Imagine that under some bizarre set of circumstances, a local high school football team is forced to compete against the New England Patriots. Imagine further that the victory stakes for these teenagers are enormous, perhaps even life or death. Let’s complete this nightmare situation with an understanding that the NFL team will not let up one inch. They will play full throttle, no-holds-barred, and they will hit – hard.
If you are the coach, the superintendent, or the mayor – what would you do? Any thoughts of calling this ridiculous mismatch off must be forgotten; the game will be played, and the stakes will be consequential. So, what would you do? How would you address these unfair odds? Sadly, this ridiculous scenario perfectly illustrates the challenge of cybersecurity teams when dealing with nation-state actors.
This mismatch can be understood by examining the evolution of the corporate information security profession. Just as personnel departments have evolved from typists creating employee badges, information security departments have similarly progressed from technicians putting anti-virus software on PCs.
Unfortunately, while the personnel team has blossomed into a vibrant (and renamed) Human Resources team with its top executive reporting directly to the CEO, most data security teams are stuck, led by a middle-management executive called the Chief Information Security Officer or CISO. The CISO is generally viewed by the CEO as unfit for any other position, and is often fired when a breach occurs.
Most CISO-led teams are staffed and funded to deal with a so-called reasonable adversary. That is, their programs were designed to detect basic hacking, using common tools such as perimeter controls, anti-malware software, and identity systems. Larger programs in banks and telecom firms might super-size these components and introduce fancier tools, but the emphasis is the same: It’s one high school team set up to deal with another high school team.
However, in enterprise cybersecurity, the adversary is no longer just the basic hacker. Instead, the CISO must now craft a new type of program to somehow stop well-trained, professional foreign military attackers from breaching their systems. The CISO has become, in a sense, a local civilian defense commander, tasked with handling cyber backlash when national leaders openly recommend more intense attacks against adversary nations.
Much of the above will not come as a huge surprise. That is, data security breaches have been increasingly common events, and everyone knows that nation-states sponsor a great number of these attacks. But the currently popular solution of imposing stricter compliance demands is akin to the local superintendent handing the football coach a formal proclamation that the Patriots be defeated – or else.
Compliance programs, such as the European Union’s emerging General Data Protection Regulation or GDPR, certainly have their place. It is reasonable, for example, to demand that users be offered easy-to-read details of business policies put in place by a data handler. Bad privacy policies are unacceptable, and regulating their details is reasonable. But compliance requirements do not address cybersecurity breaches. In fact, they can often make things worse.
Let’s return to our high school football analogy: To deal with the upcoming Patriots game, suppose that the superintendent develops compliance controls that the local coach must follow during the game. Auditors will ensure that if these controls are violated, the coach will be personally fined and fired. But in a bizarre twist, the compliance controls will be published for all to see – including the Patriots! Compliance is public; the adversary gets to see your plans.
Overly strict compliance controls with demanding documentation requirements bog down CISO-led teams in a nightmare of paperwork and administrative processes. Furthermore, they stymie creative cyber defenses, particularly after a compliance project has been completed. Who, for example, would ever recommend network or system adjustments after a network has been certified? The result is a basic paralysis that leads to architectural stagnation.
The Solution Has Three Elements.
First, we must begin to untangle CISO-led teams from the barrage of compliance requirements they are asked to support. The GDPR, for example, can get in line behind dozens of other controls such as NIST 800-53, PCI-DSS, and HIPAA that are currently bogging down enterprise cybersecurity teams. Stricter compliance is simply not the answer to data breaches.
Second, enterprise CISOs must be elevated to more senior positions with greater power and leadership. They should be selected based on their ability to run a complex organization, rather than their ability to write rules for an intrusion prevention system. CISOs should be funded as purveyors of civil defense, rather than as the handlers of trivial awareness messaging for sloppy employees. And they should only be fired after a breach if they deserve it.
Third, enterprise leaders must recognize that the entire business enterprise must be completely redesigned, with different policies, systems, and third-party support to stop nation-state attacks. The cloud, for example, should be viewed as helping rather than hurting cybersecurity. Again, consider your high school coach: To defeat the Patriots, major changes in personnel, practice, and technique would be required. The whole program would need to be overhauled.
By the way, it would be nice to imagine that perhaps negotiating with nation-states might solve this cyber problem. But security experts have observed for years the so-called Roger Bannister effect for cyber-attacks. That is, just as the four-minute mile opened the door for others to easily pass that time, nation-state sponsored cyber-attacks have opened the door for many others to do the same. They open the floodgates, by example, for less capable hacking teams.
Let’s hope that in the coming years, particularly as the GDPR ecosystem begins to levy massive fines on breached companies ill-equipped to deal with the types of threats being directed at them, we will take a moment and reflect: Compliance does not stop data breaches; only revamped cybersecurity programs can do that. And if the CISOs tasked with protecting our data are underserved, then you can be certain that all of us will be underserved as well.