You're being attacked like a nation state: Why aren't you defending like one?

Ten years ago, I used to visit senior business executives to talk about the growing cybersecurity risk. “Why are you telling me this stuff?” they would often ask. “I’m a businessperson, not a spy.”

The sad reality is that while in decades past only the military and national security communities needed to worry about sophisticated cyber attacks, today a far wider range of organizations are potential targets. Those cyber attacks might originate from nation state sources – the attack on Sony Pictures attributed to North Korea, or the attacks on energy companies attributed to Russia – or they might come from organized criminal groups that have added sophisticated cyber crime to their inventory of duplicitous ventures. Of course, in some cases the difference between the two may not be entirely clear.

Nation states and private sector organizations are now being attacked by the same actors in much the same ways; however, their approaches to protection remain remarkably different. Government defenses are far from perfect: there have been egregious breaches within governmental organizations, such as the U.S. Postal Service just last November. However, when nation states identify assets or resources that they really, really want to protect (most usually, classified intelligence), they do a pretty good job of it. The same cannot be said of the private sector.

If we know how to truly secure our most prized data and systems, why are more organizations not following the lead of national security?

The simple answer is cost. Strong cyber security is difficult, and historically has required significant investment, justifiable only in the most extreme cases. I use the word ‘historically’ advisedly: there have been big changes that are starting to change the calculus and make strong security accessible to a much wider market. Unfortunately, because this world has been so tightly bound up in secrecy, these changes are not well known and have not yet been well communicated.

Back in the 1990s and early 2000s, strong cyber security was achieved in a simple way: by physically and electrically separating sensitive systems from other less secure systems – the traditional “air gap.” This was an extraordinary measure to take, not so much from a technology spend perspective, but because of the implications for operational efficiency and the restrictions it imposed on innovation (for example, taking advantage of new technologies). Unsurprisingly, the approach did not find many takers beyond the military and national security sectors. Decision-makers in civilian government and across the private sector decided that the costs outweighed the benefits and that was that.

Unbeknownst to these decision makers, this was just the beginning of the story. Military and national security organizations are not anti-efficiency or anti-innovation; they too wished to take advantage of the explosion in web-based capabilities. Physical disconnection was a disabler; this created a pressing demand to find ways of overcoming the hurdle.

Significant technological advances in recent years have enabled us to bridge the gap, allowing connectivity while maintaining high security. The challenge now is to address the remaining barriers to wider business adoption and help more organizations achieve nation state-like levels of defense.

There are three main hurdles to be overcome: secrecy, the economics of technology, and buying behavior. Firstly, because much of this development has taken place within secretive national security communities, the technologies are not well known. Secondly, the core economics of all technology are that significant up-front engineering costs need to be amortized across large markets in order to deliver cost-effective prices – hence many of these products remain expensive. And thirdly, because most customers still do not know how to evaluate strong security products, the market generally flows to products that make strong claims (“military-grade”) rather than those with strong substance.

Changes are afoot. Some nation states, like the U.K., now seem to be recognizing that continued secrecy is impeding their ability to access cost-effective strong security, while some early investors are seeing the potential opportunity in taking these strong security technologies to a wider audience in order to lower the price-point. However, buying behaviors remain the biggest barrier to strong security: Nation states buy cyber security very differently to the private sector.

Some aspects of cyber security are obvious: If you have an easy-to-guess password, someone is likely to guess it. But much of cyber security is far from common sense. Even professionally designed enterprise-class IT platforms built to carry out function A can turn out to be capable of carrying out undesirable functions B, C and D in the hands of a skilled cyber attacker. The vendors providing these platforms claim — with honesty and conviction — that their technology is secure. The counter evidence only emerges under intensive and highly technical scrutiny (the source of further up-front cost). Demanding this level of scrutiny is something that nation states do, and other buyers do not.

In the past decade, record spending on cyber security technologies has delivered relatively limited effect. The attackers still appear to be winning, leaving many top-end corporate buyers deeply cynical about the benefits that security products claim. Market structures for scrutinizing security products to determine which really work (and which really do not) are still nascent, but in keeping with technology market norms there is a potential tipping point ahead.

Once buyers take steps to demand it, the potential is there to deploy much stronger levels of security than today, protecting a much wider range of organizations from even the most sophisticated attacks. This starts with a change of mentality; with business executives recognizing that they’re being attacked like a nation state and thus face a pressing need to defend themselves accordingly.

Henry Harrison is co-founder and CTO of Garrison, a cybersecurity business. He previously worked in cybersecurity both as an independent consultant and as Technical Director of Cyber Security at UK defense and security company BAE Systems.