In ancient times when there was a total eclipse, many people believed that evil was taking over the world. In those days, before telescopes or astronomy, people believed that the sun was some sort of god: the Greeks called this god Helios and the Egyptians called him Amun-Ra. The idea that a god could be extinguished seemed terrible, so some religions would hold sacrifices in order to restore their god. Even animals have been described as behaving oddly during an eclipse. With the upcoming solar eclipse, I’ve started to wonder whether something similar is happening in cybersecurity.
When I was in law school, a study came out about the legal profession. The study found that optimists outperform pessimists in every major profession except for one: the law. Optimists dominate every other profession, from doctors to salespeople to the clergy. This explained so much about my experience in law school. The people were all incredibly intelligent and motivated, but law school is a tough experience for even the most intelligent. Why? Perhaps it is because it requires you to be pessimistic to be successful.
I wonder what they would find if they did the study again today and looked at the cybersecurity profession.
There are a lot of different perspectives inside the cybersecurity industry:
- Optimist: Cybersecurity will improve eventually.
- Pessimist: Cybersecurity will keep getting worse.
- Quantum Theorist: Cybersecurity is both getting better and getting worse.
- Realist: Cybersecurity is one risk among many that must be considered.
- Nihilist: There is no such thing as Cybersecurity.
- Capitalist: There is money to be made in Cybersecurity.
- Alarmist: Unplug the Internets!
It doesn’t seem like there is much optimism when it comes to cybersecurity today. Every year is worse than the last when it comes to almost every statistic about hacking. It makes sense that there is a lot of pessimism, but we can’t resign ourselves to the idea that it will always be this way. We can’t accept that an exponential curve of increasing attacks should persist.
Are we just in the middle of a cybersecurity eclipse? Do we believe that the sun will come back? Or have we bought into the fear that vendors use to sell products or enforcers use to coerce compliance?
Over the last year, at nearly every conference I’ve attended, it’s been said that by 2021, there will be 3.5 million unfilled security jobs. The sky is falling! But what percentage of the total workforce is that? Does the workforce need to grow by double to keep up with demand? Or does it need to grow by 10%? Does this projected jobs gap take into account disruptive technologies like artificial intelligence and machine learning, which could help drastically reduce the amount of manual time spent hunting for and remediating malware?
Cybercriminals are also facing the same talent shortage. There is no question that attacks are getting more sophisticated and that breaches keep getting bigger. Does that mean that more and more promising young engineers are turning to a life of crime? I’ve not heard that the number of criminals is increasing exponentially, just that cybercriminals are making use of automation to help streamline their processes. But just like in the corporate world, there is an upper limit on how efficient a well-organized cybercriminal can become.
One of the explanations for the increasing volume of breaches might not necessarily be increasing numbers of malicious actors or increasing attacks. The rise of big data and cloud computing means we’re putting all our eggs in one basket, and criminals are targeting those baskets. New laws have created more stringent requirements that companies disclose information about breaches, which has resulted in more breaches being disclosed. We also have better tools today to detect breaches, which, coupled with the requirement to disclose, means larger numbers of reported breaches. But that doesn’t necessarily mean that hacking and cybercrime have gotten worse, just that we’re talking more about it. I think it has gotten worse, don’t get me wrong; I just think it may be difficult to define just how much worse things have gotten.
Let’s embrace our pessimistic sides for a moment and consider what the worst-case scenario for cybersecurity might look like. If the number of attacks and vulnerabilities and data breaches continues to increase, how would we respond? Our communities and governments won’t stand by and let the Internet become a lawless Wild Wild West. What is more likely is that companies will pull their computers off the Internet, fragmenting into smaller disconnected networks. Governments might follow China’s lead and build firewalls to better protect their citizens and businesses.
What would a future look like where there is reason to be optimistic? Perhaps the volume of data lost or the number of successful attacks reported in a year could decrease rather than increase? What if the number of vulnerabilities discovered could start to decrease through secure computing practices and stronger screening? What if companies were less vulnerable through the use of AI, secure coding, and better hygiene?
What if instead we could be optimistic about the future of cybersecurity because we actually believed we could make a difference? Even if data breaches plateau, I don’t think we can call that a win. We need to make sure that security is baked into our culture rather than bolted on after the fact. Maybe by working together as a community we could start to turn the tide. Our cynicism may be well founded, but is that cynicism enough to get us out of the mess we are in? I don’t think it is. What we need is the belief that prevention is possible in order to find the solution.
The sun is always there, even during a total eclipse when we can’t see it.