Accept Cyber Immunity while Rejecting Fear
To create a more secure future, we must stop fearing and start immunising.
I’ve been working in cybersecurity for over 15 years. During that time, I witnessed the growth of the FUD (fear, uncertainty, and doubt) hype firsthand, along with other information security veterans. I must confess, it worked. With that one, neuromarketing science got it right. Fear did, in fact, aid in the sale of security products. FUD, like any strong drug, had an adverse effect. It didn’t have just one, but several.
We can’t get away from FUD as an industry because we’re addicted to it. FUD presents itself to us in the form of some of our clients seeking proof that what we’re warning them about isn’t simply another potential breach but a real threat. Unfortunately, the best proof that a threat exists is when something horrible occurs. That’s how the media became addicted to FUD. The more millions of dollars, euros, or whatever other currency someone loses, the more compelling the story becomes.
Enter the regulators, who have a tendency to overreact by imposing stringent compliance standards and sanctions. This essentially traps security experts, product developers, marketers, the media, and regulators in a strategic trap known as the prisoner’s dilemma in game theory: a situation in which all participants must utilise inferior strategies because to do otherwise would result in a loss. In the case of the information security business, using that inferior method means spreading even more misinformation.
To get out of this bind, we must first recognise that the future cannot be built on the foundations of the past.
The future I’m referring to is not far off; it’s now here. Robots are already driving trucks and exploring Mars. They compose music and develop new culinary recipes. From many viewpoints, including cybersecurity, this future is far from flawless, but we’re here to empower it, not hamper it.
According to Eugene Kaspersky, “the idea of cybersecurity will soon become outdated, and cyber immunity will take its place.” That may sound strange, but it has a far deeper meaning that deserves to be explained. Let me go over the concept of cyber immunity in further detail.
Cyber immunity is an excellent term for describing our vision of a safer future. In reality, no organism’s immune system is perfect. Viruses or other hostile microbiological agents continue to mislead it, if not attack the immune system itself. Immune systems, on the other hand, share one key characteristic: they learn and adapt. They can be “informed” about potential dangers through immunisation. We can provide them with ready-made antibodies in times of need.
We used to deal largely with the latter in cybersecurity. We needed to be prepared with remedies when our customers’ IT systems became infected. But that’s when the addiction to FUD began, with security firms offering quick comfort for diseases that hurt terribly. That “superpower” sense has become intoxicating for information security vendors. “Yes, it’s time for hardcore antibiotics,” we said, “because, believe us, the condition is that serious.” However, employing strong antibiotics makes sense only when the virus has already infiltrated — and we can all agree that this is far from desirable. In our cybersecurity scenario, it would have been preferable if the immune system could have prevented the infection from taking hold.
IT systems are now exceedingly heterogeneous and cannot be regarded in isolation from humans—those who control the gadgets and those who interact with them. The demand for “immune system education” has become so great that we are really seeing a trend toward prioritising the provision of services — even over products, which used to be primary. (These days, the “product” is frequently a customised solution, something tailored to the peculiarities of the IT system into which it is intended to fit.)
Understanding of this vision didn’t come all at once. And, like with vaccines, it is not a one-shot technique, but rather a series of vaccination attempts with the same goal in mind: increased cyber immunity for a safer future.
First and foremost, a secure future can only be constructed on a secure foundation. We believe this is feasible if all systems are designed with security in mind from the start. Real-world applications in the telecom and automotive industries are already putting our innovative method to the test. Because automakers are particularly concerned about safety, our goal statement of “creating a safer world” is crucial. In the automotive industry, security truly means safety.
We anticipate that, like biological vaccination, the concept of cyber immunity will be regarded with suspicion. “Can we really rely on the immunisation and its provider?” is the first question I’d expect to hear. Trust in cybersecurity is critical, and we feel that merely offering our word is insufficient. If clients of a cybersecurity business want to see the security and integrity of software, they have every right to do so — in the form of source code. We make that available, and all clients need is a pair of sharp eyes and a computer to figure out how things operate. However, we do demand a clean PC for that code reading to ensure that viewers cannot meddle with the code themselves. And, just as you might consult with several doctors, having a trusted third party review the code makes sense. With IT solutions, that outside observer may be Big Four auditing company personnel who can explain what those bits and bytes actually imply for your business.
Another crucial factor is the immune system’s ability to withstand threats. Cybersecurity software is still software, and it is not without vulnerabilities. The only way to learn about these weaknesses is to expose the software to white-hat hackers, who discover flaws and report them to vendors. The concept of paying a prize for discovering a software fault was first introduced in 1983 and was simply excellent because it significantly lowered the financial incentives for black-hat attackers (who exploit the flaws they find or sell them to other cybercriminals). On the other hand, white hats require guarantees that the company they examine will not turn on them and prosecute them.
Where there is a demand, there is a supply, which is why we’ve lately heard proposals for partnerships between researchers and firms in which the former can try to crack the latter without fear of being charged with a crime as long as they follow the guidelines. Moving in this direction, I believe, is a step toward a safer future—one with less fear-mongering than in the past—but the path will be long.