“The Hitchhiker’s Guide to the Galaxy,” by Douglas Adams, could actually be a guide to cybersecurity if read in a different context. The crux of the problem in present-day cybersecurity practice is summed up in this exchange from the book:
After seven and a half million years of computing, “The answer to the Great Question of life, the universe and everything… is Forty-two,” said Deep Thought, with infinite majesty and calm. “But it was the Great Question! The Ultimate Question of Life, the Universe and Everything,” howled Loonquawl. “What is forty-two?”
“I checked it very thoroughly,” said the computer, “and that quite definitely is the answer. I think the problem, to be quite honest with you, is that you’ve never actually known what the question is.” And so another, even bigger computer had to be built to find out what the actual question was!
No one is taking the time to ask the right question. While a security analyst is busy deciphering 600-page reports and a CISO negotiates an increase in the year’s cybersecurity budget, the board only wants to know whether the organization is secure. The closest thing to an answer came from Dmitri Alperovitch, who led the investigation into Operation Shady RAT: “There are only two types of companies—those that know they’ve been compromised, and those that don’t know.” Former FBI director Robert Mueller took it a step further: “And even they are converging into one category: companies that have been hacked and will be hacked again.”
Cybersecurity is not a count of breaches detected or prevented, of vulnerabilities patched, of employee training sessions delivered, of regulations complied with or of malware samples caught. Given everything organizations are already doing to secure themselves, they are, like Loonquawl, still failing to ask, and correctly answer, the right question.
In my opinion, that question is, “How likely are you to get hacked, today?”
The answer to that is based on two other unanswered questions:
1. How current, or real-time is your information?
2. Are you quantifying your cyber risk?
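As an added example, not part of the original article, of what the second question (“Are you quantifying your cyber risk?”) looks like when answered with numbers, and of why the answer depends on how current your inputs are, here is a minimal FAIR-style model in Python. Every figure in it (attack rates, success probabilities, loss sizes, the “phishing-resistant MFA” control) is a constructed assumption, and the Poisson and independence assumptions are simplifications a real assessment would revisit.

```python
"""Added example: quantifying "how likely are we to be breached, today?"

A minimal FAIR-style model (Factor Analysis of Information Risk): each threat
scenario has an expected rate of attack attempts, a probability that an
attempt succeeds given current controls, and a lognormal loss per breach.
All numbers below are constructed assumptions for illustration, not data
from any real organization.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    attempts_per_year: float  # expected attack attempts per year (Poisson rate)
    p_success: float          # P(an attempt becomes a breach) given today's controls
    loss_median: float        # median loss per breach, in currency units
    loss_sigma: float         # lognormal shape parameter (spread of losses)


def breach_probability(scenario: ThreatScenario, horizon_days: float) -> float:
    """P(at least one breach within the horizon) for a Poisson process whose
    rate is attempts_per_year * p_success: 1 - exp(-rate * T)."""
    rate = scenario.attempts_per_year * scenario.p_success * horizon_days / 365.0
    return 1.0 - math.exp(-rate)


def combined_breach_probability(scenarios, horizon_days: float) -> float:
    """Assumes scenarios are independent: P(any) = 1 - prod(1 - P_i)."""
    p_none = 1.0
    for s in scenarios:
        p_none *= 1.0 - breach_probability(s, horizon_days)
    return 1.0 - p_none


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_loss(scenarios, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo over one year: expected loss, 95th-percentile loss and the
    empirical probability of at least one breach (a breach always costs > 0)."""
    rng = random.Random(seed)
    losses = []
    years_with_breach = 0
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            breaches = _poisson(rng, s.attempts_per_year * s.p_success)
            for _ in range(breaches):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        if total > 0:
            years_with_breach += 1
        losses.append(total)
    losses.sort()
    return {
        "expected_loss": sum(losses) / trials,
        "p95_loss": losses[int(0.95 * trials)],
        "p_any_breach": years_with_breach / trials,
    }


def after_control_improvement(scenario: ThreatScenario, success_reduction: float) -> ThreatScenario:
    """Restate a scenario with today's inputs: a control that cuts the
    per-attempt success probability by the given fraction (0.5 halves it)."""
    return replace(scenario, p_success=scenario.p_success * (1.0 - success_reduction))


# Constructed scenarios (assumed figures, not measurements).
PHISHING = ThreatScenario("credential phishing", attempts_per_year=12, p_success=0.05,
                          loss_median=500_000, loss_sigma=1.0)
EXPOSED_SERVICE = ThreatScenario("exploit of exposed service", attempts_per_year=4, p_success=0.02,
                                 loss_median=2_000_000, loss_sigma=1.2)
PORTFOLIO = (PHISHING, EXPOSED_SERVICE)

if __name__ == "__main__":
    for days in (1, 30, 365):
        print(f"P(breach within {days:>3} days) = {combined_breach_probability(PORTFOLIO, days):.4f}")
    print(simulate_annual_loss(PORTFOLIO))
    # Refreshing one input (assumed: phishing-resistant MFA cuts success by 80%)
    hardened = (after_control_improvement(PHISHING, 0.8), EXPOSED_SERVICE)
    print(f"after phishing-resistant MFA: P(30d) = {combined_breach_probability(hardened, 30):.4f}")
```

Running the script prints the probability of at least one breach within one day, thirty days and a year, the simulated loss distribution, and how the thirty-day figure moves when a single input is refreshed. That last line is the first question above in miniature: the estimate is only as good as the currency of p_success, which shifts every time a control, a misconfiguration or a new campaign changes the odds of an attempt succeeding.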
For organizations to get information that is both current and relevant, their cybersecurity strategy has to be deeply intertwined with supervised machine learning and artificial intelligence (ML/AI) and has to produce an objective, measurable output; the two are inseparable. ML/AI-based technology is a double-edged sword, however. A model learns, but only from the data it is trained on, so it recognizes what resembles what it has already seen and is blind to what it has not. Attackers, meanwhile, are using the same technology offensively, and it is taking the entire industry to counter them.
In one example, criminals used AI-based voice-generating software to impersonate the CEO of the unnamed German parent company of a British energy firm. They called the energy firm’s CEO, posed as his boss and demanded an urgent transfer of $243,000 to a Hungarian bank account. Once the first payment had been made, the fraudsters called back to press for further urgent transfers. The CEO later described the eerie experience: “Less than a minute after finishing the call with Johannes (the parent company’s CEO), the fake Johannes rang again. His voice was identical, but as soon as I asked who was calling, the line went dead.”
AI and machine learning are here to stay, but without proper supervision they will not be of much use in cybersecurity; like Deep Thought’s answer, they are still answering the wrong question. In “The Hitchhiker’s Guide to the Galaxy,” to work out what the Ultimate Question actually was, a special computer the size of a small planet was built from organic components and named “Earth.” Ten million years later, the question it yielded was: “What do you get if you multiply six by nine?”
Six times nine is 54, not 42. The program never ran to completion: five minutes before it finished, the Earth was demolished by the Vogons to make way for a hyperspace bypass, nullifying an effort that had begun millions of years earlier. One error is all it takes to derail everything your security team has put in. This is why you should know, at every point in time, the probability that your organization will be breached. Only then can you properly prepare for an impending disaster, whether its cost comes as lost business continuity, reputational damage or regulatory repercussions. Security executives need to realize that not all cybersecurity technology and activity equals true progress.
If I were to make a comparison, preparing for cyberattacks without knowing your breach probability is like bracing for a cyclone when you have been warned of an earthquake! Before you make your next cybersecurity investment, take a step back and ask yourself the right question: how are you going to measure the progress you have made? It is a simple equation; the smarter your question, the more accurate your answer. In my experience, the only thing that is assured is that numbers and mathematics never deceive.