Rethinking Cyber Defense

We are not winning the cyber war.

There, I said it.

It isn’t that we are necessarily “losing” the cyber war, but we definitely are not gaining ground on our adversaries. No material impact is being made on the volume of cyberattacks. In fact, recent estimates indicate that 97% plus of companies have suffered some form of serious cyber intrusion, and that it takes on average anywhere between 7 and 8 months to discover that an attack has occurred.

It is not as if the cost to conduct cyberattacks is rising, either. One can find any number of reports detailing how cybercrime is essentially a risk-free activity, as there is little to no chance that perpetrators will be caught or punished.

In many ways, it is a bleak picture. As I have written before, the math is completely wrong here. The cost of conducting attacks is far too cheap, and the mountain of money being spent on cyber defense is making only a slight impact on the tsunami of successful attacks.

The thing is, it’s only going to get worse. Companies and governments rely too much on outdated models of cyber defense such as “signature” based defenses. Meanwhile, it is becoming so easy to create new malware that cyberattacks often use a piece of malicious code only one time so as to not set off current alarms.

So where does that leave us? Do we need Kryptonite to use against hackers? No, I believe it is time for a revolution in cyber warfare. Our cybersecurity model seems to only consider defense, focusing on ways to stop attacks or cleaning them up quickly. This “supply-side” approach just won’t work – the incentives for conducting attacks are just too attractive for criminals to pass up.

Download: Rethinking Cyber Defense