We all know about the cold war period of geopolitical tension between the Soviet Union with its satellite states, and the United States with its allies after World War II (until 1989-1991). George Orwell used the term cold war in his essay “You and the Atomic Bomb” (published on 19 October 1945 in the British newspaper Tribune), contemplating “a world living in the shadow of the threat of nuclear warfare (a military conflict or political strategy in which nuclear weaponry is used to inflict damage on the enemy. Nuclear weapons are weapons of mass destruction).”1
After decades of arms racing, spying (e.g. by means of phone taps, pigeon cameras, spy shoes with a heel transmitter, gun-mounted lipstick heads, pens with a hidden camera, etc.2), crises and constant threats, through which many companies became very rich, the solution was not to create even more weapons or more threats; the solution came from different politics and a revolution of the people.
In digital security, we are also currently in our own cold war. We see hackers getting more organized, state-sponsored, and more sophisticated on the one hand, while on the other hand, we see cybersecurity products, services and startups rise massively and constantly creating new and more sophisticated tools. But do we see a decrease in the damage caused by security incidents? According to Ponemon3 the average total cost of a data breach increased from $3.54 million in 2006 to $8.19 million in 2019 and the odds of experiencing a data breach within two years increased from 22.6% in 2014 to 29.6% in 2019.
There are actually three types of “events” for which you pay the most: Marriage, Babies, and Cybersecurity.
The result of this cyber cold war is that both the hackers and the cybersecurity companies make massive profits. We move to more self-learning, artificial intelligence, machine learning security products (e.g. Darktrace, SentinelOne, and a whole lot more4) while attacks become more intense using the most recent technologies and social engineering. The question is: will this ever stop? Will this cold war end in a truce, in peace, in a place where companies and citizens can again focus on things that really matter, instead of constantly being on guard against the threats that are out there?
Looking at history, one can doubt whether this cyber-arms war is the right way to go. Knowing this, shouldn’t we shift toward a new approach? Two “crazy” thoughts on how we can change this paradigm and move to a truce.
- Remove the incentive for “good” and “evil” people engaging in this cold war. Because is “Anonymous” really evil when all they want is justice? Or is that hacker in a country where hacking pays the bills actually evil or just finding a way to survive? Is that security company that is constantly selling more security products, trying to go the stock exchange as soon as possible, really good? The question here is how can we remove the incentive from both sides to continue with this cold war? Isn’t that a social-political question in which governments need to play a role?
- Is an Open Internet really the right way to go? Haven’t we proved that we actually can’t take that responsibility? Not only hackers, but also governments and citizens? If we know that about 45% of all email traffic is spam, the dark web is full of illegal content and activities and there are somewhere between 150,000 and 500,000 phishing websites active each month (COVID-19 has led to a 350% increase in phishing sites).5 6 Is the Open Internet not a complete failure? What if we would try to implement a “zero trust” approach for the whole internet? (Zero trust7 eliminates the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify, by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control8) People might think about the Great Chinese firewall or other internet controlling states, but it’s a question whether the solution itself is wrong or the way the solution is being applied is wrong.
Although these ideas might not be easy to implement, the current approach is we believe not the right way to a lasting solution. To end this cold war, we need to change direction. On a macro level we need to need to change the global social-political direction. At the meso level we need more awareness, “soft controls” and education. And at the micro level we need technology.
This blog is based upon the book “Leading in Digital Security“
- Ponemon Institute, Cost of a Data Breach Report 2019
- Bobbert, Y. scheerder, J. (2020) Zero Trust Validation: From Practical Approaches to Theory