If you consciously try to thwart opponents, you are already late.
Miyamoto Musashi, Japanese philosopher and samurai (1645).
The future is disorder. A door like this has cracked open five or six times since we got up on our hind legs. It is the best possible time to be alive, when almost everything you thought you knew is wrong.
Tom Stoppard, Arcadia
In this final chapter,1 we look to the future and some of its possibilities as they relate to our global, more interconnected than ever society; governments, businesses, groups, and individuals’ actions and reactions; technology; and the impact that all these topics have on cyber security.
When the first edition of this book was published in 1998, we discussed the future based on the impact of topics like those identified above. Much of what is required for cyber security and its program is based on proven cyber security techniques that have been around for decades, albeit under various names such as computer security, network security, and information systems security.
Although you will find much of the following redundant with this book’s first two editions, it is not being repeated because we are too lazy to start anew. It is because the same issues and same basic methods to solve them have not changed any more than the threats that the future holds. So, let’s take out our crystal ball and see what the future continues to hold for all of us.
Unfortunately, even the basics of computer security standards that have been around for decades have often not been met. In fact, even U.S. federal government computer security standards, required to be followed by government agencies, often are not followed.
U.S. Secret Service refused to provide data on its computer security systems to the Department of Homeland Security … preventing it from being able to verify if it was complying with security policies, … The service … “refused to comply with mandated computer security policies,” according to the report by the DHS inspector general.2
Will this change in the future? Maybe, but probably not, if history is any indication; and if so, probably not to the extent needed.
In the business world, the same applies under the guise that it is not cost-effective. However, now and into the future, as lack of security influences the bottom line, we hope that that will change.
One of the problems is that we base our security requirements, including cyber security requirements, on “risk,” and business is fundamentally based on risk taking. When you base your security requirements on the concept of managing risk, you are accepting that you are only buying time and that, at some point, an incident will happen.
However, as constant successful attacks show, the costs of patching systems, paying out money in lawsuits, dealing with the adverse public relations issues that follow, and absorbing the losses in stock values as they plummet are higher than the cost to “do it right the first time” and continuously update and improve over time. Corporate management just doesn’t get it, maybe never will. Governments, groups, and individuals have declared war. Will that increase or decrease in the future? All indications point to an increase.
Although not officially confirmed, at least one major business was successfully attacked because the default passwords that came with the software were never changed. That was identified as an issue at least as far back as the 1980s, if not before. That first hacker attack based on that vulnerability can be traced to at least the first 300-baud external modem based on a hacker software program using the BASIC programming language. For those of you who don’t know what we are talking about because you weren’t even born at that time, it proves my point.
Why won’t these leaders in businesses, industries, and governments change? Some of the “blame” rests in democratic nations where people enjoy at least some semblance of freedom, and being told what to do and how to do it is something that they don’t like and try to avoid. Security and law enforcement people, and auditors, are always telling people what to do and what not to do. In the future, a way must be found to make them willing to do it or make security totally invisible to them, so that not even a password or biometric access control will be needed, unless error-free, and the user does not have to take any action. An “avatar” that is secure, maybe? Not an easy task.
Surviving into the Future
Senior corporate and government leadership support continues to be missing and is necessary to develop the appropriate planning, guidance, strategy, skilled workforce, plant, and equipment. Corporations and nation-states need to boldly accept the new reality lest they wish to lose and not be able to reattain the competitive edge. Bureaucracy has no place in a cyber security-protected environment with nanosecond attack weapons requiring nanosecond responses. As the past and present have shown, they have not changed, and personally I do not hold out much hope for that to change in the future.
Senior leadership is essential for security to be meaningful to the bottom line or national security of nation-states. Corporate espionage will continue to be as big a threat as government espionage—maybe more so. Netspionage3 has become a valuable tactic in support of a corporation or government agency’s overall espionage and competitive business strategy.
Information warfare attacks against global corporations have dramatically increased since that topic and term was coined more than a decade ago. Let’s face it, we certainly are in a global information war whose agents are all those who attack our systems and networks for fun, profit, and power.
They have grown in sophistication and are expected to do so, from governments to individuals around the world. Sadly, it has also never been easier. Financial losses due to attacks have been caused by successful security breaches, from financial fraud and theft of proprietary information to identity theft to sabotage and blackmail. A new term has come into usage over the past few years—“advanced persistent threat,” or APT for short. APT is used to describe an ongoing set of stealthy computer hacking attacks, often targeting a specific business sector, organization, or system.
The motivation for an APT can be for business or political gain. As the name implies, APT consists of three elements: the attack is of an advanced type, it is persistent, and it poses a threat. The term was first used to describe an ongoing series of attacks that originated in China, but is now more widely used. What is clear is that we can expect these types of attack not only to continue, but also to increase. Why wouldn’t they? We aren’t very good at detecting and responding to them, and as long as the benefits outweigh the cost, it is worthwhile for the nation-state or group that is doing them. There have not been any repercussions.
Attacks from a nation-state go on as we trade with them. There are no penalties for attacking our networks. So adversaries, and that includes general hackers, attack with impunity.
There is no silver bullet, no one-time expenditure of money to “fix the problem,” and no means to put the genie back in the bottle. Enlightened and dedicated leadership willing to stay the course is necessary to guide governments and businesses into the future.
New Old Approach to Security—Defensive Approach
The approach that responsible governments, businesses, and other entities must take in the future to ensure that we have the correct environment to endure is to at least get the basic security processes in place!
This will require a significant change in the attitude and approach that are taken at all levels of governance and management. We have been saying this since the 1980s and we say it here once again in 2016. We must get on a war footing. Good grief!
What will be required in order for the structures that we understand to survive is a large-scale adjustment in the attitudes taken on the whole subject. The truth of what we have said in the past, “… the threats are real; and the adversaries are serious about it,” must be realized. To a certain extent, that realization takes place generally only after a massive, successful attack. However, after it is over, and everyone has calmed down and begun to forget it, management goes back to business as usual and so do government agencies. We do not seem to be able to learn from either our own past or that of other organizations and seem to be doomed to continue to repeat it.
There has been fear (and still is) that a “pearlharbor.com,” as Winn Schwartau puts it, is coming. We have already seen it in the physical world. Can the virtual world’s Pearl Harbor be far behind? Mini ones are taking place globally and daily. However, as those of us in the profession have said this for so long, it is like the boy crying wolf, or like the Year 2000 “world will end as we know it” owing to the millennium bug crash that never happened; we must in the future choose our words more carefully and present the probable risks in a more objective way.
The Changing Environment
To the present day, we have a history of understanding the issues that are related to attacks and cyber security that are imposed by physical, procedural, or personnel means. We also now understand the attacks’ offensive and defensive worlds better than ever before and we hope we will get better at understanding the issues coming in the future, but understanding the issues and doing something about them are two different things.
The Need for Enlightened and Dedicated Leadership
If an environment in which organizations can feel safe from successful attacks is to be achieved, there need to be significant changes in the attitudes of both government and management at all levels of organization.
An infrastructure, at an international level, for collaboration between governments and law enforcement agencies already exists, but until ALL countries sign up to this and allocate sufficient resources to make it effective, there will continue to be issues.
There are currently countries that provide “safe harbor” to both organized criminals and terrorists that are using the Internet to carry out cyber attacks. Allegedly China is doing that relative to North Korea’s information warriors operating in facilities on the Chinese mainland. There are also other countries that are, themselves, conducting cyber attack operations. While this continues, our defenses need to be improved to meet every possibility.
Perhaps one of the measures that can be put in place will be forums in which incidents can be reported in a suitable manner by individuals, companies, and governments and where best advice can be gained—without worrying about the political and power-play games.
While these exist in some countries and communities, they must be ubiquitous and easy to access. If attacks are taking place at nanosecond speeds over structures that do not recognize national borders, then any impediment that the current structures and organizations impose will encourage the perpetrator.
In government, in most of the democratic nations, an individual who will champion the cause of creating the correct environment for the protection of information systems is a conundrum. It would require a political nominee who is willing to put the cause that he or she is supporting not only above his or her own ambitions (cyber security is not an area that has a track record of producing new party or national leaders) but also above party loyalty. He or she would need to have seniority within his or her own party, cross-party support, and tenure in the post for a period of more than one term of office to have any significant effect.
Will that happen? I doubt it. When something happens, they will hold public hearings, look for scapegoats, get their faces on the news, pontificate from on high, but afterward go back to their old ways. If they want to find those partially responsible they have but to look in the mirror.
It is imperative that when looking at cyber security, cyber attacks, and the like, one should begin by understanding the global trends because that is the environment that will dictate much of the offensive and defensive environments and tactics and help one understand the reason for such attacks, as well as helping to understand the defensive needs and solutions.
Every four years the U.S. National Intelligence Council (NIC) publishes an update of its “Global Trends” series that identifies key drivers and developments likely to shape world events a couple of decades into the future.
In the “Report of the National Intelligence Council’s 2020 Project,” the NIC included an executive summary, some of which is quoted below:
…At no time since the formation of the Western Alliance system in 1949 have the shape and nature of the international alignments been in such a state of flux … The role of the United States will be an important variable in how the world is shaped, influencing the path that states and nonstate actors choose to choose …
New Global Players: The likely emergence of China and India as well as others, as new major global players—similar to the advent of a united Germany in the 19th Century and a powerful United States in the early 20th Century—will transform the geopolitical landscape, with impacts potentially as dramatic as those in the previous two centuries … how we mentally map the world in 2020 …
New global players are not really that new; however, they have increased in power and impact on the world stage. Such shifts and changes are causing the status quo to fade away. Thus, there will be more fighting among nations and, with that, the use of cyber tactics to assist nations in gaining dominance.
Impact of Globalization
…Globalization as an overreaching “mega-trend”, a force so ubiquitous that it will substantially shape all other major trends in the world of 2020 … the world economy is likely to continue to grow impressively: by 2020, it is projected to be about 80% larger than it was in 2000, and average per capita income will be roughly 50% higher … Yet the benefits of globalization won’t be global … The greatest benefits of globalization will accrue to countries and groups that can access and adopt new technologies … China and India are well positioned to become technology leaders, and even the poorest countries will be able to leverage prolific, cheap technologies to fuel—although at a slower rate—their own development …
…More firms will become global, and those operating in a global arena will be more diverse, both in size and origin, more Asian and less Western in orientation. Such corporations, encompassing the current, large multinationals, will be increasingly outside the control of any one state and will be key agents of change in dispersing technology widely, further integrating the world economy, and promoting economic progress in the developing world … Thus sharper demand driven competition for resources, perhaps accompanied by a major disruption of oil supplies, is among the key uncertainties.5
Today’s economic wars have included offensive operations and these are expected to increase in volume and sophistication as the demand for economic power is supported and made more vulnerable by the world’s dependency on technology.
New Challenges to Governance
The nation-state will continue to be the dominant unit of the global order, but economic globalization and the dispersion of technologies, especially information technologies, will place enormous new strains on governments … political Islam will have a significant global impact leading to 2020, rallying disparate ethnic and national groups and perhaps even creating an authority that transcends national boundaries … The so-called “third wave” of democratization may be partially reversed by 2020—particularly among the states of the former Soviet Union and in Southeast Asia, some of which never really embraced democracy …
…With the international system itself undergoing profound flux, some of the institutions charged with managing global problems may be overwhelmed by them …6
Technology can free us or help enslave us. We are ever so much closer to George Orwell’s predictions in his book, 1984. It all depends who has dominant power over it in each nation, business, or group, including religious groups. One has to just look at the latest efforts by the NSA, CIA, and their counterparts in Russia, China, Iran, and the like to see that we citizens of the world are in danger of losing not only more of our freedoms, but maybe even our humanity. Of course, many agencies cite doing this in the name of security for us all. Many also would give up more freedom for security, but when is it enough?
Like the Asian view of the world and life in Yin–Yang terms, we should look at our security versus our freedom in a similar fashion.
When do we know when we are giving up too much of our freedom and how do we get it back, or will it already be too late?
Since the first edition of this book was written, there has been a dramatic increase in terrorism. Terrorists’ offensive use of cyber war tactics, techniques, and cyber weapons has drastically increased and it is expected to do so into the future. Terrorists still prefer the propaganda effect or barbaric acts such as bombing, kidnappings, beheadings, and the like; however, they are ever increasingly relying on cyber weapons to exploit the vulnerabilities of their enemies—which are basically most of us.
In the past they have had to rely on the news media of the nations involved to propagate their messages, whereas now they have the means to get their messages to anyone who is willing to listen. Blogs and social media are great propaganda tools for spewing their hatred and are also great recruiting tools, as we have seen with “lone-wolf attacks.” Physical attacks, yes, but recruited online.
Pervasive Insecurity
Even as most of the world gets richer, globalization will profoundly shake up the status quo—generating enormous economic, cultural, and consequently political convulsions … The transition will not be painless and will hit the middle classes of the developed world in particular … Weak governments, lagging economy and extremism, and youth bulges will align to create a perfect storm for internal conflict in certain regions …
…The likelihood of great power conflict escalating into total war in the next 15 years is lower than at any time in the past century, unlike during previous centuries when local conflicts sparked world wars … Countries without nuclear weapons—especially in the Middle East and Northeast Asia—might decide to seek them as it becomes clear that their neighbors and regional rivals are doing so …7
We must also remember the power that individuals now have to exploit those that they feel are against them, whether they be governments, businesses, groups, or other individuals, for example, even school bullying causing some to commit suicide—and on a global war front. The worse the economy gets, the more hostile and dissatisfied a nation’s citizens become. So, we may not have a global World War III, but certainly we are having thousands of global cyber attack skirmishes 24/7 and this, too, is certain to increase into the future.
Transmuting International Terrorism
The key factors that spawned international terrorism that has no signs of abating over the next 15 years … We expect that by 2020 al-Qa’ida will be superseded by similarly inspired Islamic extremist groups … Our greatest concern is that terrorists might acquire biological agents or, less likely, a nuclear device, either of which could cause mass casualties …8
This has already taken place with the advent of ISIS, and surely more groups will follow and even look at other terrorist groups as their enemies as they all continue vying for global domination. Surely their use of cyber attacks will not be limited to only nonterrorist groups.
Policy Implications
…Although the challenges ahead will be daunting, the United States will retain enormous advantage, playing a pivotal role across the broad range of issues—economic, technological, political and military—that no other state will match by 2020 … While no single country looks within striking distance of rivaling US military power by 2020, more countries will be in a position to make the United States pay a heavy price for any military action they oppose. The possession of chemical, biological, and/or nuclear weapons … also increase the potential cost of any military action by the US …
…A counterterrorism strategy that approaches the problem on multiple fronts offers the greatest chance of containing—and ultimately reducing—the terrorist threat … Over the next 15 years the increasing centrality of ethical issues, old and new, have the potential to divide worldwide publics and challenge US leadership …9
While governments around the world continue to think in terms of twentieth century weapons in this twenty-first century world, we must remember how vulnerable our technology-dependent governments and businesses are to successful cyber attacks. The more “advanced” a nation is and the greater its dependency on technology, the greater the exposure to cyber attacks.
It is a sad commentary, but chances are the use of cyber-offensive operations will continue to increase and the lack of viable defensive operations will allow more and more attacks to be successful, causing greater scales of damage as these cyber weapons continue to increase in sophistication while defensive tools continue to lag behind.
Offensive–Defensive Cyber Attacks
When will we get to the point at which a person, group, business, or government is going to say: “I’m mad as hell and I’m not going to take it anymore!” We are fast approaching that time, if not already past it.
If an entity is attacked, it is about time that the victims, in self-defense, go after those attacking them and not rely on someone else to protect them. Obviously, agencies such as the FBI and local police investigators come in after the attacks, run their investigations, and may even identify the adversary. Then what? No jurisdiction, so no prosecution. So, basically, maybe time for a little “Wild West” independent action?
What we need in the future is a covert “mirror-image” software program that will not only deflect the attack but have that program turn on itself and bounce back to attack the attacker.
Yes, some government agencies are beginning to take covert, offensive–defensive actions. However, more is needed at all levels of victimization. The “reap what ye have sown,” “eye for an eye,” old-style philosophy and justice maybe need to come back in vogue?
Some will criticize “vigilante” justice, warning that we can’t be like them; chaos will reign. The ones saying that are primarily those in law enforcement who fear that dependency on them will wane, politicians who fear losing power, and those who have no “skin in the game,” among others.
The Future of the Internet
Because of the power and influence of the Internet, some nations want to control it; others want to have the United Nations be responsible for its management. Governments don’t like something they cannot control to their benefit. The day the Internet falls into political hands, our freedom on the Internet, as we users now enjoy it, is doomed. I would hope that, as users, we will not allow that to happen.
That being said, some are optimistic that new technology will allow global users to reconnect on a global scale using another form of technology as it supersedes the “old-fashioned” Internet. In fact, global users may even be able to establish their own mini-Internets and connect to other mini-Internets through advanced communications, even embedded microprocessor technology as a form of cyber-telepathy. They become their own Internet service providers. One can only hope.
Questions
• Are you preparing now for the future of cyber security, information warfare, cyber-terrorist attacks, and the like?
• Do you keep up with technology and project what-if new technologies into your future cyber security plans and program?
• What do you think the future holds for all of us if the Internet freedom we now have is taken away?
• Will you be a freedom fighter or a cyber security officer that “just follows orders?”
• Do you maintain a database of defensive software and offensive software (that used by the cyber attackers) that you can use when needed and also compare your database of cyber attack software to incoming events to see if they are an attack?
• What are you, as a cyber security officer, going to do now to meet the future challenges of cyber security?
Summary
The saying “the more things change, the more they stay the same” certainly seems to be holding true. Although we have and will continue to have advances in technology allowing for more sophisticated offensive cyber attacks and defenses, we are fighting more cyber battles and losing more of them than ever before.
In the future, we must reconsider our defensive approaches, fund them as a high priority in every entity, and go on the offensive as a defensive approach.