A changing landscape needs a fresh perspective

A lightbulb on the horizon of a circuit-board landscape with abstract digital connective technology.
Peshkov / Getty Images

The Australian political class is keenly aware of the importance of cyber security. The nation’s privately held banks, utilities etc. are (rightly) viewed as a critical aspect of the nation’s ability to defend itself from hostile states and other actors. But there is a fatal flaw in our system that is gaining public attention.

Currently, regulators are strict on ensuring the security of assets and businesses that are vital to Australia’s operation; energy, communications infrastructure, banking sectors and so on.

This focus on viewing cybersecurity from a national defence perspective has flaws that Shadow Treasurer Jim Chalmers MP touched upon at the NAB National Cyber Security Summit in October. In his address, he noted that our collective cyber security is “only as strong as the weakest link”. This is explicit recognition of the changing nature of cyber attacks.

Rather than attempt to go in through the heavily fortified and firewalled front door, attackers now choose to target low-value assets and less secure related businesses. They then use this foothold to (often very slowly) work their way towards where they want to be: personal records, payment data, research papers etc.

Mr. Chalmers also correctly points out that simply requiring all businesses that may touch a critical asset to have a greater level of security would be an economic catastrophe. The cost of doing business for many of these, often young, enterprises would skyrocket. The state would need to step into the lives of thousands of businesses that, up to this point, have run autonomously, which presents its own set of issues.

But where Jim and I disagree is on the solution to this problem. Jim’s proposal is to invest more on bringing in the best talent, and to improve communication between national and international enterprises.

It’s a safe recommendation. Yes, investment into developing and attracting better cyber security talent will help the industry. As will better international coordination and national collaboration. But what we really need from the government is to enforce a brand new perspective on the challenge of cybersecurity, before we can begin to tackle this new challenge.

Seeing the forest, not just the trees

The fact that Jim got the problem right but the solution to simply “invest more into what we are already doing” is telling.

If that were an effective approach, we’d be seeing less economic damage from cyberattacks, not more.

What we need is a policy that accepts that breaches will happen, and works to minimise the damage done. We need to move away from utilising firewalls in every instance - hoping somehow that this time, the implementation will be perfect.

The best and most effective security approach for enterprises is what has been coined “Zero Trust” policies, where organisations should not, by default, trust anything outside or inside the network perimeter. Under Zero Trust, organisations verify anything and everything that’s trying to connect before giving it access.

Zero Trust is the model for effective security that answers the economic and national security questions posed by the changing tactics of hostile actors. Localising and isolating threats through security segmentation technology means that the network of critical assets applies policies to individual workloads for greater attack resistance. It also severely curtails the ability of an attack to move laterally from one area of the network to another.

Zero Trust is a framework that covers everything from user access, defending external networks and internal networks as well. Visibility enables defenders to see threats moving laterally inside a network, as attackers adapt their tactics to target the weakest points in the network, bypassing traditional perimeter defence solutions entirely.

The solution of fixing all the ‘weak links’ will never work, no matter how skilled the technician or how well threats are communicated. Whilst we continue to engage in such thinking, the economy suffers, and we become increasingly vulnerable to east-west attacks. A perspective shift is needed if we are to properly address the changing threat landscape.

Related:

Copyright © 2020 IDG Communications, Inc.

What is security's role in digital transformation?