‘Accountability as Innovation’ Needed in Cybersecurity
Oren J. Falkowitz
When accountability is used as innovation, it not only drives social change but also helps solve seemingly intractable problems.
In the fall of 2014, CVS decided to stop selling cigarettes. The company would forego $2 billion in revenue, because “the sale of tobacco products is inconsistent with our purpose – helping people on their path to better health,” said Larry J. Merlo, President and CEO, CVS Caremark. The company recently launched another initiative, this one aimed at promoting more realistic body images by refusing to materially alter the beauty imagery in its stores, packaging or communications, and by encouraging its suppliers to do the same.
Sacrificing short-term gains to reinforce the company’s mission has understandably been a big positive for their brand—and it’s been great for their business. In December of 2017, CVS announced it would buy Aetna, a move that could very well reshape the health insurance landscape in this country.
Cybersecurity is an industry that can desperately use a dose of accountability-as-innovation.
Accountability in cybersecurity is virtually non-existent. Despite billions of dollars spent worldwide on cybersecurity solutions, our position in cyberspace is now more precarious than ever. Recently, the World Economic Forum’s (WEF) Global Risks Landscape 2018 ranked cyberattacks alongside extreme weather events and the prospect of nuclear war as the most likely and dangerous risks threatening the stability of society.
That means, on the internet, “attackers could trigger a breakdown in the systems that keep societies functioning.” That is exactly what we saw happen last month, when cyber actors held critical services provided by the city of Atlanta for ransom and even took Baltimore’s emergency 911 response system offline. We’ve moved far beyond hackers playing tic-tac-toe, defacing websites, and stealing passwords and credit card numbers.
The resulting damage from ineffective cybersecurity is significant, with large-scale attacks becoming more commonplace as well as more damaging. Consider these statistics:
- In 2017, companies revealed breaches of more than 4 billion data records, more than the combined total for the previous two years.
- Last summer, attackers held more than 300,000 computers hostage in the UK’s NHS, bringing the system to a complete halt and forcing hospitals, surgeries, and pharmacies to use pen and paper to run the nation’s health system.
- The estimated annual cost of responding to cyberattacks is now $16.59 million per company, representing a year-on-year increase of 27.4%.
- On April 1, Saks and Lord & Taylor were breached, likely resulting in the compromise of more than 5 million payment cards.
- The cost of cybercrime to businesses will rise to astronomical proportions, expected to top US$8 trillion by 2022, just five years from now.
It’s clear we’re moving on a trajectory from data theft to data and network ransom, to data manipulation and physical destruction. And if we don’t begin to change the economics of being a bad guy on the internet, which is a really good business today, it’s not going to get any better.
It is possible to establish advantages in cyberspace for defenders over attackers. However, we first must reject the ideas that every attack is unprecedented, that attackers have the ultimate and long-term advantage, that volumes of damage equate to severity of impact, and that there’s nothing that can be done.
Then, the innovation part of the accountability equation needs to kick in.
We must preempt instead of react. Typically, cybersecurity solutions act like a police force: when there’s an event, they’re called in to solve it. React and respond. A more effective approach is to act as a bodyguard. If an event occurs, a bodyguard fails. This method preempts incidents, and this preemptive posture is one that every organization needs to adopt for success in cybersecurity.
We must be methodical and scientific and avoid the continued cargo-cult science, in which erroneous conclusions are formed by misinterpreting the causality of results. The reality is that approximately 95% of cybersecurity incidents and damage begin with phishing. It is not the majority; it is the absolute root cause of our insecurity. Let’s focus where attacks start.
We need to leverage economic power in the marketplace where cybersecurity solutions compete. You wouldn’t pay for a car you couldn’t drive off the lot, or a meal you didn’t get, and you shouldn’t pay for cybersecurity that doesn’t work. The equilibrium of the marketplace in cybersecurity needs to be restored so that companies who build better products can succeed.
So, what can you do to get the kind of cybersecurity worthy of your investment? Here are three imperatives:
Invest in what works. Training is not effective at stopping phishing. Likewise, buying insurance against the possibility of a breach is a misuse of resources. Preemption is the proven strategy of success, rather than remediation and autopsy.
Focus on the root cause, not the symptoms. Solutions that stop 99.9% of attacks are fine, but it’s the 0.1% that do all of the damage. You need solutions that stop those few, most dangerous attacks, which almost always begin with some flavor of phishing. In WWII, British planes returning from bombing runs were inspected for bullet holes. Allied officers reasoned that the pattern of vulnerability they showed was where the planes should be more heavily armored. But the opposite was true. The extra armor needed to be placed where there were no holes, because the planes that were shot in those places were the ones that did not return. Focus on the 0.1%, because those are the phishing attacks that penetrate your traditional defenses.
Insist on a guarantee of performance. If the cybersecurity company you’re negotiating with doesn’t offer some kind of guarantee of performance, don’t do business with them. If they’re willing to take your money in exchange for their product, they should tell you what you can expect.
Shifting our collective mindset about what we expect from the cybersecurity industry can pay tremendous benefits for all concerned. The companies that are daring enough to be held accountable for the efficacy of their solutions will do very well by raising the bar. Those that do not will be part of a long-overdue industry shakeout. And customers will finally get something that up until now has been unavailable at any price: Cybersecurity they can rely on to keep them safe and secure.
Oren J. Falkowitz is a co-founder and CEO of Area 1 Security, a cloud-based cybersecurity firm that stops phishing. Prior to joining the private sector, he served at the National Security Agency and United States Cyber Command.