Paradigm shifts in cyber security

Are we on the cusp of another significant discontinuity, sometimes referred to as the fifth industrial revolution that will materially change our society, our use of Information Technology and our approach to cyber security?  Read on as I discuss the drivers behind this change, how it will result in a new paradigm of information security and query what this means for those of us involved in supporting the UK’s Critical National Infrastructure. In the cyber resilience world, these shifts reflect the ongoing tension between threat actors and service protectors and the evolving technology landscape.

Evolution vs Revolution

I trust that we are all familiar with the theories of evolution in the biological world and the concepts of continual improvement within the business sphere, Six Sigma like. However, I think we would agree that the change of pace is increasing.  We are moving from linear to exponential change!

Evolution is littered with examples of discontinuity and schism that break the evolutionary path. In the natural world such events are often driven by environmental cataclysms or the introduction of an invasive species into an ecosystem. 

At the lower end of the scale, the collapse of the red squirrel population as grey squirrels dominate is akin to a business model change, with market leaders collapsing in the face of new entrants. As we all know, the IT industry is awash with such examples. Computing has evolved from main frames to client server architectures, to cloud adoption and to the growth of micro services and serverless compute. Those organisations that do not adapt or re-engineer themselves simply vanish, failed, or consumed. It can be argued that evolution alone can lead one to ever greater specialism that renders one more susceptible and less adaptable to shock – less business resilient! 

At the higher end, think dinosaur extinction resulting from meteor impact. In a business sense, think of the industrial revolution and its impact on society as a whole. Indeed, we have arguably experienced several industrial revolutions that have changed human society, including the rise of computing and Information Technology. Interestingly, the pace of these industrial revolution events is also increasing, the first two being hundred years, then 40 and now 10. How long until the next one?

When I started my career 35 years ago, I worked at a bank branch that had over 120 staff but only one computer terminal. Sure, the staffing is significantly lower now, but on the other side of the coin, when I started in computer security, I remember going to a conference that had 50 people, most of whom I knew. This is the impact of recent Industrial revolutions.

Back to top

Emerging Technologies

Everyone you ask has a different list of what they consider to be key Emerging Technologies. By its very nature, the consequence of adoption is unclear. CGI have an Emerging Technologies community that is very much focused on identifying which technologies will make an impact, the nature of that impact and how we can work with our clients to ensure that impact is relevant and positive to their business. Each Emerging Technology is not developed in isolation. The challenge is about understanding how they interact and how such interactions can be leveraged into positive force multipliers. Even if we disagree about the relative importance of specific Emerging Technologies, I trust we can all agree that in combination these capabilities will materially impact our society and our organisations, and it is our responsibility to ensure this is for good. 

I often hear people say that cyber security is a constraint, and its specialists are people who say you cannot do X or Y and security impinges on business innovation. This might be true in a perfect world, with no bad or accidental threat actors, but here in the real-world things do go wrong. There are bad actors and when have you ever known people to behave how you expect?

I fundamentally disagree with the view that dealing with security slows down innovation. Indeed, I insist that it accelerates the commercialisation of innovation! Cyber security is all about ensuring we do things in a secure way, i.e., in a way that the outcome is likely to be as intended and not compromised by accidental or malicious acts that seek to pervert the intent.  Business objectives and IT innovation will only be successful if people have confidence that this is true. This is especially true of Emerging Technologies. If you do not trust a suite of Smart Home IOT technologies, then why would you buy them, much less have them deployed in your home. Would you get into a self-drive car dependent on AI analytics, sensor technologies and 5g communications if you did not have confidence that those components could not be compromised by threat actors, be they organised crime, state actors, malicious businesses or even mischief makers. Keeping on top of these technologies and how they can be secured is critical to their adoption and success, for organisations and society, whilst leveraging their advantages. 

Emerging Technologies can be used for both good and bad. As cyber security professionals, we must assume the worst but strive to ensure the best. There is plenty of talk in the media about the ethics of AI and the need to regulate. Regardless of how this lands, AI will be used by threat actors to attack our services who don’t care about regulations, and we need to prepare for that. 

Quantum computing is another case in point. It introduces all sorts of opportunities around data analytics, sensor technologies etc., but its capability to compromise many of the current cryptographic controls based on asymmetric cryptography is widely discussed and increasingly becoming a real-world concern for countries and business. Many of our clients are actively monitoring the situation and developing their engagement plans.  Ask yourself, what is your organisation’s dependency on susceptible algorithms? What data and services does this expose? What are your options for introducing quantum resilience? What is your plan and strategy for doing this, and what are your priorities? Who will your partners be?  

Back to top

Discontinuity & Heightened Threats

Emerging Technologies are not the only discontinuity driving factor. It is the combination of technological and societal factors fuelled by growing geopolitical tensions and the climate crisis. 

Everyone in the cyber security world understands the growing sophistication and capability of bad threat actors and the evolving nature of such threats. The relatively recent growth of ransomware and wiperware threats is a good example of this evolution. Organised crime always has the ‘challenge’ of converting a compromise situation into a monetary gain. Ransomware combined with crypto currency provided a new means to achieve that goal. 

Wiperware opens opportunities for extortion, but a threat of ‘we could do something’ is less compelling than ‘we have done this, and you need to pay us now’. Wiperware, however, is easier to execute and is attractive to those who just want to cause harm. The growth of radical activists is a case in point, and relevant to several areas of the CNI, yet so is the growth of state actors. The Ukraine conflict/war has resulted in some notable cyber activities but perhaps, so far, less of a widespread contagion. It has highlighted our exposure in areas such as energy security and our dependency on key services and the potential attractiveness of those who might want to impinge on our ability to prosecute our support for or undermine public support for Ukraine. 

The nature of such threats is also changing. Internet based attack has been a focus for many in recent times, but the ability to externally penetrate a service has become increasingly challenging as defences are evolving. Why not bypass all of that and compromise the supply chain instead? The supply chain is becoming ever more complex, partly due to globalisation, but also due to the growth of disaggregation, the adoption of agile/devsecops and the adoption of SAAS like services. Manging that complexity is challenging at the best of times, and that complexity is being exploited. Solarwinds is a classic example of such an attack, with a well-funded, well resourced, reputable organisation. I was lucky enough to have a briefing from the Solarwinds CISO and it was a compelling story and one every CISO hopes to avoid. 

Back to top

Evolution of Cyber Thinking and Paradigm Shifts

What does evolution and discontinuity/schism mean for cyber security?

During my almost 30 year career, I have seen a significant evolution in our field. In my early days it was all about computer security, but the rise of information centricity represented a shift towards Information Security which then morphed into cyber security with the growth of the Internet and World Wide Web (which I call the Interweb). Of late, I am seeing a growing focus on cyber resilience. It is far more than the resilience of the physical infrastructure; it is more of a general recognition that the ongoing conduct of operations are within the expected norms. These are overlapping concepts, and I could have drawn a Venn diagram, but there is a clear direction of travel which reflects the change and emphasis in our thinking. 

Once again, when I first started my career, much of the emphasis was on perimeter defence to stop the bad guys getting in. This quickly morphed into the concept of layered defence and defence in depth avoiding single points of failure. This was supplemented by the idea that this is a lifecycle activity through monitoring your estate, identifying suspicious events and acting on them. 

With the introduction of concepts like Mitre ATT&CK, this morphed into a more risk informed model of understanding your adversary, identifying their activities, and ensuring that the response tactics, techniques and procedures are in place to respond. Much of this evolution in thinking is aligned to military concepts. Layered defence has had a reboot of late, with the rise of zero trust architectures and frameworks aligned to concepts like self-healing of components with an element of adaption. 

With the incoming 5th Industrial revolution our thinking is once again morphing into a concept of prevalence and information dominance. Historically, defence has always been on the back foot. ‘The defence must always get it right, when the malicious party only has to get it right once’ is the common saying. Defence in this world is all about the balance of risk, as you struggle to build and maintain the business case for your security investments. It’s about trying to limit the likelihood and impact of malicious events, and this becomes even harder with increasing complexity and growing threat actor capabilities. In many ways, it’s like fighting with one arm tied behind your back, and while people have occasionally talked about active response and striking back, the reality is often illegal (and we are supposed to be on the side of the good) and this comes with all sorts of risks associated with retaliating against the right people. 

When you combine the above capabilities with the rise of advanced analytics that enable us to filter the noise and find the nuggets of truth, the rise of AI can help identify anomalous behaviours from the data and allow us make judgement calls about the nature of these. The rise of elastic compute allows one to spin up new compute, data and services in real-time. The growth of honeypot-style technologies is getting us to a place where we can not only identify potential attack and compromise, but actively respond in a passive defence mode of operation. 

If we can identify an attack as it occurs, we can protect our real assets from that attack. We can divert and distract the attacker into a make-believe world where we can monitor and learn the attackers capabilities and intent. We can feed that attacker false and misleading information and sow doubt into the minds of the attacker. Put yourself in the shoes of an attacker: you have found a weakness; you are executing an exploit; you get access to some data. This all sounds great, but is it a real asset; is the data true; is the defence learning about you; can you use the data, and do you dare pass it on? Is it tagged or structured in such a way as to make it easier for law enforcement to trace to source? Are you wasting precious time and compute? Is it even viable to continue your attack in such circumstances? Would it be better to go and attack someone else?  

Even malicious parties must believe they are getting some sort of return on their investment. This scenario is turning the traditional business model on its head. The key to its success is that you need to have a better view and situational awareness of what is going on than your attacker and you need to implement controls that ensure that this is true, and that this information dominance helps you prevail. Once again, this aligns to military thinking. It’s not quite cyber warfare but it has many similarities. You are not just trying to stop an attacker; you are changing the societal and economic dynamic – and that gives you the upper hand. 

Back to top

What to do?

So, what should we do? In true hitchhikers guide or Dad’s Army style there is no need to panic. 

Much of what we do should still be focused on getting the basics right. NCSC keep stressing this and they are absolutely right. Most successful exploits are still the result of failings that could be avoided by following standard good practice. Security resilience is still all about managing risk. There are some stable elements in our world, and this remains as true today as when I started. 

But the risks are evolving and so must the controlled approach we take in response. Consider your resilience maturity and roadmap, but don’t gold plate and don’t set unrealistic expectations. It is better to successfully deliver small steps than fail to deliver nirvana. Make sure you prioritise based on business need; cyber resilience is all about ensuring we enable the business. Provide that essential confidence I mentioned earlier. Leverage the tools and techniques available to you. I am a great fan of the Cyber Assessment Framework. I especially like the good and bad behaviours concept and the application of indicators of good practice is genuinely helpful (see the white paper for more details) Make sure you are using a profile that suits your business. Finally, make sure you monitor and consider the impact of Emerging Technologies. I genuinely believe they will transform our lives and how we conduct cyber resilience, I am sure we will all have a few surprises down the road. When I try to explain to my kids my early working life without computers, the Word Wide Web let alone mobile phones, they think I am winding them up. Change is the one continuity, and we need to adapt to it and not be afraid to seek assistance in doing so.

• Learn more about CGI in cyber security