C. Warren Axelrod

Cybersecurity is Failing—Time for a Reset?

When you read what’s happening in cybersecurity, you could cry. We are being bombarded with cybersecurity fails. Recent egregious examples are Equifax and Capital One. To quote an August 2, 2019 article by Tom Foremski “A dismal industry: The unsustainable burden of cybersecurity” which is available at https://www.zdnet.com/article/a-dismal-industry-the-unsustainable-burden-of-cyber-security/ :

“Cybersecurity spending is the fastest-growing segment in IT budgets, but it provides no productivity gains or protection against more advanced exploits.”

I do not support the first claim of “no productivity gains” since we Infosec professionals have long asserted, I believe correctly, that strong cybersecurity is an enabler, allowing companies to deploy applications and systems that would otherwise not be feasible because of their inherent vulnerabilities.

But I do agree with the second claim of inadequate protection, as highly-visible successful exploits in critical sectors have demonstrated. The real question is whether it is indeed possible to provide strong enough protection. Perhaps it is not possible. And if not, how do we then proceed?

Foremski’s gloomy article comprises a report on a cybersecurity panel discussion at “Finn Partners in San Francisco.” Experts from NASDAQ, Redseal, Kount, Centrify, the FIDO Alliance and Keeper Security expounded on attacks and mitigation approaches. We see the usual suspects and remedies.

Durgesh Gupta of NASDAQ faults lack of government help for smaller organizations and disinterest by law enforcement in lower-level attacks. Ray Rothrock of Redseal suggests that increasingly sophisticated attacks require fast response and victim organizations should not cover them up. He said that prevention requires security guidelines and education. He also advises making Boards of Directors accountable, as with Sarbanes-Oxley, but dilutes his suggestion because he believes that fewer individuals will take on the responsibility.

Gary Servounts of Kount blames the added complexity of cloud-based systems. David McNeely of Centrify also faults cloud-based IT and suggests multi-factor authentication and building security into applications. Andrew Shikiar of the FIDO Alliance denounces passwords, but Craig Lurey of Keeper Security disagrees.

These issues and remedies have been around for decades, but seemingly to no avail. I have written often about them in this column and in articles and books. Yet we don’t see anyone with authority stepping up to the plate and taking on what is becoming a major existential threat.

It is time for a new approach, but what that should be is controversial, especially in an environment where denial is rampant. If it walks like a duck, and quacks like a duck, it’s a duck. If there is incontrovertible evidence of foreign interference in political systems, of attacks on critical infrastructure, and of the proliferation of unsupported claims in the news, then these are happening and must be addressed with immediacy and resolve.

Perhaps it is time to step back, take a deep breath, and truly determine what bad things are happening and how they should be corrected. I believe that we need to explain better the motives and motivations of all the players involved, and learn how these players interact, whether in cooperation or conflict, so that we can deploy effective protective measures comprising prevention, avoidance and deterrence. Until we do that, we are shooting in the dark and, as Foremski describes, we are missing the target time and time again.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*