On the inevitable failure of cyber security
27 Jun 2017


While the Australian Government’s Cyber Security Strategy contains many good initiatives, the government’s narrative needs to evolve to account for inevitable failures. Current government rhetoric is decidedly inconsistent: cyber espionage is alive and well, yet at the same time the data of the Australian people is safe and secure.

The Prime Minister has spoken about the importance of meaningful conversations about cybersecurity, but that narrative clearly has some internal inconsistencies and isn’t a realistic or nuanced message. As the Australian Public Service, business and the broader community raise their levels of cyber sophistication, we need to continually reframe government communications to push real cyber resilience.

Services delivered over the internet are exposed to several interesting asymmetries that all but guarantee that there’ll be cybersecurity failures of consequence. Imagine a hypothetical government IT project (let’s call it ‘Project ORCA’) that aims to provide a perfectly secure government portal to deliver vital services to the Australian public.

Our first asymmetry is that the teams building online services have only finite time to deliver their products. This is a good thing, as we want IT projects to be delivered, and infinite timelines aren’t helpful (even though that can feel like standard practice in government at times).

By contrast, malicious actors (baddies and hackers) on the internet are not time bound; their time horizon is effectively infinite. ORCA, for example, while built over a relatively short time, will be exposed to attack for the rest of its working life—which may run from years to decades. A successful attack on ORCA can be damaging to the government at any time throughout its life.

Second, teams building online services have limited skills and capabilities. The Project ORCA team is limited to the pool of skills available within the team. The very best we can hope for is that it implements the best possible solution at that point in time. But even this best-case scenario isn’t good enough.

Malicious actors can not only access the state of the art at the time when ORCA is built, but are also able to use new vulnerabilities that are discovered after the service has been delivered. In a very real sense, the Project ORCA team is trying to defeat hackers from the future!

Third, the ORCA team is focused on delivering only what it uniquely adds, building on the best frameworks and architectures available at the time.

Malicious actors, however, can attack not only what the ORCA team builds directly, but all the software and hardware that ORCA relies on and is connected to. The Project ORCA team can deliver its project perfectly, but the security of ORCA overall can still be undermined by factors outside the team’s control. In recent years, for example, there have been several very severe bugs that have affected internet services in totally unexpected ways, and Project ORCA can’t mitigate that class of threats.

Although this sounds pessimistic, it is broadly understood in private industry: breaches are common and inevitable, and there’s a very real focus on resilience and recovery. The cyber-mettle of an organisation isn’t measured by whether the organisation suffers a compromise, but by how quickly the compromise is discovered, how well it’s contained, and how effectively it’s cleaned up.

Government’s current narrative is focused on implementing the ‘Essential Eight’. These are the eight highest priority actions from the Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents that help prevent cybersecurity breaches. The Essential Eight grew out of what were initially branded the ‘Top Four’, and when implemented will prevent a large majority of cyber intrusions that the ASD currently sees.

Even when these strategies are implemented, however, they are still only mitigation strategies. That is, they make things less bad than they were before. They aren’t a guarantee that security is perfect; they are just the first steps to take when your security baseline is very bad.

Real security doesn’t consist of implementing the ASD’s Top Four mitigations, and then a year or two later expanding that to the Essential Eight. Real security is the ongoing work that arises from an acceptance that failure is inevitable: understanding your network; detecting and investigating anomalies; patching, monitoring and alerting; clean-up, backup and disaster recovery.

The Prime Minister has spoken about the importance of meaningful conversations about cybersecurity events. But by denying the scope of the problem our political leaders are preventing the meaningful conversations that they desire and lulling us into a false sense of security. The conversation needs to change to account for the inevitability of failure.