Passive Cyber Defense: The Laws of Diminishing and Negative Returns
By Steven Chabinsky
Monday, May 6th, 2013 @ 4:25AM
* Remarks at ACD/EWI’s April 9 briefing, “CyberThreats & The Economy.”
It’s time we turned our cybersecurity efforts towards “Active Defense.”
Our current efforts, geared towards “passive” cyber defense, are fixated on continuously monitoring and patching systems. Passive defense does not work and will never work against serious cyber threats. The concept doesn’t work well in the physical world and we should expect no different in cyberspace.
My talk is about both diminishing and negative returns. I would like to suggest an alternative. I was with the FBI for 17 years, and for the last 15 years the strategy of the United States and globally has been to work with the vulnerability mitigation side. This includes the Department of Homeland Security, for example, and private sector. And it has really strayed away from the folks who are going after the threat actors: the FBI, CIA, NSA, in conjunction with the private sector.
I want to show you why what we’re doing isn’t working. Why it will never work. Why it doesn’t work in the physical world and how we should expect no difference here. It will take just a very brief introduction to a qualitative discussion of risk.
Then we’re going to charge through, I think that if the balance is really good, and it’s going to lead back to this slide. [A slide from a previous presentation was up on the meeting room screen. It shows the front wheel of a bicycle locked to a rack. The rest of the bicycle has obviously been stolen.]
When I say “passive defense,” I’m talking about looking at your vulnerabilities. Looking at your defenses. How you mitigate the fact that you are penetrable. Your systems are penetrable. Someone can break in. That’s all we keep hearing.
There’s this focus on the victim. It’s absolutely incredible how much cost today is borne by individuals and the private sector in trying to defend their security with little to no return on investment. It’s incredible the amount of time, effort, opportunity cost that’s going into a failed strategy, and how our response to that continues to be information sharing efforts to do more of it. We keep blaming the victim.
So let’s talk about this.
Risk has three components to it. There are only three levers to all of risk. Threat reduction, vulnerability reduction, and consequence reduction. That’s it. There’s a classic formula that doesn’t do much quantitatively, but is very good qualitatively. It’s risk equals threat times vulnerability times consequences. This, strategically, is very helpful to recognize. It’s a multiplication, not because you get big numbers at the end which justifies a big budget if you’re the chief security officer.
That is not the reason for it. It’s because multiplication has a quality that addition doesn’t. That is, if you multiply something by zero, you zero out the formula. It means that if you could get threat down to zero, it doesn’t matter how good vulnerability or your consequences are because there’s no risk. And that plays its way out. Bring all the vulnerabilities to zero. Makes no difference how big a threat or consequences there would be. Same thing, of course, on consequences.
What you see in the physical world is that vulnerability mitigation makes really good sense against opportunistic threat actors. Meaning they don’t care if they target you or they target someone else. So, you lock your door, you don’t keep your keys in the car. Because if someone wants to break into a house, they won’t break into your house if you have a decent lock. If someone wants to steal a car, they might not steal your car if someone else has the keys in their car.
But what’s very interesting is as soon as there’s a targeted attack — meaning that it’s not the same to the bad guys — it’s not a crime of opportunity. They want you. They want your house, your place of business, your intellectual property, which is not fungible.
You will find that in the real world, we move to threat deterrence. We put alarms up on houses and businesses. We put cameras up. What those say to the bad guys is the following, “We’re not going to spend any more money on vulnerability mitigation.” We’re not going to try to make it so that we have doors that you can’t break into, windows that you can’t open and you can’t smash through. So that you can’t dig a tunnel through the ground, that you can’t rappel through the sky to get onto my roof. Forget it all.
We’re going to concede this ground to you. You can break in, but now it’s not about me anymore. Now it’s about you. I’m going to put up an alarm now. I’m going to put up a camera. I’m going to detect who you are and we are going after you now. It’s threat deterrence. When you’re monitoring something, if the alarm goes off at 3:00 in the morning and the monitoring company calls you, they say, “Sir or ma’am, your front door was just broken into, but don’t worry. We have the locksmith on the way.” How absurd! We’ve got the police on the way.
In cyber security, that intrusion detection system is going off every single minute and the response has been to send a locksmith. How absurd! It’s absolutely ridiculous. It doesn’t work. It will never work. It will never work against targeted attacks.
We have none other than the National Institute of Standards and Technology that stated to chief information security officers, “you will get so many alarms that you’re just going to have to prioritize which ones you need to look at.” Can you imagine the world where if you had cameras and alarms and you call up the police and you say, “Well, there’s one guy that came to my house, he’s got a chain saw. The next guy had a rifle. The next guy had a battering ram.” They say, “Well, which one would you like to look into?”
That’s if they’re even talking to you at all. The shift, this notion in cyber that we’ve decided that it’s about vulnerability mitigation and we’ve given up on threat deterrence is absolutely why we’re in the state we’re in. Sometimes you cannot build the defenses that are necessary.
You hear the statements that everybody is being intruded upon, small, medium, large businesses hacked. Google, Microsoft, Apple, Facebook, RSA.
If these guys can’t keep the bad guys out, where does that leave most of our country?
We’ve got dissident groups, newspapers, small and medium businesses, which, by the way, do most of the research and development in this country. They’re all being broken into, left and right. For some reason, we keep telling them, “You know what the government’s role is going to be? To give you more information to better protect yourself.”
It will never work against targeted attacks. It can’t work. But they keep putting in more money without return on investment. That’s called “diminishing returns.”
What are negative returns? Negative returns are when you actually make the problem worse by your reaction. That’s what we’re doing here, because every time we have our businesses spend more money on security against targeted attacks and raise the bar to this level, guess where the well-resourced, very capable organized crime groups and nation-states bring the threat? To a higher level.
It’s very inexpensive to create a better offense than a defense in this dynamic area. It would be similar to thinking about this building and how expensive it would be to create a 20-foot brick wall around this building. Think about how much money that would cost, and how cheap it would be for me to go to Home Depot or Lowe’s (I don’t have sponsorship yet) to buy a 30-foot ladder? That’s what’s happening every day.
We keep going to industry. I’m talking about regulation. They’re asking, “What’s the incentive for people to follow a framework of regulation?” The incentive would be to show that it works. The incentive’s not tax incentives. The incentive is to actually show that the security actually will keep out persistent actors, but, barring that, we’re having all types of crazy discussions.
Sometimes you need to go after the threat, and that’s where Stewart Baker’s point goes in. We have a resource in this country that is not being used for threat deterrence. It’s called the private sector.
When you talk about the private sector doing anything other than vulnerability mitigation, people start getting anxious. They start talking about vigilantism. That’s nonsense. Forget vigilantism. Forget retribution and retaliation out of the private sector.
The private sector can do a lot hand in glove with the FBI, with the military, with the NSA, with the CIA, in ways that are quite stabilizing, that are not retribution. We know what that looks like in the real world.
We know that if you’re on an airplane and someone is charging the cockpit door there are three ways you can respond. You could sit in your seat and do absolutely nothing, and you can have this conversation with yourself. You could say, “My lawyer–I’m actually not really afraid of that guy–but my lawyer said, ‘If I tackle that guy, it’s assault and battery. If I then hold him in place, it’s a kidnapping,’” which is all true. So better not to act in that circumstance. Unless you think — that this is just an example — “That’s different. That’s defending life.” Same thing is true if there was a purse snatcher who’s running down the street and someone yelled, “Hey, stop that guy! He’s got my purse! He’s got my wallet!” Same thing. You could see everyone just standing there. That’s not civic responsibility.
Then you have the opposite end of the continuum, where everyone says, “Hey, this is a good time to beat somebody up!” You run after the guy, charge him, you get him, you kill him. That’s it, and then you leave.
Both of those are wrong responses. The center is where you need to be, where people stabilize the situation, because sometimes the private sector is the only one with the capability, resources, nimbleness. The fact is that they are on scene more likely than the government. The fact is that in our country, we don’t have our government everywhere. They [the private sector] are on scene, and they can stabilize the incident. They hold the person in place. They return the property, and then they hand the guy over to law enforcement. We know that’s how it’s supposed to work.
But we haven’t been able to bring that into this cybersecurity world. Until we realize that at the end of the day, when you’re talking about advanced threats, it is about threat deterrence.
When you talk about advanced threats, putting more money into vulnerability mitigation is escalatory and has negative return. The private sector in our country, especially when you think about transnational businesses, they have the resources, the capability, the global reach, but are lacking clear authority.
The government has clear authority, but is lacking the resources, capability, and global reach. These two sectors have to work together. We’ve got to change this paradigm.
A colleague of mine, Melissa Hathaway, recently writing in Georgetown’s Journal of International Affairs, started with a quote from Darwin, which I thought was very important. Sometimes you have to go back to the basics.
If I were to say “Survival of the …,” you’ll all say “fittest.” That’s how you’re all going to fill it in, and we’re all wrong. It’s not the fittest that survive. It’s not the strongest. It’s not the wealthiest. It’s not those who think they’re the smartest. It’s those who adapt the best.
We keep applying the old failed models and putting more and more money into them thinking that somehow will make it better. We’ve got to change this paradigm. We’ve got to right this risk model. We’ve got to forget about adding more costs to the victim. We have to stop blaming the victims for their security. They’re not to blame. The bad guys out there are to blame, and we’ve got to shift toward threat deterrence.