
Nature vs Nurture - Is Bad Cybersecurity in Our DNA?

Einstein is often quoted as having said that insanity is doing the same thing again and again and expecting a different result. When it comes to cybersecurity, based on that definition, we must all be insane. 

Whether mainframes, desktop PCs, networked computers, the cloud or the Internet of Things (IoT), we somehow manage to repeat the same mistake of trying to bolt on security in retrospect, even though we already know the outcome, and even though the potential for damage grows exponentially with each iteration of the technology cycle.

In the beginning it was viruses, transferred via floppy disks by hand and only affecting one PC at a time. Then came network worms; the first example, the Morris Worm in 1988, knocked out nearly 10% of the then-nascent internet. These propagated by themselves, greatly amplifying the potential for damage.


Next came internet botnets, infecting large swaths of improperly secured systems and allowing adversaries to launch the first distributed denial of service attacks. These ushered in the era where someone else’s bad security practices could impact others whose systems were properly secured. Botnets have now been ported to the IoT world, with the potential to dwarf the previous generation of botnets due to irresponsible vendor security practices. To borrow another term from biology, good security depends on herd immunity.

To top it all off, even our own intelligence services have started to contribute to the collective insanity, apparently having learned nothing either, making the term “Intelligence Services” sound like an oxymoron when it comes to responsible disclosure. We now have nation states meddling in elections and the first examples of cyberattacks breaching the kinetic barrier.

We can’t hide behind the excuse that we weren’t warned. Our industry is full of Cassandras, damned to be prophets of doom that no one listens to. I’m on the record, like many others, for promoting improved regulation, legislation and assigning liability to software vendors with a disproportionately bad security track record. Instead of fixing the root cause of the problem, directly in the supply chain, we kid ourselves into thinking that all we need is a shiny new toy to magically undo all our technological missteps and mitigate our failures to follow best practices.

The latest silver bullet is Artificial Intelligence (a misleading and damaging marketing buzzword if there ever was one, but that’s another story altogether). Before that it was Sandboxing, and before that Intrusion Protection Systems. The claims are always the same, as are the results, bringing us right back to insanity.

WannaCry is just the latest example. The community as a whole came together really quickly to disseminate information about the incident, and to provide advice and guidance on how serious a threat it was and what to do to protect against it. Sadly, many in our industry instead saw this as a prime opportunity to dish the dirt on adjacent technologies and competitors, and to inundate organizations with sales pitches rather than the helpful information they were seeking.

Vulture marketing at its best, sowing Fear, Uncertainty and Doubt, and espousing the benefits of artificial intelligence, machine learning, cognitive something or other… to organizations that don’t even have the budget or technical resources to upgrade their legacy systems and patch devices. This is of course like Marie Antoinette exclaiming “let them eat cake!” when the French peasantry was starving and had no bread.

This begs the question: are we really all lunatics, or is bad cybersecurity in our collective DNA? Is this based on nature or nurture? Otherwise it is difficult to rationalize why we repeat the same mistakes in each new technology generation.

There is a select group of organizations that do a good job of securing their digital systems, and there are also software vendors that have a comparatively low number of vulnerabilities compared to their peers. They are rare to be sure, but they do exist. In the case of WannaCry, what was far more interesting than how many companies were hit was how many weren’t. Hyperbole and sensationalism aside, most businesses were not directly affected and overall did a good job of preventing the worst.

So we can safely rule out Nature. It’s apparently not genetic. If approached with the right skills, mindset and understanding of the problem, good security is feasible, despite having to compensate for a supply chain that externalizes sloppy secure development practices in the name of profit. It appears to be nurture.

Stretching the biological analogy a little further, a new trend in the field of genetics is called Epigenetics, defined as “the study of the modification of changes to an organism based on gene expression, rather than the alteration of the genetic code itself”. Simply put, how genes express themselves is based on environmental circumstances and conditions. To provide an example: gene expression changes with age. A simple genetic marker, DNA methylation levels, tells the body how old we are and changes the way that our genes express themselves.

We can take inspiration from this new biological discipline, and we can apply some of its premises to our own predicament. In our case though, instead of genes, we must look at corporate culture and governance, market regulation and even how we conduct geopolitics to change how we approach cybersecurity. We must also look to other industries, like aviation or automotive, to understand how they regulated safety and security effectively and still stayed profitable and competitive.

The argument that this is not achievable is moot. Perfect security is not achievable, we all know this. But there is a difference between perfect security and bad security by design. Improvement is possible and desirable. Complexity is usually cited as an excuse, but falls flat in the face of the fact that the aviation industry has a complexity factor that would boggle most people’s minds.

Philosophical objections to regulation aside, we regulate almost everything else. The question is only to what degree and how.

The increasing cost of security is becoming unsustainable. We need to acknowledge that technology has become a critical foundation for our modern world instead of pretending that we are still building toys in garden sheds. People’s lives and the future of nations depend on it.

Oliver Rochford is the Vice President of Security Evangelism at DFLabs. Oliver is a recognized expert on threat and vulnerability management as well as cyber security monitoring and operations management. He previously worked as research director at Gartner. He has worked as a security practitioner and white hat hacker for Tenable Network Security®, HP Enterprise Security Services, Verizon Business, Secunia® (now Flexera Software), Qualys®, and Integralis (now part of NTT Com Security).