JASON HEALEY
It is not news that cyberspace is insecure. Attackers have had the advantage over defenders for not just years, but decades. Quotes from decades ago make it clear that cyber defenders then faced the same challenges we do today (and with a similar lack of success). When was the last presentation you heard that had anything as smart as the following?
“The system designer must be aware of the points of vulnerability, which may be thought of as leakage points, and he must provide adequate mechanisms to counteract both accidental and deliberate events. The specific leakage points include physical surroundings, hardware, software, communication links, and organizational (personnel and procedures).
“A combination of hardware, software, communications, physical, personnel and administrative-procedural safeguards is required for comprehensive security. In particular, software safeguards are not sufficient.”
That was part of the Ware Report, published in 1970.
Defenders have not gained any lasting advantage from four decades’ worth of innovation, tens or hundreds of billions of dollars spent on security, or the tens of thousands of certified cyber defenders. Cyberspace remains “attacker advantage.”
Recently, a group of 30 leading experts with backgrounds as cybersecurity executives, technologists, former government officials and academics came together to form the New York Cyber Task Force, and together they launched a new report on how to create a more defensible cyberspace.
Keeping cyber attackers from gaining a foothold in computers—and kicking them out once they do—remains easy to imagine but hard to achieve in practice. Why has this been so challenging? Every cyber defender has their own favorite reason. The New York Cyber Task Force identified the following as some of the most important:
Internet architecture: “The Internet is not insecure because it is buggy, but because of specific design decisions” to make it more open, explains pioneer computer scientist David Clark.
Software weaknesses: Not only is it impossible to write bug-free code, but, “There are no real consequences for having bad security or having low-quality software…. Even worse, the marketplace often rewards low quality,” said security expert Bruce Schneier in 2003.
Attacker initiative: An “attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all,” according to the 1991 report Computers at Risk.
Incremental solutions: Fixes typically target symptoms rather than underlying problems. To paraphrase Phil Venables, New York Cyber Task Force co-chair, the uninterrupted production of insecure IT products forces companies to purchase ever more IT security products.
Attacker incentives: Cyber crimes, warfare and espionage can seem risk-free because of the often difficult process of attribution, ease of crossing borders to stymie law enforcement, sanctuary certain nations offer cyber criminals, and differing national laws.
Impact to convenience: Improved security often imposes costs on ease of use. As a result, it is often bypassed, or never even implemented, by individual users and beleaguered IT staff.
Arcane security and opaque products: “Most consumers have no real-world understanding of [cybersecurity] and cannot choose products wisely or make sound decisions about how to use them.” This is as true today as when it was written in the 1991 Computers at Risk report. Cybersecurity has gotten so complex that even IT staff struggle to understand the products.
Longevity of attack methods: Attacker innovation in cyberspace is often unnecessary because older, simpler tools remain effective against most targets.
Troublesome humans: People can be tricked or grow disgruntled and, in the words of one expert, “are always the weakest link.… You can deploy all the technology you want, but people just cannot be programmed and can’t be anticipated.”
Rapid pace of technological change: The accelerating pace produces ever-larger potential attack surfaces and ever-more skills, education and certifications necessary for successful defense.
Complexity: Defending this attack surface has required a profusion of new tools. It has been known since at least 1980 that “increasing complexity increases cost” and “decreases the predictability of new costs.”
Sentient opponents: According to expert Dan Geer, “the one thing that may make cybersecurity different … is that we have sentient opponents … [so the] puzzles we have to solve are not drawn from some generally diminishing store of unsolved puzzles,” as in physics or economics. Those opponents fight for access to our systems in pursuit of profit, intelligence, military advantage or curiosity.
Lack of coherent strategy: Few, if any, of the various reports or cyber strategies lay out an overall approach to bind the work or guide between competing priorities. They are instead lists of critical tasks with no underlying theory of how these tasks will lead to success.
The factors which have made cyberspace less defensible do not have to be iron-clad rules. Most of these are not “physics” as such. They are based in design choices, emergent behavior and specific decisions by key stakeholders. Individually and collectively, they can be mitigated, but only if defenders leverage the massive scale of the Internet (and the universe of interconnected devices) at least as well as the attackers.
Even with the multitude of challenges to making cyberspace more defensible, the NY Cyber Task Force believes a more defensible Internet can be within reach. New game-changing technologies, such as the secure architectures permitted by cloud technologies, can radically change cyberspace with advantage and scale in favor of defenders. But so too can operational and policy innovations, which are often overlooked or discounted.
Most of the items on this list are decades old and are generally well understood. The cybersecurity community will only solve the problem when it moves past Band-Aid cybersecurity solutions to addressing the underlying problems with solutions that give the defender the most advantage over attackers at the least cost and greatest scale. To quote the New York Cyber Task Force: leverage.