If you've been following along, I have discussed the notion that computer systems fail similarly to biological systems. A practical approach to addressing the issues concerning cybersecurity (digital pathogens) should include approaches taken in the physical world to address the problems of healthcare and illness.
So we know we can gather information about systems that are vulnerable to attacks. We can also assess when and if systems have been attacked and are still under attack and perhaps terminally infected unless we take action. We need to consider making things better in a consistent and proven effective way.
Let us harken back to the days of “Snake Oil,” which was a time when anyone who had an entrepreneurial spirit could bottle whatever they wanted to bottle and hawk it as a cure for anything and everything. Depending on how good the salesman was, it could convince many that they had the medicine, and sales could be brisk. Some things did cure some things (nothing cured all things), and some treatments made things worse and could even kill you.
Enter the US Food and Drug Administration…AKA the FDA. The FDA - and later their counterparts in other countries - was established to require peer-reviewed scientific methods to test the safety and effectiveness of medications or treatments for illness. Although some persist, it quickly led to most snake oil's demise, fewer deaths from treatment, and more cures for disease. Eventually, this idea caught on worldwide, and thankfully medical treatments now do what they claim they do most of the time.
Eventually, the USA also created a “Center for Disease Control,” which works with healthcare and the FDA to gather information about illness and coordinate a consistent and approved response. For the most part, it works very well, and other nations, of course, have taken equivalent measures.
In the digital world, we've various national agencies that gather information about “Digital Diseases” and coordinate responses, but lacking any actual global regulatory requirements means this isn't always successful. Moreover, we don’t have a digital equivalent of the FDA. You see, dear reader, it's still possible, and even likely, that many treatments for digital pathogens are, at least in part, Snake Oil.
We as security professionals are left to our wisdom and intelligence to determine proper and practical courses of treatment, which of course, starts with diagnosis and then should end with empirically measurable results (e.g., lab work) to determine how well it all works.
This was in fact one of the reasons to establish Arctic Security. The empirical observation is that something is profoundly broken because most organizations should have basic security measures. Yet we can still observe about 40 million unique systems affected by a cybersecurity problem every month. Without external validation, these organizations don't know they have a problem. Are their current security measures viable, proven and sufficient?
So let us ponder this notion. How would we create a system that consistently deals with digital pathogens and coordinate it globally? The cybersecurity authorities are mainly concerned with the incident response (treatment of symptoms). Some countries actively work to mitigate future problems with vulnerabilities (preventive healthcare). Some agencies engage in monitoring and detection, trying to stay ahead of the curve, akin to work done by the CDC. But who certifies what cybersecurity treatment works, and is it an effective remedy for the issue?
There has been some progress in this area, but it was traditionally linked to topics like comparing antivirus products and IDS systems. Lately, Mitre attack evaluations have done some work to look into how well security products detect known adversary techniques, but this is still relatively early days. It leaves many kinds of security systems entirely out.
It seems like a great discussion to have at the beer counter… I'll expand on this on the next week's blog.