The One Where I Say the Quiet Part Out Loud
Over the last 20 years, the cybersecurity market has steadily grown into a thriving global industrial complex. Thousands of companies, dozens of conferences and too many trade journals, blogs and podcasts to count have all been selling products and services to make the cyber domain secure.
So, why aren't we more secure?
Both cybercrime and state-sponsored military cyber aggression are on an upward trajectory as the skill, sophistication and sheer number of bad actors continue to increase. Given private industry's technological overmatch, shouldn't the frequency and severity of cybersecurity events be trending downward instead of up?
The problem is one of fundamental misalignment. Cybersecurity provider business models are predicated on protracted cyber malfeasance. If there's no aggression, if there's no crime, then there's no business. The cyber industrial complex doesn't profit from deterring or denying cyber hostilities. It profits from a continued state of emergency and uncertainty. As long as shareholders are happy with sales, this dynamic won't change.
History shows us that for-profit security is a terrible idea. Until the mid-19th century in America, much firefighting was done by brigades owned or funded by insurance companies. This meant that if your house or business wasn't insured, no one was coming to put out your fire. As cities grew and spread, so did the need to provide security at scale. Municipal fire departments were established and citizen-funded to assure equal protection for all.
Security at scale is most effective as a well-regulated public benefit. In the physical world, nearly every aspect of daily life is overseen by agencies that provide for the equitable safety of people while traveling, working, driving, doing business, making purchases and so on. In the cyber domain, however, there is no central authority for the prevention and prosecution of unlawful or unsafe behavior. It's every individual and every company for themselves, with no coordinated strategy to address the growing threat.
Less tangible but more concerning is the damage cyber aggression does to the companies that provide critical goods and services (e.g., emergency services, energy, water, banking, logistics and transportation). These companies are subject to thousands of serious breach attempts every single day. As a result, American critical infrastructure is suffering a slow death by a thousand papercuts, the cybersecurity industrial complex is getting rich selling Band-Aids, and cyber bad actors continue their assaults with impunity.
Given the increasingly complex cyberattack surface and the upward trajectory of malicious behavior, we're on track for more frequent and pervasive security events. What does that mean for you? If the cyber domain is a continuous conflict zone, then your finances, personal data and other digital assets (think photos, email and chats) are perpetually at risk. Rampant cyber aggression undermines the utility of a free, open, interoperable, global internet.
We simply can't go on like this. As long as the response to persistent cyber aggression is a fragmented, triage-focused, poorly played game of whack-a-mole, bad actors will continue. A for-profit cyber defense system only perpetuates this dynamic. It's time to reexamine current systems and demand security in cyberspace as a public benefit and a basic human right.
(Republished with permission. This article originally appeared in Forbes on July 24, 2023.)
As always, agree or disagree, I'd love to hear your respectful comments below. And shares are most appreciated.
The complexity of the digital network is increasing exponentially, rendering new attack opportunities regularly. On the other end, as consumers/employees and users of these digital systems, we are 'innocent'; we do not know what we do not know, which forces us to react to cyber-attacks and always be one or more steps behind the crime wave as opposed to being ahead of it. This is a war, and people's lives are at stake, same as with firefighting... but this is where the comparison ends... and I did not add my two cents and dark vision on virtual intelligent cyber warfare.
Director @ Guidehouse | Commercial Health IT Advisory
1y
This plays out also in security consumption-based models (like those from public cloud providers) vs. security subscription services. There is a constant push to consume more logs, audit more resources, analyze more threat data, and it's not sustainable.
Information Security Leader| Cyber Resilience
1y
This was an interesting read. I think security would be better if we architected with resilience in mind. Many security programs don't need this wide plethora of tools. The more tools you have, the more tools you will need. I do think the public-private partnership is effective if both sides are aligned on their roles. How many companies are lacking basic security controls such as business continuity or vulnerability management done as it should be? Is your security awareness program mature enough to educate based on your environment? Because people are still the greatest threat to cybersecurity. As long as we have poor security governance and tooling alone is seen as the way forward, we will continue to have the same issues for profit.
Cybersecurity & Resilience for Strategic Leaders & Tactical Operators | Growth & Innovation Advisory | Critical Infrastructure Specialist | 🇪🇺🇬🇧🇺🇸🇩🇪🇵🇱🇺🇦🇨🇿 | EMEA 🌍 US 🌎 NATO ⚔️ ⚓️ 🛩️ 🛰️ | Let’s connect!
1y
We make Drawbridge for the digital world that provides absolute security, as drawbridges have provided flexible access security for fortifications for ages. I keep hearing xxx excuses why what is in place is enough. In reality, what I see the counterparty has in place equals a guard securing a mile of a grown corn field. Things have to change, or we are dead.
Only ten thousand paper cuts?