases such as FBI vs. Apple on opening an iPhone; the US Democratic National Committee data breach; President Macron’s elections hack in France, and so on.
In the late nineties, Israel instituted a small organization to protect critical infrastructure. One could claim that was early insight into the problem. Others would claim it was already too little, too late.
Experts claimed cybersecurity, then known as information security, was a huge problem waiting to explode. But, it hadn’t yet exploded at the time. How can one tell the difference between one threat and a thousand others? When does a threat (a risk shown to exist) become a credible one? How much investment would any such threat warrant, and how do we discover it?
As I have discovered new threats over the years and attempted to counteract them, I tried to come up with some answers. Several parameters, or canaries in the coalmine, present themselves.
When experts tend to complain that the very infrastructure is built wrong, and possible solutions (such as replacing it) have a friction too high to be relevant, we are looking at a threat without a solution – a threat that is likely to grow. Examples of this are the internet protocols TCP/IP, and the email protocol SMTP.
Cat and mouse
When the solutions that are being used are recognized to be a part of the problem. In cybersecurity, we react in ways that maintain our systems in the short term, but by their very nature introduce a neverending cat and mouse game, where both sides constantly adapt in a co-evolutionary race toward a “superbug”. Examples of this are DDoS (distributed denial of service) attacks, spam, and phishing attacks.
If we look at it in an adversarial context, one side is asymmetrically advantaged compared to the other, and an economic solution to the problem cannot easily be found. Examples of this are spam, APT (advanced persistent threat) nation-state spying, and indeed cybersecurity itself.
We’ve already seen this risk or threat before, and similar systems are invented based on the same principles or with similar challenges. Examples of this are lessons not learned and replicated alongside new technology (mainframes, personal computers, cell phones, RFID, internet of things, drones, and so on).
The more we use something, such as a technology, the more reliant on it we become. No better example exists than the incident now known as “The First Internet War” in Estonia in 2007. Following the fall of the Soviet Union, Estonia created its infrastructure from scratch based on the internet. Thus, when its internet came under attack, it was a threat at a national level.
How many people use the system? How many will likely use it in the future?
“The right to have access to every building in the city by private motorcar in an age when everyone possesses such a vehicle is the right to destroy the city.” – Lewis Mumford.
Looking into the future, a sample threat still largely ignored today is biological and medical devices. In 2007, I gave a talk on the subject of how biological devices and, later on, genetic engineering could become huge threats and what techniques we could use to combat them. I was not the first one to do so, but I was an early canary, having come from the trenches.
I learned that we can easily predict future threats, but can rarely imagine future solutions. Today, there are industry and government groups discussing the threat, yet it is largely an unacknowledged issue.
It will be years yet before devices are prevalent enough to be considered infrastructure, and for large-scale attacks to occur, before this particular threat will garner real attention. Will it be too little, too late? What level of funding would have to be thrown at the problem then, as opposed to now?
Perhaps, the issue is focus rather than funding.
It seems like the basic economic rule is one of the most common human cognitive biases: hyperbolic discounting. This is the tendency to overvalue a present reward and undervalue a future reward, even if it is larger (such as eating a burger now; rather than focusing on benefit to future health of not eating that burger).
The canary I find truly useful for discovering threats is private groups forming to counter a threat when governments do not. Even now, with the billions invested in cybersecurity, it is the experts, volunteers, and startup companies who work in the trenches and help resolve the issues. It is private individuals and venture-funded companies who usually bring to light the risks, and who create solutions for them.
It takes decades for governments to catch up and the process can be destructive. The most recent example of this is the WannaCry ransomware worm; private sector individuals were the ones who helped stop the spread of the attack.
Cybersecurity will never disappear as a problem, but I hope that in this coming decade it will shift from an asymmetrical field where we can barely stop the tide, to a maintained equilibrium like with regular crime.
My own startup company, Cymmetria, acknowledged by the World Economic Forum as a 2017 tech pioneer, is working towards this goal of shifting the asymmetry of cyber by changing the economics of attack and defence.
Instead of looking for endlessly changing attacks, we look to the attackers’ methodology and control what information they have, so as to control them. We enable organizations to protect themselves once an attacker breaches their network, removing the element of uncertainty in detecting the attackers, monitoring them, and kicking them out.