Cybersecurity: State of the Union
September 06, 2017

Terry Critchley
Author of "Making It in IT"

I will illustrate the parlous state of cybersecurity today (mid-2017) with an analogy. Look at the graph below showing the losing margin of your favorite sports team over a few years:


Figure 1: Team Average Losing Margins

What do you recommend the team manager does: resign, buy new team footwear, patch the existing footwear, change their shirt colors, have their hair cut? No, you might suggest that the team and/or manager is changed radically, taking into account the weaknesses that caused these disastrous losses and mitigating them.

An exact parallel exists today in the field of internet cybersecurity. There is a “team” battling to keep it secure and the opposition who are scoring at will, despite the team's efforts. The number of malware breaches (to use a generic term) is rising near-exponentially and, unless there are radical changes, this is set to continue unabated. Most pundits agree with this forecast.

You can find all sorts of numbers by a suitable internet search, but the two things they have in common are that they are large and increasing.

1. The internet by its very nature is open and, as such, prone to abuse, just like a building without doors or windows.

2. The software which drives the internet was written with openness in mind and not security in mind. It is thus very difficult to retrofit security (or anything else absent from the original design) into it.

3. The result of this is endless patching and re-patching, rather like fixing rust patches on a rust-bucket car only to find another pops up somewhere else on the bodywork.

4. There are factions making money out of selling security hardware, software and services to users who have a vested interest in maintaining the status quo.

5. Current thought puts a lot of the onus on the user (in the most general sense), which I believe is wrong. When I buy an airplane ticket, I don't expect to provide my own life vest, seatbelt and emergency oxygen; that's what I paid my money for. I'll play my part as requested by the cabin staff but that's all.

6. Malware incidents are increasing not only in volume but also in sophistication and in the collateral damage inflicted.

7. The rise of mobile internet access and IoT (Internet of Things) means there is an added dimension to the problem, not to mention two orders of magnitude of potential targets. Targets even today include power stations and, in simulated attacks, car control systems. This, if nothing else, demands action other than continuous patching, exhortations to the user and hoping for the best.

8. The defense system today cannot cope and hasn't a hope of coping with this new internet security dimension.

9. Any radical new architecture (and an architecture is needed) will require the hardware and software vendors whose products drive the internet to change those products to conform to it. This conformance will have to be enforced by governments and other large consumers insisting on it from all relevant suppliers. Similar mandates are in force now in some areas.

10. There will be some resistance to a new architecture from anyone who makes money out of the current status of cybersecurity for at least three reasons:

■ The architecture may reduce the need for their products and/or services

■ The wait for an architecture by cautious users will have a similar effect

■ Some of these vendors may be unable to retrofit the architecture onto their current products, originally designed without security in mind.

What is Being Done Today?

More of the same, I'm afraid: more exhortations to the users (there have been annual warnings to the US President every few years since 1992, saying exactly the same thing: "unless we do something (Mr. President) we are heading for serious trouble" or words to that effect), more selling of solutions, and a host of new cyber defense projects across the world by governments, IT organizations and, in some cases, IT vendors. They are being developed in complete isolation (cybersecurity silos) and as a result will almost inevitably be incompatible and will hence fail to communicate with each other.

Trump cybersecurity advisors resign, painting bleak picture of US cyber preparedness

These projects will also be fairly public, rather akin to the NIST output, and the bad guys will love that as they will get advance inklings of what is going on. That output has been issuing forth since 1970 and the reports can be numbered in the hundreds.

A Few of the Initiatives:

US CNAP (US 2016 Initiative)

FACT SHEET: Cybersecurity National Action Plan

Taking bold actions to protect Americans (But nobody else?) in today's digital world.

UK CSS (UK 2016 Initiative)

NATIONAL CYBER SECURITY STRATEGY 2016-2021

The word "architecture" does not appear in the Govt. paper about the NCSS. It does say: "We want to create a cyber ecosystem in which cyber start-ups proliferate, get the investment and support they need to win business around the world, to provide a pipeline of innovation that channels ideas between the private sector, government and academia."
The Rt. Hon Matt Hancock MP, Minister of State for Digital and Culture [UK National Cyber Security Strategy].

Which is the exact opposite of what is needed. This represents silos within a silo.

The following "initiative" diagram illustrates the situation:


Figure 2: Whither a Cybersecurity Architecture?

Other Cybersecurity Initiatives

There are many, many others to choose from, each adding to the users' confusion as to which to select:

- US Homeland
- Israel
- Google
- FIDO (Fast IDentity Online)
- NATO
- Europol (European Police); cybersecurity is just one aspect
- Darktrace
- Fortinet
- Ingram Micro
- Accenture
- Arbor Networks
- And at least a dozen well-known software vendors working on their own "recipes"

I needn't go on, as I feel I have made the point that too many cooks will spoil the (cybersecurity) broth. If the initiatives deliver results, it is highly unlikely that systems using different security architectures or frameworks will communicate without some serious work to provide compatibility.

The outcome is likely to be what we call in England "a dog's breakfast" or, in US terms, "a screw-up."

Dr. Terry Critchley is the Author of "Making It in IT", "High Performance IT Services" and “High Availability IT Services”