To Defend A New World, Discard Old Strategies

Late October’s DYN cyber-attack shows the essential systems that connect us have changed. Is cyber defense keeping up? It’s time for a radical strategy shift.

We all work, play, buy, and sell today in a new and complex economy – and I don’t mean gray-market goods or bitcoins. The new or second economy we now live with underpins our primary, physical world with indispensable digital networks and systems. The second economy deals in three currencies – trust, time, and treasure – all prey for a newly industrialized, coldly efficient breed of cyber-criminal.

The second economy runs on trust. Whenever a consumer deposits a check using a smartphone or e-signs a loan deal online, it’s an act of trust as well as commerce. If you don’t trust that your money, data, or intellectual property will survive the transaction, you don’t act. An old adage in the traditional economy says nothing happens until somebody sells something. In the second economy, nothing happens until somebody trusts something. But when things happen, and as smart devices that act as agents of their trusting masters proliferate, more transactions happen instantaneously, globally, and often without human checks. Maintaining trust means protecting those transactions.

The second economy runs on time. Cyber criminals plot and launch attacks at leisure; cyber defenders are stuck in a perpetual reactive footrace against their enemies and the clock, detecting and remediating threats. On defense, every second counts, and response speed depends in part on an organization’s tools, policies, people, and command structure in place. Get caught flat-footed, and a breach can mushroom into a brand disaster – turning trusting customers wary.

The second economy is also about treasure, of course. Though the big scores tend to be data or intelligence breaches, cyber criminals still steal regular money. Like criminals since day one, those trolling cyberspace are uncommonly rational. They gravitate to easy targets and maximum rewards. Economic decisions by organizations defending themselves are not always so sensible. You see cybersecurity software bought but unimplemented, or stacked up in depth but ineffectively; you see response hindered by org-chart silos or inertia; you see the wrong human impulses and outcomes rewarded. Cyber conflict is nothing if not asymmetric.

The second economy is under siege, and growing more so. This year McAfee Labs counted an average of 400,000 distinct new incoming cyber threats per day; a decade ago it was 25 per day. A billion personal records are now stolen each year, degrading trust in the organizations victimized and the Internet itself. The scope of cyber-attacks has broadened exponentially, too. Where once individual retailers or banks were targeted, now entire supply chains, financial networks, and stock markets may be in the crosshairs, potentially affecting the integrity of international financial systems or a country’s GDP.

The cybersecurity industry is seeing tremendous growth. Corporate expenditures for cybersecurity this year are at $100 billion and rising. But sometimes more outlay only buys more complexity, higher costs, and mountains of data requiring analysis – and there’s a dire shortage of expert talent. The second economy is a new and challenging concept; protecting it calls for new and challenging defense paradigms.

It’s time for thorough changes within organizations, from the boardroom to the security center, to address current threats to trust, time, and treasure and prepare for future ones.

· Skilled teams must be developed to identify and evaluate top threats based on an understanding of the business, the infrastructure, the data, and recent targeted attacks. Automation can cope with the low-grade threats while top talent hunts for the 1 percent which would make headlines.

· A framework for dealing with risk should be established, then constantly revisited to test for inertia, institutional bias, and obsolete assumptions.

· A community of organizations is collectively safer when it shares threat intelligence, but many are reluctant. Adopting a more cooperative, less siloed defense strategy takes high-level backing.

· Leaders must have a basic understanding not only of second economy principles and what is really at risk, but also of what’s worked historically in cybersecurity and what hasn’t. When they see what motivates adversaries’ attack campaigns, defenders are better able to stop them – and hopefully move from defense to offense.

An evolution in defense thinking needs to occur to adapt and prosper in the world of the second economy. A world where more than money is at stake. In the second economy we are all fighting time – and working to justify trust.

The author is Senior Vice President & General Manager of Intel Security Group. This column is taken from his foreword to the forthcoming “The Second Economy: Time and Trust in the Age of IT Security,” by Steve Grobman and Allison Cerra, to be published in November 2016.