By Phil Reitinger
While there is a fair amount of FUD (fear, uncertainty, and doubt) in cybersecurity, there is less “fake news.” What we face is less made-up stories and more the blinding assault of the obvious masquerading as a new truth. I’ve decided to call these events “surprizez,” because they are not real surprises at all.
The most recent example is from Saturday, May 5. Warren Buffett, perhaps the most renowned investor in the world, said that “Cyber is uncharted territory. It’s going to get worse, not better[.]” With great respect to Mr. Buffett, duh. That prediction could confidently have been made a decade ago. I’ve been working in cybersecurity for over 20 years. Each year, every year, I could make one prediction: next year, things will be worse. I make it now for 2019. I am confident in telling you that at the RSA conference in 2019, I will make the same prediction for 2020.
The evergreen surprize is the headline “X suffers breach,” where X is the entity of your choice. The implication (or explicit statement) is “who could have expected this?” Answer – anyone and everyone. To be fair, as resignation sets in, more and more press reports contain some version of “These attacks come as no surprise to anyone who’s worked in intelligence[.]” (This by Joel Brenner of MIT on attacks on the power grid.)
Other surprizez include:
- A mistake happened in software or architecture that may have allowed sensitive data to leak or an attack to happen. See Twitter storing passwords in plaintext on an internal system.
- Despite extensive training, a user clicked on a link in a phishing email. “As long as humans have access to email, phishing will work.”
- Losses from cybercrime rose this year. (See above)
- A small business, which didn’t think it was a target, was attacked and went out of business. About two-thirds of attacks target small businesses, and 60% of those suffering a [successful] attack go out of business within six months.
My answers about what to do also will come as no surprise.
- Do something – real, concrete things, to reduce cyber risk.
- Treat cyber-insecurity as a significant homeland and national security risk, and invest resources and political capital to improve the situation.
- Build security into the Internet infrastructure and services so that individuals and businesses get security along with connectivity. This is a type of security solution that scales.
- Do the basic things as well and as rigorously as you can. That doesn’t stop sophisticated threats, but it gives you more bandwidth to hunt for them.