In the last few weeks, I’ve attended more than my usual number of international cybersecurity conferences, and the perspective, scope and dimensions of the discussion have evolved quite a bit in the last few years.
I’ve been speaking with people from different backgrounds on this topic at events hosted by the United Nations to discuss the counterterrorism angle, by NATO for its use of the military and warfare, by Interpol for the balance between law enforcement needs and public privacy, and even by the OECD for the asymmetries that developed countries face in protecting themselves.
This has allowed me to look at cybersecurity problems, and the wider field of risk management, through various lenses. But I’ve noticed that when talking about cybersecurity, observers are using terms that are simply unnatural. This is more than a semantics argument; more and more observers are saying that along with internet access, cybersecurity should be regarded as a fundamental piece of infrastructure for modern societies.
Welcome to the Code War
Historically, much of the jargon in cybersecurity has been borrowed from a military context, especially nuclear. People talk about “cyber deterrence,” a term that’s clearly derived from “nuclear deterrence,” the doctrine of preventing war among adversaries by stockpiling devastating weapons.
Indeed, observers have even used the term “mutually assured destruction,” referring to reciprocal annihilation in a nuclear exchange, when discussing the current state of cybersecurity. But these terms are unsuitable and the metaphors unfortunately don’t apply.
The war against internet users by non-state actors and cyber criminals is nothing like the Cold War. In fact, as I’ve argued elsewhere, the world has changed from a “Cold War” to a “Code War”.
People tend to project their own world onto that of cybersecurity, which generates confusion and incorrect assumptions.
Cybersecurity and risk management is a complex, rapidly evolving field of hazards both human and technological, and I think it’s worthwhile to use framing metaphors to understand and talk about it.
Being a medical doctor by training has helped me develop the mental agility to tackle complex cybersecurity threats, but it has also made me realize that the most useful metaphor for cybersecurity is actually the survival mechanisms of the natural world.
We’re all risk-management creatures
Security and risk management form an intrinsic part of the oldest, most basic systems of the animal world, inherited from the era of single-cell life.
In fact, the most fundamental security systems are coded in our DNA.
On top of these innate risk-management systems, we acquire security-conscious behaviours while growing. Our instinctive fear of the dark is one such DNA-coded risk-management mechanism.
Our constant safety checks, from scanning for any sharp objects around children, to paying an annual premium for their accident and health insurance, is another example of acquired risk-management mechanism.
The point is that we are all risk-management creatures.
All larger, more sophisticated approaches to controlling risk are variations of life’s basic drive for self-preservation. We cannot eliminate risk, but by preventing what we can, and implementing layers of small risk-mitigating actions – to use the parlance of cybersecurity – we avoid danger and serious negative outcomes such as death.
By the time we wake up and head for the office, we make dozens of automatic risk assessments.
Just like any living organism, our main goal is survival.
Our many senses automatically scan the environment and make sure nothing is amiss. By the time we are out the door, we have automatically checked dozens of variables that prevent us from missteps and protect us.
Biologically, we’re composed of various integrated systems, such as the immune, nervous and cardiovascular systems; these are all working together and sharing information in the forms of nerve impulses, hormones and T-cells, to form a layer of resilience that helps us stay alive.
I make this point because I think that companies can’t simply entrust cyber risk to a small group of people within the IT department. Cyber is so entrenched and we are so dependent on it that it’s a management issue that affects an entire organization.
Nature’s risk paradigm
The security similarities between biological and computer threats have long intrigued me, but the analogy between the two was recognized at least 30 years ago with the advent of the term “computer virus.”
Solutions in nature are abundant and elegant because our immune system has spent billions of years evolving into a distributed control system that consists of trillions of cells working together to manage a huge variety of threats in a robust, scalable and flexible way.
Its self-healing properties are also useful metaphors when we become victims of ransomware and we need to resort to backups to recreate lost or stolen data.
Besides self-healing, both immune and cybersecurity systems have many common traits.
They include detecting threats and preventing attacks, protecting the host (with white blood cells or antivirus software), sharing information about threats with other parts of the organism or network, and operating automatically.
The more you compare the two, the more similarities reveal themselves.
In immunology, the concept of "self" is taken to be the internal cells of the body, while "non-self" is any foreign material, such as bacteria, parasites and viruses. Distinguishing between self and non-self in natural immune systems is difficult mainly because the components of the body are made of the same basic building blocks as non-self matter.
Data is exactly the same: non-self data could include unauthorized users, viruses or worms, Trojan horses, or corrupt data. Data is data and distinguishing between offensive and defensive data is equally difficult, and the host system is also continually making changes to its data in terms of new users, programmes and patches.
Today's cybersecurity world can be described biologically as a defence system based on blacklists, which are defensive mechanisms, such as antivirus software (AV), that keep dangerous data out. But AV is one example of an immune system with antibodies and their T cells only: it can’t fully protect the host.
The immune system has many features that are highly instructive for cybersecurity:
- Multilayered protection: The body provides many layers of protection against foreign threats. From end-points to networks, it is important that one system level backs up another system in case it’s broken.
- Detection is distributed: The immune system's detection and memory systems are highly distributed, and there is no centralized control that initiates or manages a response. Likewise, detection within a computer network cannot be centred in one location. It must be shared throughout the network, and, better yet, through the larger organism that is the internet. Furthermore, when an organism detects an attack, it immediately notifies the entire system to enhance security. Similarly, cybersecurity systems need to automatically notify all users of an attack or vulnerability when one part is attacked.
- Protection from unknown threats: An organization would be much less effective if protected against only what it’s been vaccinated against, compared to one that detects unfamiliar forms of infection. Immune systems remember previous infections and mount a more aggressive response to familiar foes. Many cybersecurity products only scan for known patterns (such as virus signatures), which leave systems vulnerable to unknown attackers. Like the immune system, cybersecurity needs to learn from other factors such as behaviour and context.
Not short-term solutions, but sustainable success
Through evolution, nature provides thousands of efficient, effective solutions for threats.
Prevention and protection through a robust immune system that quickly and automatically shares threat information is fundamental to the resilience and ultimately the survival of every organism.
Today's IT security systems are just taking their first baby steps toward mimicking nature, and will eventually find a nifty way to autonomously maintain IT homeostasis.
That flexible, adaptive response is the key to long-term, sustainable success, both in nature and IT security systems.
Our security needs will evolve as quickly as new technologies advance, and make our lives faster and easier.
The problem will always be: how do we keep ourselves and our data safe in an increasingly interconnected world?
The answers may be closer than we think, based on hints we discover in the natural world.
This week I will be discussing this complex topic yet again in a multistakeholder setting at the upcoming Annual Meetings of New Champions, aka Summer Davos, organized by the World Economic Forum.