Rethinking Cyber Security
In the United States reported spending by corporations in 2018 on cyber security may have exceeded $200 billion. Some estimates are higher – putting the total spent at over $300 billion.
Regardless of the exact number, spending is very high and is likely to climb. Yet we face a basic problem that poses the question: are all these billions wasted? The terrifying reality is that each and every cyber security measure developed and applied is out of date: the hackers are well ahead of whatever is being put in place. It is an almost hopeless arms race diverting funds from truly productive purposes.
So, what to do now? We do need submarines.
105 years ago, Europe went to war. Part of that war was arguably a result of a 15-year arms race pitting Britain’s Royal Navy against the Imperial Germany Navy commanded by my much-maligned great-grandfather Grand Admiral Alfred von Tirpitz. In hindsight it was a pointless arm race as to which of the two nations could build the largest and best giant battle ships such as those of the famed Dreadnought class.
The cost of these ships started to rapidly outstrip naval budgets and did threatened to bankrupt both naval services. The battleships did see some action including the Battle of the Skagerrak or Jutland, handily won by the Imperial German Navy. Apart from that, these ultra-expensive floating fortresses had little use – partially because they were obsolete, the moment they were launched.
One naval weapon, the submarines – cheap and effective – would cause sleepless nights at His Majesty’s Admiralty, concerned that the United Kingdom would lose access to ever more vital supplies of beans, bullets and band aids.
Neither naval service saw much utility in submarines at first. Admiral von Tirpitz was not a fan and his counterparts in Britain, notably Admiral Fisher, were equally cool to these “newfangled” contraptions. Sure, submarines or U-Boots do not look great in a Naval Review – just a little tower sticking out of the water. Yet Germany’s rapidly expanding (and cheap) submarine fleet almost brought Albion deservedly to its knees.
So why this history lecture? Today we find ourselves in a similar arms race in the cyber war: ever more powerful IT departments are spending growing amounts of funds for purposes that do not produce revenue. I believe that much of this spending is a waste.
I know based on anecdotal evidence that the galloping increases in IT spending have forced pharmaceutical firms to cut vital R&D budget; airlines to shortchange maintenance; industrial firms to make unpardonable shortcuts which, possibly, could result in costly product liability issues.
What’s worse: the moment new cyber defenses are emplaced, the hackers already know how to overcome these barriers and then, IT departments respond with yet another wave of spending, implementing technology solutions likely to be obsolete within days. The global economy has yet to mount an adequate defense against the rise of cyber-attacks, according to new research. The impact could be $3 trillion in lost productivity and growth in the next seven years. Are we doomed along what Thucydides wrote 1,400 years ago?
It must be thoroughly understood that war is a necessity, and that the more readily we accept it, the less will be the ardor of our opponents, and that out of the greatest dangers communities and individuals acquire the greatest glory. Since you know as well as we do that right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must.”
It will draw the ire of IT “experts” around the globe when I urge that those with brains must now find the submarine and get out of this horrible spend and spend more cycle. Much of the IT spending is wasted. What’s more, the majority of senior IT executives believe their defenses can be overcome, according to a recent study by McKinsey.
The situation is somewhat akin to the four years of trench warfare in World War I – none of the very highly educated generals on either side could find a way out of that mess apart from throwing men into the meat grinder. Only the arrival of the U.S. Expeditionary Force under the command of General John J. “Black Jack” Pershing would change the situation: the U.S. Forces did not follow trench warfare rules and quickly presented innovative war concepts. The U.S. Forces changed the war just like the submarines did on the high seas.
So where are the submarines? What are the recommendations and solutions?
- Let us return to the old and effective standby lessons propagated by such luminaries as Sun Tzu, Clausewitz, or Mao: collect intelligence.
o Who are the attackers and how can they be dealt with? We know that the most effective cyber warriors come from China and Russia. But do we work with the government to go after these criminals?
- Let us use low cost low technology means: often analog technology will defeat digital. Keep things simple and maybe, just like the Russian’s recently did, invest in typewriters.
o Using the collected intelligence we need to define what is truly sensitive data – much of what can be found on corporate networks is of little commercial, strategic or tactical value. But companies and governments have large bodies of vital data. This data needs to be placed on stand-alone computers that are not connected to the web. Hackers cannot get at those.
o Who in an organization is “leaking: information or directly aiding the enemy? Honest and frequent background reviews are essential. Many of the data breaches can be traced back to insiders. Better background reports are essential.
- Surprise the enemy and engage in deception: Place false information on your computers – basically have a simple sting operation in place.
o By doing little in terms of expensive yet ultimately worthless cyber defenses you will drive the enemy batshit crazy. The hackers will want to know just what is going on? Where is the gold?
Agostino von Hassell
The Repton Group LLC