AISA 2017 – Changing the game: how changing our mindset can drive infosec success

As the President of the Cyber Threat Alliance, Michael Daniel has worked with the US Federal government on cybersecurity policy and strategy. He spoke at the 2017 AISA Annual conference on the importance of taking a risk management, rather than technical, approach to cybersecurity.

For many senior managers, information security is either too hard to understand or the problem is impossible; it’s either inexplicable or fatalistic. But neither of these are true, he said.

The problem is hard because cybersecurity is not just a technical problem. It is also economic, psychological and human behavioural challenge, all rolled into one he said. You can’t delegate it to a “geek in the basement” and expect it to be resolved. It’s not about finding a technical solution but managing it as a risk.

Cyberspace is governed by a different set of rules to the physical world. Distance, borders and proximity are different in cyberspace when compared to the physical world. Analogous tools, to those in the physical world, don’t work in cyberspace. We need to come up with different models and tools.

Cyberspace is still new he said, and we are still learning. We haven’t had the time or experience to develop a comprehensive frameworks required to address cyber-risk, said Daniel.

Daniel said the strategic context for cybersecurity is that the threat will continue to get worse, states and criminals will continue to expand their use of cyber-weapons, and physical world constructs we cling to won’t work.

In today’s world, the threat surface is broader than ever before. Depending on whose research you believe, we are adding between five and ten million devices to the internet each day. This is unlike the physical world, which is fairly finite.

The frequency of attacks continues to increase and attacks are becoming more dangerous and the disruptive nature of those attacks are increasing.

The threat actors Daniel described fell into the four groups we often see. There are hacktivists, criminal organisations, terrorists, and nation states. The distinction between these groups is important as our defensive postures need to vary when we design our security systems, depending on which groups we see as being most likely to attack us.

All hackers face constrains. They need far more time that we see on Hollywood – Daniel said his analysis suggests “Hollywood hackers” take just 22 seconds to break into a system. But reality says they need more time, are constrained by computing capacity and can only try a finite amount of times to carry out their attack before they are detected.

Nation states are also constrained by the ability to use intelligence information as, when used, that data could lead to detection. They will also often need to use systems in third-party countries and they might need to work with other agencies in their own governments – something that is often hard to achieve.

Daniel says navigating this threat environment starts with building a cyber toolbox. At the top of this is the mindset. That means thinking about cybersecurity as a risk to manage and not a technical problem to solve, That mindset shift needs to enter the c-suite and drive the development of a holistic risk-management framework and communication strategy.

He noted that companies that had been attacked were, unsurprisingly, most open to listening to the message of better risk management when it came to cybersecurity.

Then companies need to have security performance metrics, an incident response plan and ensure there is accountability for cybersecurity.

Not all that needs to happen inside the business. External expertise, information sharing with other organisations and establishing relationships with government agencies are also important.

Part of the challenge starts with driving changes in the security industry, said Daniel. Cybersecurity businesses need to change the basis of how they compete. Rather than focussing on how much data they collect about threats, the focus needs to be on how that data is used.

We also need to change how we operate so threat actors have to change how they work. By forcing them to retool, threat actors can be thwarted by how we work.

And by coordinating actions that disrupt hackers – not actively hacking them back – we can create disruptive actions that make it harder for attacks to succeed.

The group Daniel leads, the Cyber Threat Alliance, is a group of, currently, 12 compounded who have agreed to share cyber threat information so hacker networks can be disrupted.