Comment: We need to address the silo mentality in infosecurity

Dyhouse says the silo mentality in information security is one of the most important challenges the industry faces over the next few years
Tony Dyhouse, Digital Systems Knowledge Transfer Network

Information security is a profession with many talented people working to address rapidly evolving problems. Unfortunately, there are equally talented people working to find ever more complex ways to thwart our efforts and access the valuable data we are trying to protect. It’s a very sophisticated game of cat and mouse, and any advantage we can gain to stay one step ahead of criminals is invaluable.

We can sometimes be our own worst enemy. There remains a silo mentality in the industry that causes opportunities to be missed, work to be duplicated, and invaluable knowledge to be hidden because organisations believe they have a vested interest in maintaining secrecy.

Governments and companies are often working on projects that could benefit from the work of others. They face the same problems and fall foul of the same hacks and scams. By sharing our successes and failures, our industry can advance much quicker and will stand more chance of reducing cybercrime and information loss. The idiom “a problem shared is a problem halved” applies.

A fairly straightforward example is that of a malware attack like the recent one on Google, designed to sit hidden on computers and allow them to be accessed remotely. These breaches can remain undetected for years and spread – in the more serious cases – to millions of computers.

If one company detects a rogue programme or piece of code, then they can probably remove it from their system. If they share this knowledge with others, then everyone can get rid of it.

But more importantly, sharing means the information security community can learn about how the malware works, what weaknesses it exploits, and discover unique aspects that enable its identification. This leads to solutions that can address whole strains of attack variants. Weaknesses can be patched and security measures can be designed to deal with these threats. In some cases, it may even be possible to identify the source and prevent future attacks.

The only way overall security will improve is if organisations are open about these issues and share information with others. Google and Adobe should be praised for coming clean over recent attacks. It only takes one organisation to break the silence, and a common response can be applied. Learning from mistakes has been successfully employed in the health and safety field for many years, and can improve cybersecurity in the same way.

The idea that many companies aren’t aware of what may be on their system is worrying. Moreover, the possibility that companies may not be sharing because they don’t realise the significance or the benefit, or because they are scared of a negative backlash, is cause for serious concern.

This need for collaboration doesn’t stop with reporting attacks once they are detected. The information security field needs to share successes as well as failures if we are to prevent attacks from happening in the first place. Plenty of companies are working in the same area and addressing similar problems. Sharing knowledge with competitors seems illogical, but in fact it is anything but.

By being more open from the start, and by looking at collaboration opportunities, two companies can develop the same product twice as fast, or address two separate challenges without competing against each other.

Perhaps most importantly, it is in collaboration outside the industry that some of the most significant gains are to be made, both in terms of profitability and solving future problems.

The security industry tends to address existing problems, rather than new ones. This is understandable because it’s much easier to sell a solution to an existing problem than one that doesn’t yet exist – but this mentality really needs to change. Technology is advancing rapidly and is being developed with functionality, not security, in mind. If we don’t do something now, this will cause serious security problems down the line.

Mobile phones are a good existing example where little consideration was given to security. They are ripe for exploitation as they increasingly converge into smart devices and are used to run third-party applications and remotely access data. We will shortly be faced with complex security procedures in order to use them safely – and no doubt various embarrassing and costly data loss stories – because the security issues were not addressed at the outset.

One of the next big technologies will be smart meters, which are networked for monitoring and billing of electricity usage. The UK government is committed to rolling these out across the country, but again very little thought has been given to information security in this plan. If it is not considered during the design process, then we risk creating a national system that is completely unsecurable.

Security professionals need to actively seek out ways to get involved in these projects from the start. They need to meet the people designing these systems and the policy makers supporting the projects. Security personnel will need to justify their involvement by highlighting the costs of risks down the line if proper precautions are not designed in from the beginning. If we get this right, then there is good money to be made, the future of the industry will benefit, and people will be able to go about their digitally enabled lives with the confidence that they are safe and secure.

The technology and know-how are often there. The problem is very much one of attitude and communication. We are not sharing the information to allow us to effectively exploit our expertise.

Those involved with security – whether they are CIOs, security companies or policy makers – need to work together to identify the problems and help develop appropriate solutions. As cybercriminals become even more advanced and rapidly changing technology offers more opportunity for errors and exploitation, collaboration will be the most effective way forward. Addressing the silo mentality in the information security industry is going to be one of the biggest and most important challenges we face over the next few years.

Tony Dyhouse is director of the Cyber Security Programme for the Digital Systems Knowledge Transfer Network. He is one of QinetiQ's senior managers, and has a wealth of experience in the areas of information risk management, network intrusion detection, penetration testing, incident response and forensics. Dyhouse’s career spans more than 25 years in the IT industry, with experience in telemetry, operational management of WANs and LANs, and the application of various security technologies. His work has been applied to both public and private sectors and Tony is a great advocate of fostering better communication and cooperation between these sectors within the UK. With this in mind he participates in several forums and working groups relating to the threats, old and new, faced by a converging world.

The Digital Systems Knowledge Transfer Network is an independent body set up by the Technology Strategy Board to combine expertise in distributed computing, cyber security and location services to help address the challenges of digital Britain. The Cyber Security Programme brings together business, government and academia to develop effective responses to cyber security threats.
