By Phil Reitinger
In Monty Python’s Holy Grail, after a massacre of wedding guests by Sir Lancelot, the King of Swamp Castle says, “This is supposed to be a happy occasion. Let’s not bicker and argue about who killed who.” As cyber security goes these days, sometimes I feel like the King of Swamp Castle, and sometimes like the wedding guest who yells about Lancelot, “He’s killed the best man!”
Ironically, the King of “Swamp” Castle is right. The core issue in cyber security these days is that offense beats defense. If someone devotes enough resources to compromise your network over enough time, the odds are significantly in his or her favor. Thus, you often hear stated “there are only two types of companies: those that have been hacked and those that will be.” Until we can change this basic equation in favor of the defense – by building a cyber ecosystem that can defend itself, by devoting more resources to prevention especially of systemic risks, and by much broader use of resilient technologies like trustworthy secure systems (see NIST Sp. Pub. 800-160) – worrying about “who killed who (sic)” may be a waste of time.
But while placing blame on the cyber murderer may be a waste of time, it is not always so, and looking for the murderer has value. Even if offense beats defense, we need to avoid resignation, and must guard against:
- Know-Nothingism – U.S. President-elect Trump is correct that “hacking is a very hard thing to prove.” That doesn’t mean we shouldn’t try to prove it or attribute the hack where possible. Even if, for example, general deterrence of hackers by criminal prosecution is not effective because the risk of getting caught is low, specific deterrence of particular persons, entities, or countries is possible. And knowing sources of threats – threat intelligence – can be critical in mounting an effective defense.
- Silence – When we have information on threats and hacking, we need to share it. Attribution, even if far short of certainty, can be invaluable in determining the motivation behind an attack and its likely target. Knowledge about attacks and compromises, even if attribution is completely unknown, can improve the defenses of others. Last, speaking openly about attacks and their effects helps prevent characterization of malicious hacking and cyber risk as normal, acceptable, and immutable.
- Fatalism – Sometimes folks want to throw up their hands. “Stop hacking? Fuhgeddaboutit!” Again, U.S. President-elect Trump is substantially correct that “no computer is safe,” but that doesn’t mean that no computer should be safe, or that it is not possible to do a much better job of making computers safe. The new U.S. Administration will have some challenges here, with its preferences against regulation and expending additional resources.
In other words, the wedding guest is right too. If Lancelot killed the best man, or even likely killed the best man (because Lancelot has a bloody sword and the best man a stab wound), then that is worth knowing, saying, and acting upon even if a better suit of armor for the best man would have stopped the attack.
The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.