It seems that no matter how many Cybersecurity
Awareness Months roll by, how many elite security professionals are parachuted
in, or how much money is lost into a black hole, the issue of big data breaches
just gets worse year-on-year. They're so regular that they barely make the
mainstream news these days, short of being catastrophic. In 2020, more than 36 billion records were exposed in
malicious cyberattacks, and we lie in wait to see how many will be harvested in
2021.
Threat actors are constantly scanning for
opportunities, and while not every attack is a disaster, on average an attack occurs
every 39 seconds. We're not even close to
winning the fight, and the bad guys have a huge advantage over the defenders of
our data.
However, it seems change is in the air, with
the Biden administration making cybersecurity an early priority of the term,
to the tune of an extra US $10B in funding. This is, without question, a step
in the right direction, but will it actually make a dent in cybercrime that
is escalating in both frequency and sophistication?
## Cyber threats will take a (global) village to solve
Effective defense against increasingly potent
cyberattacks cannot be the remit of just a handful of countries, and
unfortunately, a cohesive strategy has been lacking across the board for a long
time. However, with nation-state threats on the rise, many governments are
sitting up and taking notice.
The SolarWinds attack affecting the US government
was a clear warning of what is possible, and an indicator of the potential
devastation if any critical infrastructure were breached. Recently, the FBI
issued a warning that a Florida water system was attacked, with the
threat actor able to contaminate the water supply remotely. They were stopped
before serious damage was done, but a more advanced attacker could have
caused destruction on a massive scale that would put lives at risk.
Slowly but surely, governments around the
world are investing more in cyber defense. The UK made record investments in the cybersecurity sector
and established a new task force. Australia beefed up its cybersecurity strategy
(especially for infrastructure), and places like Israel and Denmark are
considered best-in-class for their cyber programs. Japan
is ranked fifth in cyber defense, a welcome vote
of confidence following a 2018 statement from then-Minister for Cybersecurity
Yoshitaka Sakurada that he had never
used a computer.
A strong, coordinated global cybersecurity
response is vital as we rapidly progress into future tech, and every government
body should make it a key focus.
## More money doesn't mean fewer problems
If we take the United States, United Kingdom,
and Australia as examples, all of which increased investment in government-led
cybersecurity and expertise in the past couple of years, it may seem as though
security is finally a priority and the "good guys" are getting what they need
to win the battle.
It certainly helps, but it's only part of the
bigger picture. That funding can buy super teams of experts (as has happened
with Biden's cash injection), comprehensive bug-bounty programs, and
top-notch incident response and mitigation in the event of disastrous breaches,
but it's this reactive approach to cyber defense that ensures we'll make only minimal
progress, no matter how much money is thrown at task forces and threat
response.
Every government needs to look beyond reactive
security measures and sink some serious effort (and funding) into a more
preventative strategy. If the focus remains on reacting to successful
cyberattacks instead of working to prevent them in the first place, no amount
of money will drive down the growing risk. A genuine, proactive security approach
would see budget allocated to infrastructure hardening and to rolling out
effective security training and upskilling, with the aim of reducing the attack
surface as much as possible right from the start.
## The cybersecurity skills gap may never close, but there is wasted potential
Highly trained, specialist security personnel
are in huge demand all over the world, and it's unlikely we will ever see a
glut of those cyber gurus. However, this is all the more
reason for governments and organizations alike to get more creative and
savvy with the resources at their disposal.
A truly preventative approach to cyber defense
starts with every person involved in the software development and
infrastructure process being as security-aware as possible for their role.
Developers, in particular, need the right security upskilling and right-fit
tools for the job, so that secure coding can be intrinsic to their process.
This goes a long way toward ensuring that common vulnerabilities are addressed
before they ever see the light of day. This alone is a powerful (not to
mention cheaper) step that reduces pressure and rework further down the
software development lifecycle.
We need to reinforce a human-led approach to
cybersecurity best practices; it will get better results than a heavy
reliance on automation, tools, and reaction to problems that have already been
embedded and discovered, a strategy that is clearly not working if we look at
the number of breaches happening today.
## ABOUT THE AUTHOR
Matias Madou, Ph.D., is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. When he is
away from his desk, he serves as an instructor for advanced application
security training courses and regularly speaks at global conferences including
RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec, and BruCon. He also
loves a Fortnite battle or two (or three, or four... ).