Sign in Subscribe

CYBER SECURITY HAS FAILED

Anthony S. Clark

5 min read
CYBER SECURITY HAS FAILED
CYBER SECURITY HAS FAILED

In my career in cyber security I've seen the creation of:

  • Firewalls
  • Anti-Virus
  • SSL & TLS
  • CVEs
  • SEIMs
  • VPNs
  • Vulnerability Scanners & Exploit Test Frameworks (like Metasploit)
  • Patch Management Systems
  • Intrusion Detection / Prevention Systems and Host Intrusion Systems
  • Malware Analysis & Incident Response
  • Penetration Testing, Red Teaming, and Adversary Simulation
  • The Penetration Testing Execution Standard
  • PCI
  • MITTRE ATT&CK
  • CVSS
  • Web Application Firewalls
  • SAST / DAST App Sec Testing
  • DLP and DRM
  • Threat Intelligence
  • EDR
  • Many classes of attacks from format strings to XSS
  • Memory protections such as DEP and ASLR
  • Zero Trust
  • MFA
  • Identity Providers
  • ML Classifiers
  • Security Frameworks (NIST CSF, ISO 27001, CIS Controls, CMMC)

And many more. I've been fortunate to have been a part of the creation of some of these.

You know what I haven't seen? A decline in intrusions. If anything, they have increased since the year 2000. The attack ecosystem has grown from viruses and worms, to ransomware, supply chain attacks, APT, and IoT/OT targeting with no signs of slowing down.

The following is a very rough conservative estimate (lots of ways to measure it) of the growth of the value (expense) of cyber security defense over time:

  • Year Estimated Value of Cybersecurity Market*
  • 2004 ~$3.5 billion
  • 2010 ~$16.5 billion
  • 2015 ~$75 billion
  • 2023 ~$219 billion
  • 2024 ~$190-240 billion
  • 2025 (forecast) ~$227.6 billion

The Identity Theft Resource Center gives us the following numbers for the last five years:

  • Year Number of Compromises
  • 2020 1,108
  • 2021 1,862
  • 2022 1,802
  • 2023 3,205
  • 2024 3,158

The number of victim notices in 2024 was up 211%.

Obviously this is just what's reported and tracked, not the full extent of the problem.

The Santa Fe Institute

I gave a talk and attended a private cyber security summit at the Santa Fe Institute many years back. The CSO of a major network vendor was there as well as C execs from many well known organizations. In one of the breakout sessions we were discussing who was making money from cyber attacks. We went down a chain something like this:

"Well the malware author makes money from who he sells it to."

"Yeah but the hacker makes more money deploying it and selling CCs and SSNs."

"Oh wait, the security vendors make way more money from selling the defenses than the guys doing the attacks. How do I get in on that racket? Oh wait, I AM in on it!" said the CSO.

Then I said: "But the banks make money on every transaction, from start to finish".

So we have invested billions of dollars, countless careers and resources, VC time and effort and the problem has only gotten worse. In any other industry this would be a major alarm bell. Imagine if the number of commercial plane crashes went up year over year despite major investment in flight safety. What would happen to that industry? Why are we not introspecting the same way when life safety is more and more in the sphere of cyber?

Every day new cyber security business are launching, large investments in cyber from venture firms, new tools being released, and tons of competition. Why isn't there is anyone saying "Hey wait a minute, what are we doing? We aren't making any progress!"

From my experience consulting for Fortune 100 companies, governments, and big Tech what I have seen is that cyber is a multivarant problem consisting of (but not limited to:

- Budgets
- Politics
- Staffing Limitations
- Critical Legacy Systems
- Competing Priorities
- Education

To say nothing of real technical hurdles. This is not a problem that can be mandated away by a government or a policy.

WHAT TO DO?

What to do?

This whole time we have been retrofitting security on top of protocols and systems that were never designed to be secure. Most of the focus is at higher levels of whatever stack.

We implemented SAST / DAST into our build pipelines but not into our processes.

We added encryption on top of HTTP and DNSSEC on top of DNS and all of that on top of TCP/IP.

What we didn't do is go back and redesign computing architecture to include security from the get go. We don't have processors or RAM pipelines that have any mechanism for validating or flagging instructions or addressing. We don't have low level protocols like ethernet that have authentication and traffic verification built in. As much of computing is moving towards SoC type designs, low power and lower cost devices like ARM, we have a unique opportunity to rethink the whole thing.

I think we have a major choice in front of us. Continue investing in new band-aid ideas that attempt to patch issues that are discovered with each attack as a reactive measure:

  • Network attacks spawned firewalls and IDS.
  • Web attacks spawned WAF and structured queries.
  • Credential harvesting spawned MFA.
  • Incident Response spawned SEIMs.

And continue to throw money into a bottomless pit destined to fail.

Or we can flip the table and go back to the drawing board at the hardware level of our computing infrastructure and design things the way they should have been done from the beginning if we had had the foresight to anticipate attack evolution. It will be very expensive and painful, but if we want actual security and not just cyber economy I think we have no choice. I suspect this effort would take several decades and many billions of dollars to implement .

One thing I'm pretty sure of is that no gov legislation or standard is going to fix the issue.  We already have:

  • Computer Fraud and Abuse Act (CFAA)
  • Electronic Communications Privacy Act (ECPA) / Wiretap Act
  • Stored Communications Act (SCA)
  • HIPAA / HITECH (Healthcare Security Law)
  • Gramm–Leach–Bliley Act (GLBA)
  • Sarbanes–Oxley Act (SOX)
  • Federal Information Security Modernization Act (FISMA)
  • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA — 2022)
  • State Data Breach Notification Laws (All 50 states)
  • California Consumer Privacy Act / CPRA (CCPA/CPRA)
  • New York SHIELD Act
  • FTC Act Section 5 (Unfair or Deceptive Practices)
  • DFARS 252.204-7012 / NIST 800-171 (Defense contractors)
  • International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)
  • SEC Cyber Disclosure Rules (2023+)
  • CAN-SPAM Act

And many more, all with various levels of teeth and penalties. And yet, the breaches continue. In fact, with the recent Salt Typhoon / CALEA issues I would make the argument that often government regulations are the problem, not the solution.

Lets say, via a bill, we set some minimum bar with huge fines or loss of licenses for non-compliance. The same hacks will happen, and then what? Do they still lose their license? Do we raise the bar again and rinse and repeat? This bar keeps squeezing already low margins from organizations until eventually they just give up their licenses because its too expensive to maintain, or they get bought out by one of the big guys in their industry (who are a whole other problem).

We could have the most perfect bill and it have little to no effect at preventing breaches. We've been focused on the minimum baseline / low hanging fruit for 3 decades and not only have breaches increased, we haven't gotten rid of the low hanging fruit.

Can fancy autocorrect (AI) solve this for us? I have my doubts.

What do you think?

A.

Sign up for more like this.

Enter your email
Subscribe