The Long Game in Cybersecurity
Keeping Up With Increasingly Complex Risk
This article originally appeared in Forbes.
I have followed the evolution of cybersecurity for almost three decades. The one constant is that as quickly as the underlying technology advances, so, too, does the cyber threat.
To understand how things might play out in the coming years, I spoke with four cybersecurity experts, each of whom brings a different lens: a national security leader; a pioneering technologist; a veteran CISO inside one of the most sophisticated technology companies; and a prominent cryptography professor whose students will invariably shape the course of the field.
They are unified on one point: cybersecurity has never been more central and more complex. No one can afford to fall behind.
The National Security Dilemma
Richard A. Clarke’s experience in cybersecurity and counterterrorism stretches across three decades of service at the State Department, the Pentagon, and as counselor to three US presidents. Today he remains an indispensable advisor to countries and businesses on cyber risk and one of the preeminent thought leaders in the space.
As a national security matter, Clarke believes the US government is well-organized for cyber defense, but persistently falls short of providing adequate funding. In a recent conversation with me, he suggested that most informal, criminal hacking organizations around the world could probably be shut down by a combination of the NSA, CIA, FBI, and Cyber Command – “if only the US was willing to expand the resources it now devotes to counter-cyber warfare.”
Nation-state cyber terror is a different issue. “Iran, Russia, China all have cyber vulnerability. But so do we,” he points out. In the current conflict between Russia and Ukraine, he worries that every non-cyber move by the US – say, shutting down Russian access to the SWIFT messaging system – could trigger a damaging retaliatory strike against US critical infrastructure.
“The problem is that we don’t know how to handle the escalation of cyber warfare between countries,” he told me.
New strategies need to be developed. He cites the 1965 seminal work by strategist Herman Kahn, On Escalation, which addressed how major powers could contain and manage the risks of nuclear conflict. “We need a similar roadmap for managing escalation in cyber attacks.”
Clarke’s concern for businesses is a repetition of the SolarWinds attack that went undetected for months. “The biggest threat to most companies is a cyber attack that comes through the software supply chain. That’s what happened to SolarWinds. Today, every company gets a staggering number of software updates every month.”
Companies are vulnerable with no clear place to seek help.
“The US government would likely come to the aid of a major defense contractor hit by a cyber attack,” Clarke said. “Large banks might also expect support. But other companies need more clarity about whether or when US government resources would be deployed to help them recover from an attack.”
The Problem of Cybersecurity Complexity
Nir Zuk, the legendary founder and CTO of Palo Alto Networks, remains frustrated by a fundamental truth of cybersecurity: customers have no credible way of knowing whether the products they’ve purchased actually work. Failures are only discovered after an attack has breached their security.
Zuk believes this is one reason why cybersecurity conversations have moved up the ladder of the enterprise hierarchy, from engineers to the CISO to the CEO and the board. He sees growing awareness at all levels of business that simply buying the latest vendor “solution” is no longer a viable strategy. Enterprises must understand why cybersecurity is growing both more sophisticated and more difficult to manage.
According to Zuk, operationalizing cyber systems is the bottleneck. Customers can’t keep up with the volume of information generated by cloud and machine learning technology. An alert about a potential breach might show the whole chain of the attack, stretching back into the architecture of the interconnected components in the cloud. “It’s very hard for any human to absorb and respond to all that information,” Zuk says.
This dynamic makes automation of security crucial and inevitable. But Zuk worries most vendors and companies will get it backwards. Rather than “adding one more automated feature to human tools,” he advocates thinking about automated security the way Tesla thinks about autonomous driving: first create the autonomous products, then add the human factor.
Two threats concern him. First, ransomware continues to spread with impunity. No foolproof system exists against an attacker who only needs to be lucky enough to breach your system once. The best antidote, he argues, is to turn the tables by focusing on how to detect an attacker who has already penetrated the system; that’s when the attacker must hide 100% of the time.
But he quickly concedes that a good backup and data protection plan may still be the best strategy.
Supply chain attacks are the second major threat. They are hard to prevent because the enterprise that is victimized is not the first target of the attack. Instead, hackers go after the vendors in its supply chain, which is exactly what happened in the SolarWinds attack.
The problems, Zuk believes, are knowable. The challenge is how companies will respond.
The New Corporate Imperative
Phil Venables was already an established and highly respected figure in cybersecurity when he joined Alphabet as Google Cloud CISO. He spent over two decades at Goldman Sachs as both CISO and chief operational risk officer.
When he looks at today’s risk landscape, he sees many companies still thinking about cybersecurity the wrong way. “Companies are rushing to invest in cyber software without modernizing their underlying technology,” says Venables. “They are effectively trying to build a fortress on sand.”
Venables argues the cloud should be viewed as a “digital immune system.” He concedes this may sound self-interested for Google’s Cloud CISO. But his case is hard to refute.
Writing recently in Forbes, he described the cloud’s persistent ability to update, adapt, and respond to shifting threats as “an accelerating feedback loop” for enterprise IT leaders.
In the coming years, both executives and corporate directors will need to become more sophisticated, Venables believes. Not about the technology itself, but about how to build security into products and processes. Venables argues that business leaders should be prepared to talk about the digital underpinning and security of a product just as knowledgeably as they would about supply chains or customer relationships. “Think about secure products, not security products.”
Venables proposes an exercise for a board. Instead of quizzing CEOs and their teams about patch updates or the latest security scanners, directors should ask simply how often the organization updates its software. Not long ago, IT teams boasted about quarterly updates. Venables says that leading-edge companies are typically updating software multiple times a day, or more. That’s the reality of an agile approach to cybersecurity.
The Next Frontier
Dan Boneh is a leading professor in applied cryptography and the co-director of Stanford’s computer security lab. He enjoys a distinct advantage in the world of cybersecurity: he sees what new problems fascinate his students.
Not surprisingly, they are gravitating to a set of problems around blockchain security. One involves the scalability of cryptocurrencies such as Bitcoin or Ethereum, which currently are restricted to conducting about 15 transactions a second. As demand goes up, this limitation is causing transaction fees to rise. The research question is how to move far beyond the limit of 15 transactions per second without compromising the integrity of the system.
The other security issue with blockchain is privacy. While the virtual ledger offers efficiency and accountability for all types of enterprise transactions, the very nature of blockchain requires that the information can be viewed by others. This is a challenge for companies that want to pay suppliers or even employees through a blockchain system. Researchers are exploring how this can be done securely, without compromising competitive or personal information.
Boneh and his students are also focused on a threat that he believes remains overlooked by most enterprises: adversarial machine learning. For some time, engineers have been refining machine learning algorithms so that a robot or a vehicle can reliably recognize patterns: say, defects in a product or the difference between a stop sign and a yield sign. But Boneh points out that “a growing number of results show how to attack these models.”
Some are breaking into the training data algorithms that make machine learning possible. Others are extracting the model and effectively stealing it so that those with malicious intent can query it for the purpose of infiltration. As machine learning becomes more essential to advanced business operations, a new front of vulnerability opens.
He sees other technical vulnerabilities in the world of cyber defense: how to secure code repositories such as GitHub or how to protect package management systems that automate the uploading and updating of software.
The fundamental problem, he argues, is that “the security industry is reactive. It is always focused on last year’s problems.” His research and students are a valuable counterweight to that tendency.
Cybersecurity Remains Foundational
While each of these experts has a distinct vantage point, they affirm that, in the midst of much technology innovation, cybersecurity remains foundational, growing, and increasingly complex.
As they point out, AI and machine learning, the balance of security and privacy, the vulnerability of supply chains, the growth of the cloud and blockchain, and the demand for automation are fueling frenzied activity in this space.
We see it in venture capital. During the past two years, there has been a surge of entrepreneurs with new approaches to cybersecurity, and nearly all of them are magnets for capital. Barely a day goes by when I don’t hear from a fledgling cyber start-up. Today there are over two dozen pure-play cybersecurity companies that have gone public. More will inevitably follow. The demand is unrelenting.
The reasons are obvious. Cybersecurity has become a kind of virtuous circle. At one time, a breach of a legacy server inside a corporation was disruptive, but its consequences were limited.
In a world increasingly dependent on interconnected services and users, any single breach has deep ramifications and the potential to create havoc.
Cybersecurity remains a long game.
(Disclosure: Greylock is a founding investor at Palo Alto Networks and I am on the company’s board of directors.)