Monday, April 9, 2012

A Cyber Security Industrial Complex?

Dwight Eisenhower is one of my heroes. Yep, I said it right here and now. His speech on the military-industrial complex is only now being appreciated. It was done 50 years ago and is still relevant today. Why am I bringing this up and what does this have to do with cybersecurity?

I did a SANS Lightning talk this past month and when I was researching material for the talk, I stumbled across some reference material from 2001 called "Top 10 Security Mistakes" (http://www.computerworld.com/s/article/61986/Top_10_Security_Mistakes). They were:

1. The not-so-subtle Post-it Note.
2. We know better than you.
3. Leaving the machine on, unattended.
4. Opening e-mail attachments (remember the Love Bug virus?) from mere acquaintances or even strangers.
5. Poor password selection.
6. Loose lips sink ships.
7. Laptops have legs.
8. Poorly enforced security policies.
9. Failing to consider the staff.
10. Being slow to update security information.

Take a look at this list and tell me which of these mistakes we have eliminated in the past 10 years. If you come up with an answer of "none", then the follow-up question would be "what have we been doing these past 10 years?"

I found another slide from a 2002 presentation I did where I made the following statement:

"Viruses, trojans, rootkits will never be eliminated because we've created a multi-billion dollar industry to combat them. If we eliminate the root causes of cyber attacks, we eliminate a multi-billion dollar industry." I believe there's no economic incentive to eliminate these root causes. Or to put it another way, there is a strong economic incentive to NOT eliminate the root causes of cybersecurity attacks.

Now, mind you, I've been an active part of the Cyber Security "industry" for the past 20 years. I helped write the original SANS/FBI Top 10 Internet Threats document back in 2000. Part of my job is to measure the effectiveness of our defense strategies. If I use this 2001 list to examine our effectiveness industry-wide, I think that while we've made some progress, we (the collective we) have failed miserably.

Alan Paller talked about the 4 quadrants of cybersecurity: Academic Security Researchers; Hunters/Tool Builders; Operators/Testers who monitor IPS, IDS and pentest tools; and Audit/Policy/Compliance workers. The largest of these quadrants is the Audit/Policy/Compliance group, which seems a little backward to me. We're focusing on compliance instead of actually fixing the problem. We need to train and develop more people in the Hunter/Tool Builder category so that we have a chance at fixing the root causes of cyber attacks, one of which is insecure code.

And so we come back to President Eisenhower's speech. We're seeing the militarization of cyberdefense. Defense contractors who used to specialize in tanks, helicopters, jets, advanced weaponry are retooling to become cybersecurity "experts". We're seeing a lot of money being spent to defend/monitor instead of fixing the root causes.

Are there parallels between the complex of the 60's and the "complex" of the 201x's? Take a look at a recent NPR article on Eisenhower's speech and see if you can draw the parallels. It's at http://www.npr.org/2011/01/17/132942244/ikes-warning-of-military-expansion-50-years-later.
More on this later...