Good security practices are no longer optional or just “nice to have”. The age of naivety has well and truly passed, and businesses that continue to operate with a head-in-the-sand attitude are not able to effectively maximise the returns on their assets – assets that are increasingly digital, portable, and greedily desired by competitors and developing nations alike.
A recent Akamai “State of the Internet” report has shown that Indonesia and China combined represent 71% of the global attack traffic. This is not stereotypical dysfunctional teenaged hackers; this is targeted, industrialised intellectual property theft.
One of the biggest blockers to effective security
management is the belief that it is an IT problem, and that IT will solve
it. If this were true, then there would
be no spam, no viruses, and no cyber-crime.
Yet 20 years of the best minds in the best IT companies, developing the
best products has left us where we are, heading upstream without a paddle. Security is a people problem, and until it
becomes just business-as-usual, integrated into every business process, we will
make little headway. We already know how
to deal with safety: safety is everyone’s problem. We just haven’t realised that information
security is business safety, and is also everyone’s problem.
The security foundations are able to deal with
yesterday’s problems – patching, antivirus and firewalls – but they are no
longer enough to keep us safe from today’s problems. Today we live in a portable world, where the
ability to work anywhere, anytime and have complete connectivity whilst doing
so has meant that the implied protections of the past no longer exist. Home networks are not as well protected as
business networks. Portable devices are
left unprotected in airport lounges.
Social networks allow us to connect to our attackers in unimaginable
ways. Every protection we have built can
and will eventually be bypassed. It is
no longer “if” but “when”.
The planned Data Breach Disclosure legislation in
Australia will help us to help ourselves.
The intent is not to blame the victims, but instead give businesses
incentives to protect their own assets, and break the culture of silence. A company director is more likely to support
a security improvement programme if they are the one who will be held
personally liable for a data breach, the average cost of which in Australia was
$2.13M last year.
Just like the Battlezone game, we need a radar to tell us
when attackers are approaching, not discover it when having to clean up the
mess. Most businesses spend too much on
protecting from attack, and not enough understanding the threat landscape they
operate in, and detecting when the protections have failed. In a video game we can just insert another
coin, press start and try again. We
don’t have that luxury with our businesses.
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com