SecurityWeek

Management & Strategy

Nature vs Nurture – Is Bad Cybersecurity in Our DNA?

Einstein is often quoted as having said that insanity is doing the same thing again and again and expecting a different result. When it comes to cybersecurity, based on that definition, we must all be insane. 

Whether mainframes, desktop PCs, networked computers, the cloud or the Internet of Things (IoT), we somehow manage to repeat the same mistake of trying to bolt on security in retrospect, even though we already know the outcome, and even though the potential for damage grows exponentially with each iteration of the technology cycle.

In the beginning it was viruses, transferred by hand via floppy disks and affecting only one PC at a time. Then came network worms; the first example, the Morris Worm of 1988, knocked out nearly 10% of the then-nascent internet. Worms propagated by themselves, greatly amplifying the potential for damage.

Next came internet botnets, infecting large swaths of improperly secured systems and allowing adversaries to launch the first distributed denial of service attacks. These ushered in the era where someone else’s bad security practices could impact others whose systems were properly secured. Botnets have now been ported to the IoT world, with the potential to dwarf the previous generation due to irresponsible vendor security practices. To borrow another term from biology, good security depends on herd immunity.

To top it all off, even our own intelligence services have started to contribute to the collective insanity, apparently having learned nothing either, making the term “Intelligence Services” sound like an oxymoron when it comes to responsible disclosure. We now have nation states meddling in elections and the first examples of cyberattacks breaching the kinetic barrier.

We can’t hide behind the excuse that we weren’t warned. Our industry is full of Cassandras, damned to be prophets of doom that no one listens to. I’m on the record, like many others, for promoting improved regulation, legislation and assigning liability to software vendors with a disproportionately bad security track record. Instead of fixing the root cause of the problem, directly in the supply chain, we kid ourselves into thinking that all we need is a shiny new toy to magically undo all our technological missteps and mitigate our failures to follow best practices.

The latest silver bullet is Artificial Intelligence (a misleading and damaging marketing buzzword if there ever was one, but that’s another story altogether). Before that it was sandboxing, and before that intrusion prevention systems. The claims are always the same, as are the results, bringing us right back to insanity.

WannaCry is just the latest example. The community as a whole came together really quickly to disseminate information about the incident, and to provide advice and guidance on how serious a threat it was and what to do to protect against it. Sadly, many in our industry instead saw this as a prime opportunity to dish the dirt on adjacent technologies and competitors, and to inundate organizations with sales pitches rather than the helpful information they were seeking.

Vulture marketing at its best, sowing Fear, Uncertainty and Doubt, and espousing the benefits of artificial intelligence, machine learning, cognitive something or other… to organizations that don’t even have the budget or technical resources to upgrade their legacy systems and patch devices. This is of course like Marie Antoinette exclaiming “let them eat cake!” when the French peasantry was starving and had no bread.

This raises the question: are we really all lunatics, or is bad cybersecurity in our collective DNA? Is this nature or nurture? Otherwise it is difficult to rationalize why we repeat the same mistakes in each new technology generation.

There is a select group of organizations that do a good job of securing their digital systems, and there are also software vendors that have a comparatively low number of vulnerabilities compared to their peers. They are rare to be sure, but they do exist. In the case of WannaCry, what was far more interesting than how many companies were hit was how many weren’t. Hyperbole and sensationalism aside, most businesses were not directly affected and overall did a good job of preventing the worst.

So we can safely rule out Nature. It’s apparently not genetic. If approached with the right skills, mindset and understanding of the problem, good security is feasible, despite having to compensate for a supply chain that externalizes sloppy secure development practices in the name of profit. It appears to be nurture.

Stretching the biological analogy a little further, a new trend in the field of genetics is called epigenetics, defined as “the study of the modification of changes to an organism based on gene expression, rather than the alteration of the genetic code itself”. Simply put, how genes express themselves depends on environmental circumstances and conditions. To provide an example, gene expression changes with age: a simple genetic marker, DNA methylation level, tells the body how old we are and changes the way our genes express themselves.

We can take inspiration from this new biological discipline and apply some of its premises to our own predicament. In our case though, instead of genes, we must look at corporate culture and governance, market regulation and even how we conduct geopolitics to change how we approach cybersecurity. We must also look to other industries, like aviation or automobiles, to understand how they regulated safety and security effectively and still stayed profitable and competitive.

The argument that this is not achievable is moot. Perfect security is not achievable, we all know this. But there is a difference between perfect security and bad security by design. Improvement is possible and desirable. Complexity is usually cited as an excuse, but that falls flat in the face of the fact that the aviation industry has a complexity factor that would boggle most people’s minds.

Philosophical objections to regulation aside, we regulate almost everything else. The question is only to what degree and how.

The increasing cost of security is becoming unsustainable. We need to acknowledge that technology has become a critical foundation for our modern world instead of pretending that we are still building toys in garden sheds. People’s lives and the future of nations depend on it.

Written By

Oliver has worked as a penetration tester, consultant, researcher, and industry analyst. He has been interviewed, cited, and quoted by media, think tanks, and academia for his research. Oliver has worked for companies such as Qualys, Verizon, Tenable, and Gartner. At Gartner he covered Security Operations topics like SIEM, and co-named SOAR. He is the Chief Futurist for Tenzir, working on the next generation of data engineering tools for security.
