Cyber security is becoming more prominent in both the public and private sectors, yet there is still a great deal of confusion about what it actually involves.
In fact, the term “cyber security” itself is misleading. The historical term for it was “information security”, and it is worth keeping this in mind. What seems a minor distinction is actually an often-overlooked element of cyber security: ultimately, it is about protecting data, and data is information. In this day and age, information is a form of currency, a source of wealth, albeit a volatile one.
It is here that one of the main problems with cyber security becomes apparent.
You cannot be resilient against information loss in the same way you can against destructive attacks, such as denial of service, which has plagued banks in the US in recent years. Once certain bits of information have been stolen, there is nothing you can do to recoup their value. This, combined with the knowledge that 100% security is neither achievable nor desirable, shows us that instead of trying to prevent leaks, what we really need to do is tolerate them.
The issue of intellectual property theft is a polarizing one. In the Mandiant report on China, the vast majority of public reactions in the private sector were split between retaliation and self-defence, often mistaking one for the other. Beefing up your offensive capabilities as a company and defending yourself by “hacking back” brings to mind the romantic Wild West. Good for a movie, not for a coherent and sustainable strategy against cyberattacks.
History has taught us over and over that privateering or arming civilians who are vulnerable to attacks almost always results in unexpected and disastrous consequences. A diplomatic approach to the issue might yield better results, but a process that is usually riddled with setbacks has been made even slower by Edward Snowden’s revelations of US surveillance.
The solution can be found through a combination of technological and strategic means. If we are to become tolerant of information leaks, we first need to break down the problem into three actions:
- The creation of a pricing model for information
- The classification of data based on its value
- The enforcement of these classifications
Snowden’s leaks showed just how difficult the whole process is, even for government agencies with significant resources and personnel. Furthermore, in most cases the pricing model is dependent on the company or individual.
Based on this, the chances that we will become tolerant of leaks look bleak, not only because the necessary resources are beyond the budgets of most organizations, but also because current technology is not trustworthy enough to allow total control of information.
Nonetheless, new advances in machine learning (a branch of artificial intelligence) and software-defined networking (a process that allows more control over network flows) could help in automatically classifying information and in enforcing boundaries.
The cyber security industry does not currently – nor will it in the future – have a bulletproof solution to intrusions and data leaks. Clearly, a fundamental shift is needed in the way companies think about their security. Corporate boards and CEOs need to take it seriously and plan accordingly. A great place to start is in assessing the value of the data that is handled daily in their organization. If that understanding trickles down to the rest of the company, we all might be in a stronger position when it comes to cyberthreats.
Author: Vincenzo Iozzo is Entrepreneur in Residence, Rakoku Holdings
Image: An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho. REUTERS/Jim Urquhart