July 26, 2019

FUD and the Infosec Zombies

Every week brings new headlines about cyber attacks and security vulnerabilities affecting millions of consumers and businesses around the world. In recent years the pace of government leaks and ransomware attacks appears to be accelerating alarmingly. Everyone, from the Luddite to the technophile, is concerned that their personal and professional data is at risk. And once a new or perceived threat becomes known, it is next to impossible to kill the hype attached to it, creating InfoSec zombies that are free to run rampant through our collective consciousness. The question, therefore, is this: is the current level of InfoSec angst justified, or is there a calculated policy of scaremongering designed to sell us unnecessary or inflated cybersecurity products?

The Cyber-Umbrella

The word cyber is pervasive, ubiquitous, omnipresent: cyber-bullying, cyber-crime, cyber-stalking. The public and private sectors of almost every economy, and the individual citizens living in them, are consumed by the sense that this all-encompassing cyber-reality somehow underlies all the ills of the world. If it has cyber in front of it, it is malicious. This is not surprising in a climate where it pays to have a tie-in to cyber. Program managers, in both the public and private sectors, know that the way to sidestep the budget chopping-board is to name a project or product 'cyber-something.' Robert Hale, former Department of Defense (DoD) comptroller, highlighted this issue, stating:

We tried to capture it all, but I’d say there’s a gray area here in what counts as cyber.

Unsurprisingly, the top tiers of corporations and state departments are at a loss as to what constitutes a cyber threat, and they farm the problem out to private cyber-security companies with a vested interest in maintaining the skittish status quo. Even NATO is scratching its head for a concrete definition of a cyber threat. In 2014, NATO leaders determined that a large-scale cyber attack on one member would constitute an attack on the entire alliance and could, therefore, provoke a military response. Notwithstanding this bold pronouncement, NATO has yet to agree on a standard protocol for determining what such an attack would look like.

Zombie Pathology

At the root of the cyber-security issue is a simple truth: the number of personal and corporate data breaches is increasing. A 2018 study from Juniper Research estimated that cybercriminals will steal approximately 33 billion records in 2023, a 175% increase on the figure estimated for 2018, and that cumulative data loss by the end of that period will exceed 146 billion individual records. Despite these frightening figures, small private businesses make up a mere 13% of the cybersecurity market. Constrained by limited budgets and limited access to cutting-edge cybersecurity research, small businesses simply cannot afford to spend big in this area.

The big money is at the state level, where seemingly limitless budgets are allocated to addressing an often misunderstood, frequently inflated cyber-menace. As Dr. Ian Levy, technical director at the UK's National Cyber Security Centre (NCSC), puts it:

If you’re told that cybersecurity attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it you’re going to have a fear response. And that’s where we are today. The security companies are incentivized to make it sound as scary as possible because they want you to buy their magic amulets.

State agencies and large-scale industries, entrusted with the safety of their citizens' and customers' data, are deciding that the sky is the limit when it comes to cybersecurity spending. Recent research from Cybersecurity Ventures forecasts that global spending on cybersecurity will exceed $1 trillion between 2017 and 2021. Cybersecurity contractors are more than happy to enter the fray, contributing their 'wisdom' and their products to the cause of protecting our online data, all the while capitalizing on the fear associated with anything 'cyber.'

Run for the Hills?

Overselling the threat of cyber attack creates confusion and fear; it could even lead to military action. Dr. Dan Leavy says:

The fact is, more squirrels have taken out power around the globe than any hacker has to date. It is not even close. Yet, the fragile ‘House of Internet Things’ we are rapidly building is full of risk. That risk has to be managed in the light of reality…The reality is that business relies on its professionals to act as such. If there is a real risk, we need to attack it. If there is perceived risk, we need to evaluate it.

Managers and senior officials must bone up on the technology they are using. They must ensure that their departments have the requisite technical knowledge to see the hype for what it is and to meet real threats head-on. The most effective means of defense is knowledge. As Drew Koenig, security solutions architect with Magenic, says:

Know what your security problems are before you look at vendors to solve them. Only a business knows what problems you have ― a guy in a booth or cold calling you shouldn’t tell you what problems they think you have.

Is ramping up alarmism really in the public interest? Ultimately, continuous overexposure to cyber-threat hyperbole breeds cyber-cynicism: we become so desensitized to the real dangers that we fail to shore up our defenses in real and practical ways. If we allow ourselves to feel helpless in the face of perceived, persistent attacks, we diminish our power to tackle the genuine threats.