InPhySec recently submitted to the government’s Cyber Security Advisory Committee. This is a summary of our submission.
Its’s the money…
Cyber-crime is crime. Being delivered over the internet doesn’t alter the basic features: -
a) The motivation is money;
b) There is very little enforcement pressure (if you’re a cybercriminal you won’t get caught). So large, efficient criminal organisations flourish, with ‘black’ markets for skills, software, stolen data, credit cards and so on;
c) It’s global. Criminals can be based anywhere. New Zealand’s remote geography is irrelevant. We are just targets;
d) It’s the data. As well as personal information, credit card detail and so on, it’s also industrial and trade secrets, product formulations and manufacturing processes, pricing information, tenders and proposals. Most of the value of our companies lies in intangible assets (often under-counted, and very often under-protected). Data links them all and provides the soft underbelly – the attack vector;
e) It’s here to stay. Fixing cyber security won’t ever be ‘done’ – just as we know conventional crime is here to stay, and can only be managed down to acceptable levels; and
f) It’s just so much more efficient on the internet. All the benefits we see on the internet for legitimate business – scale, efficiency, anonymity, bulk data analysis, AI – are available to the criminals too. They’re just as clever as we are, they’re not burdened by compliance. They can “move fast and break things”. The good guys are not doomed to win.
What to do?
What does all this mean for New Zealand companies and organisations?
Get the right attitude.
Cyber security is a permanent social, economic and policy and political question we now face, literally in perpetuity. We need to develop the right attitudes: security of data will come to be seen as an enduring attribute of good management everywhere, not a one-off cost. Today, we hear companies and government organisations say that cyber is a management question, but then acting as if it’s an IT question, capable of being outsourced, delegated or managed with other competing IT priorities.
We need to rediscover the skills and resilient attitude of permanent, low-level conflict. The internet is – at best – a semi governed and certainly contested frontier. We know through research (Peter Turchin et al) that contested frontiers provide a cradle for successful, cooperative societies. But the same research suggests that, left to our own devices, it takes 2-300 years to develop the right social systems and values. We can’t wait that long. The scale and skill of cyber criminals is unprecedented, and so we need an unprecedented response.
What might that look like:
Tackle the skills shortage
Amateurs talk strategy; professionals talk logistics. There’s no quick, clever get-out-of-jail-free solution to cyber-crime. It’s here to stay. How do we organise for the long haul? Firstly, deal with the skills shortage that hampers us all now. A proper, national skills strategy is a central building block. New Zealand governments tend to leave such things to educational providers and immigration. Eventually, that might work. But there will be a lot of destructive adverse events before we get to eventually. The skills shortage in IT and cyber security is global and growing. We should do ourselves a favour and lead the development of a solution, not look to pick up the crumbs under others’ tables.
Think about the role of the State.
We leave a great deal of cyber security to individual companies and organisations. This is strange, because in the analogue world we see defence, security and law and order as public goods, most efficiently provided by the State. Indeed, as citizens and companies we give up any private right to violence in return for the State’s protection – laws, courts and order provided by the Police. Only the Crown may maintain armed forces.
Yet on the internet, the State is conspicuous by its astonishing absence. It’s as if every owner of a beachfront property is expected to provide their own frigate. The result in cyber security is fragmentation that is neither efficient (effective defence would mean over-investment in each case) nor effective (actually no one entity invests enough for it to work, not even the biggest companies).
The effect of this fragmentation in circumstances of profound skills scarcity is pernicious. Scarce skills are best maintained in carefully-husbanded centres of excellence. If they’re spread too thinly, they’re not ever effective and (worse) they lose proficiency through lack of appropriate professional challenge.
Yet this is the situation we face. How do we allow companies and organisations to build enough scale to provide a level of effective security?
Change the rules; change the incentives.
Two rule-making steps would help: -
a) Make cyber security maturity part of any audit. It’s just obvious. Poor cyber preparedness is a risk to the company’s assets (most assets are intangible and that means data). Investors need to know if management has taken the proper steps to secure and manage those assets. That should be an audit function; and
b) Specifically allow competing companies to cooperate in cyber security without running foul of the competition laws. Fragmentation of skills and effort, and of threat insights plays into the hands of the criminal. Companies are normally wary of cooperating too closely with their competitors (for very good reason, it leads to cartel behaviour and is therefore usually illegal). But in this case the benefits almost certainly outweigh the risks.
Why bother?
We could just leave things as they are. Many of us would muddle through. The current situation isn’t an obvious catastrophe. The Government could tinker with the CERT and NCSC operations, and maybe put a little more money into each. It wouldn’t tackle the skills shortage, nor the lack of critical mass in security provision. These might ease anyway. It might just take longer than we want.
So, all this might be desirable but not essential. Is there anything that changes that? There are two: -
a) New Zealand would suffer a lot of disruptive cyber attacks. The growing scale and sophistication of the attackers would mean we would become relatively more vulnerable, quite quickly. Some of those attacks might be really damaging (over time, they would be; it’s inevitable). Anything we can do to shorten the time it takes to get our defences in order may be really useful;
b) Other countries might improve their cyber defences faster than we do. (a policeman once said to me you don’t fix crime you transfer it to your neighbour). The contested frontier that is the internet is more or less common to the whole world, with every society and country trying to both manage and exploit the situation. If others move faster than us, our economy will be less attractive and productive as a place to invest and work. We already have a serious productivity problem; leaving things as they are is likely to worsen it. It’s a leap of faith to imagine that New Zealand could ever become a safe haven for data, but we could at least try to be a safer place.
Nothing proposed here is really expensive. It’s all feasible, and would make a start. Tackle skills, use audit rules to drive change and investment, and allow for service providers to acquire some scale.
