The Cyber Tipping Point—Are We There Yet?

As known cyberattacks are
reported to be increasing in number, frequency and severity, you have to ask
whether we are reaching, or have already reached, a tipping point where
everyone gets so disgusted or frightened with the incessant and egregious
barrage of attacks that they tune out. On January 9, 2017, I posted a Bloginfosec
column with the title “Alleged Russian Hacks … Is This Cybersecurity’s
Tipping Point?”

Each time that I raise
the question about reaching society’s cybersecurity-risk breaking point, I am
astonished at the apparent level of tolerance of the population at large. You
would think that everyone would be up in arms about the constant drumbeat of
successful attacks on personal data and, more recently, seemingly foolproof
ransomware attacks. How could this be happening?

In part, I think that the
reason for this attitude is an unwarranted faith in technology to solve all the
problems. Much the same holds for climate change. Many whom I talk to on global
warming are convinced that there will be a “silver bullet” to resolve the
buildup of carbon dioxide in the atmosphere. I hope that they are right. However,
what such thinking generally does, in these and other cases, is to delay any
mitigation efforts. People look to other warnings from the past, such as the
Malthusian idea that the world population will grow beyond its ability to feed itself,
and Y2K, which many believe was a non-event (it wasn’t), and extrapolate them
to current problems, believing that somehow we will overcome the adversity and
then move on.

Are we actually beyond
the point of no return for climate change and cybersecurity risk? In my opinion,
we really are. Why do I think this? The main reason is that I am seeing experts
in both fields beginning to de-emphasize preventative approaches and take on
resiliency, continuity, recovery and reconstruction challenges. For example,
the NIST Cyber Security Framework (CSF) (available at https://www.nist.gov/cyberframework)
lists the following five areas: identify, protect, detect, respond, and recover,
where protection is outnumbered by activities during and following a successful
attack. Perhaps that is a bit of a stretch, but we are definitely seeing a
swing of emphasis towards resiliency, which, to my mind, suggests that we have
given up somewhat on trying to defend against all attacks.

Not that I don’t think
that resiliency should receive more attention—I think that it should. As a
practitioner with extensive business continuity and disaster recovery experience,
prior to focusing on information security, I am perhaps more sensitive to signs
of a gradually growing switch away from prevention and towards recovery among
cybersecurity risk articles and books. Indeed, my most read article on ResearchGate,
by far, is “Investing in Software Resiliency,” which was published in the U.S.
Department of Defense’s Crosstalk Magazine in September/October
2009. One of my earliest publications on the topic was an article,
“Security during Recovery and Repair,” first published in 1989 in Auerbach’s
Data Security Management series and later in the Handbook of IS Management 1992-93 Yearbook, which was edited
by Robert E. Umbaugh and also published by Auerbach. At that time, I was
concerned about reducing the increased vulnerability that systems encounter
during a disaster recovery operation. I was also interested in the backup and
resiliency of security tools and personnel.

While it is prudent to
consider resiliency at the best of times, the recent interest in recovery versus
prevention suggests that successful attacks are considered to be all but
inevitable, so we had better accept that fact and move on with resolving the resulting
problems. That is a defeatist attitude, in my opinion, which should have no
place in the minds of those charged with defending us against both cyberattacks
and climate change, but it is gaining credence as the fight against these
dangers falters.

We need to determine
whether to spend the trillions of dollars to try to halt the progress of cybersecurity
threats or to spend possibly many more trillions on responding to the
consequences. Either way is a very expensive proposition, but one that has to be
addressed if we are to survive in both the virtual and physical worlds.
Addressing these cyber and climate issues really is a Hobson’s choice, but
experience has demonstrated that it is most often cheaper to spend the
preventative dollars up front than to pay for the cleanup after disaster hits.


*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2019/12/23/the-cyber-tipping-point-are-we-there-yet/