Security as a Self-Fulfilling Prophecy
Why are the good guys always chasing the bad guys?
A decade ago, a well-known company invited several security experts including myself to Amsterdam to help develop their security strategy. While there, a local consultant told me a success story of the Amsterdam police. They’d tried for years to keep up with the pickpockets in Dam Square but just never could. The thieves were too shifty – they’d just vanish into the night.
Finally someone had an epiphany: Why not follow the victims instead? So, once trained to identify the targets (presumably, tourists wearing white shoes and white socks), the police simply followed the prey, waiting for the pickpockets to show up. Which they duly did.
I’ve often wondered why we can’t do that in Cyber Security. We react, rather than anticipate. A new virus appears; we release a new signature. Somebody embezzles a billion dollars; we enact Sarbanes-Oxley. National Security can fall into the same trap. Following a recent bomb scare, cargo shipments from Yemen to the U.S. were grounded. The underlying assumption must be that terrorists can only dispatch payloads from Yemen, nowhere else.
React, react, react. Who’s got the initiative?
Having already completed Pike Research reports on Smart Meter Security and Smart Grid Cyber Security, I’ve just finished researching Cyber Security for Electric Vehicle charging infrastructures. This field being so new, it is quite a bit less defined. In discussing EV Charging with Cyber Security vendors, a pattern emerges in their approach. A typical response: “We know that will be an issue at some point. But there’s no market for it yet, so we’ve consciously chosen not to address the risks now. We’ll revisit the issue later / next year / sometime / (unintelligible).”
What just happened there? From a market portfolio perspective, this is perfectly logical. For a brand manager to chase undefined markets can be career-limiting. But from a security perspective? The market will be defined when the risks become unbearable. In the meantime, who has money to spend on threats that don’t exist?
Donn Parker, a pioneer of Information Security, once said, “A successful security program is the non-occurrence of unpredictable events that cannot be quantified.” Where does one find the ROI in that?
So we create our own crises, don’t we? Intentionally, it appears.
The solution? I can think of two, one of which is realistic:
• Security vendors can begin building solutions for problems that may occur in the future. This of course carries the risk of building incredibly complex solutions for a problem that never arrives.
• We track threats less and start tracking our assets more. Rather than listing everything the bad guys can’t do, put a protective wall around the things we care about.
Okay, it’s obvious which one is realistic. And there are already some green shoots in this area. Some are simple, such as hardening systems. For a trivial example, email clients and web browsers have no place inside an EV charging infrastructure. Encryption is of course a protective barrier, though poor implementation and key management can limit its benefit. Then there is whitelisting software, which allows an OS to perform only permitted actions, rather than attempting to enforce a taboo list with millions of items – a list rendered incomplete on a daily basis by new attacks.
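To make the whitelist-versus-taboo-list point concrete, here is an added Python example (not from the original post, and not any vendor's product) that compares the two decisions over constructed sample "binaries" for a hypothetical charger host: the taboo list passes anything it has not seen before, while the whitelist blocks both unknown and tampered code.

```python
import hashlib

# Constructed stand-ins for executables on a hypothetical EV charging
# controller. These are illustrative byte strings, not real charger software.
APPROVED_BINARIES = {
    "charge-controller": b"charge-controller v1.0 (constructed sample)",
    "ocpp-client": b"ocpp-client v2.3 (constructed sample)",
}
KNOWN_MALWARE = b"known-bad sample with a published signature (constructed)"
NEW_MALWARE = b"brand-new sample nobody has a signature for yet (constructed)"
# An approved binary that has been modified after approval.
TAMPERED_BINARY = APPROVED_BINARIES["charge-controller"] + b" (patched by attacker)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Whitelist: hashes of everything the charger is permitted to run.
ALLOWLIST = {sha256(blob) for blob in APPROVED_BINARIES.values()}
# Taboo list: hashes of malware that is already known (signature-style).
DENYLIST = {sha256(KNOWN_MALWARE)}


def denylist_allows(binary: bytes) -> bool:
    """Signature-style decision: block only what is already known to be bad."""
    return sha256(binary) not in DENYLIST


def allowlist_allows(binary: bytes) -> bool:
    """Asset-centric decision: run only what was explicitly approved."""
    return sha256(binary) in ALLOWLIST


def compare_policies(binary: bytes) -> dict:
    """Return both verdicts so the gap between the two models is visible."""
    return {"denylist": denylist_allows(binary), "allowlist": allowlist_allows(binary)}


if __name__ == "__main__":
    samples = [
        ("approved charge-controller", APPROVED_BINARIES["charge-controller"]),
        ("known malware", KNOWN_MALWARE),
        ("new malware", NEW_MALWARE),
        ("tampered charge-controller", TAMPERED_BINARY),
    ]
    for name, blob in samples:
        print(f"{name:28s} {compare_policies(blob)}")
```

The taboo list only catches the one sample it already knows; the whitelist needs no update to reject the new and tampered samples.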
It may not be time to decommission antivirus. But we have to start doing things that are focused on our assets rather than on the criminals. Otherwise we’ll continue chasing the bad guys, who will continue to elude us. They’re really sneaky, you know.