Mike Burgess, Telstra’s Chief Information Security Officer, claims that attributing blame for cyberattacks is a ‘distraction’. It’s hard not to empathise with his views when, according to the Australian Centre for Cyber Security, 85% of the threat of intrusion could be mitigated by the implementation of baseline protection measures. Burgess also pointed out that while attributing blame is an important component of preventing attacks, attacks are too often discussed in amorphous and hyperbolic terms when their sophistication is described.
Burgess has decades of experience in intelligence and security and, unlike many others, is well past the future shock of cybersecurity. At present, the capability of actors to penetrate networks is increasing, as is their ability to do damage. If you ever want to induce a sense of utter helplessness in your CEO, just show them this raw feed of cyberattacks from Norse. The reality is that good intelligence on actors and their capabilities is fairly useless unless a company has a strong understanding of what it’s exposed to. Context is everything when it comes to raw data.
It doesn’t help that many leading cybersecurity researchers fail to discuss these events within their wider context, and many of the top cybersecurity programs treat the subject matter as an extension of computer science and engineering. To security studies, cybersecurity is one area, amongst a range of others, where threats exist in asymmetric terms. Authors are largely yet to work across these disciplines when discussing such threats. An example of this is found in Sandia’s work on Cyber Threat Metrics, which attempts to reinvent the wheel rather than work within the context of existing security threats. In Clausewitzian terms, cybersecurity is just security by other means. The literature on security, threat, perception, signaling and a range of other areas is sitting there waiting to be leveraged rather than reinvented.
There’s a great deal to be gained by discussing cybersecurity as an extension of existing trends. The relative youth of cybersecurity as a subject area means that it hasn’t yet been integrated into the wider literature. While that’s not unexpected it is something that needs to be addressed. In the early days of nuclear weapons, Oppenheimer had to reach for the Bhagavad Gita for an eloquent expression of future shock. Today’s cybersecurity researchers have no need to reach so far back for a meaningful comparison. Science transforming the security environment is nothing new: nuclear weapons were first discussed by the scientists that invented them, then by the military and then finally harnessed by statesmen. A similar thing is naturally occurring in cyberspace.
In reckoning with present trends, cybersecurity faces an uphill battle where opponents are increasing in capability and responses are uneven. While it is all well and good to proactively deter attack, if a company has a flat network architecture and never updates its software, it probably won’t do very much to limit exposure in the medium to long term. A few years ago US retail giant Target had invested over a million dollars in malware detection tools from FireEye. So despite possessing functioning notification tools, Target did nothing when they detected an attack. The breach compromised 40 million debit cards and the personal details of 70 million people, and cost the company more than US$146 million. Spending money on the right tool is useless if the company isn’t getting the basics right.
Another area of potential change is the ongoing debate over when to report an attack. Companies are not convinced that it will be to their benefit if they disclose attacks, and an increasing number in Australia don’t. Companies also fear a loss of confidence by investors if they disclose an attack. There’s presently a move in the European Union towards mandatory reporting. In 2013, PricewaterhouseCoopers estimated that in the course of a year some 93% of large British companies had suffered a cybersecurity breach. The same report lists the median number of breaches per company at 113 over the same period, with the average cost of a large company’s worst breach coming in at over £400k.
So we understand, to some degree, the context and scope of the threat. And while it’s a threat that’s increasing, the vast majority of cybersecurity conundrums are manageable at present. New methods of attack aren’t a distraction but they are a second order problem and ought to be treated as such. The first step is to recognise the risk and implement the already identified best practice strategies to manage the threat. Moving on from there, the second order debates of reporting, classifying threats and auditing systems will take place. Burgess is right when he notes that second order problems currently dominate the discussion, but can this be seen as a natural extension of the uneven development of cybersecurity as a field? Many companies, for their part, must work to escape the future shock—cyber threats are real but so are the basic strategies on how to manage the risks they pose.
Australia’s in a strong position to close the gap between awareness and response. Under Burgess, Telstra has proactively produced industry-based reporting on the present situation. Along with this, the Australian Cyber Security Centre was launched in November 2014. That same organisation has produced an unclassified threat report that represents a good first step. Finally, CERT Australia is attempting to develop the space between government and industry where effective collaboration can flourish.
Each of the organisations mentioned above has constructed the beginnings of a collective response to cybersecurity. Being overwhelmed by risks is an extension of not understanding their context. Australia is on a strong path to cooperatively and proactively respond to cyber threats if those problems are tackled in order and in a collaborative manner.