A New Era for Cyber Resilience

As we welcome and celebrate the beginning of a new year, and the end of the first quarter of the 21st century, does a new era for cyber resilience appear elusive? What will change in the next quarter of this century?

Episodes of payment card fraud, compromised credentials, corporate data breaches, phishing emails, SMS spam, and ransomware targeting institutions and consumers will inevitably, and yet again, become headline news in the weeks and months ahead. The professional hackers and cybercrime syndicates have made significant advancements with ingenuity to break security countermeasures with impunity. The lack of resolve by governments and law makers across the world continue to embolden malicious local and global actors. Without government will and resolve, societies may discover that the great promises of the digital era were merely a mirage. “Round up the usual suspects” can no longer be the line to tow. The accelerated weaponization of artificial intelligence (AI) and quantum commuting is the final wake-up call to bureaucrats around the world. This is not an exclusive problem for the west or east, north or south to deal with. It is a global curse with profound consequences. The cyber button (in the hands of many unknown actors) will become far more dangerous to humanity than the nuclear button (in the hands of a few known actors) in the decades ahead due to the willful ambivalence and short sightedness of many politicians and corporations.

Cyber warfare can only be won with cyber resilience, not cyber apathy, political biases, and economic excuses that empower the offense to stay two steps ahead of the defense. The digital landscape is glittered with billions of insecure connected and addressable devices – a lucrative business model for cyber criminals. The tools and techniques that hackers have mastered are enormously powerful and exploit the psychology, benevolence, and cyber attention deficit of fatigued owners and gullible users/operators. The real and lethal threats lie ahead. Cyber physical devices provide a ubiquitous and fertile staging surface for highly scalable, remotely controlled, and stealth mode attacks. From historic precedent, the technology that powers drones and satellite data in military warfare will inevitably be repurposed for nefarious purposes by nation-state and lone-wolf actors. The inconvenient truth is that the industry has let its cyber guard down. When informed regulators fail to set high standards, the exploiters succeed in their mission with dual-use crypto technologies and unprotected data streams/lakes.

Every major cyberattack and data breach is followed by headlines in the media and forgiveness to shower sympathy and solidarity with the victims. That is not a solution to the underlying root cause of the chronic problem. From iPhones to Windows endpoints, Linux servers, and despite published common vulnerabilities and exposures (CVEs), vulnerability exploitability exchange (VEX), and known exploited vulnerabilities (KEVs) on closed-source and open-source software bill of materials, hackers have breached the much hyped and outdated multi-layer defenses, extensive network and security operations center (NOC/SOC) policies and compliance processes – which neither AI nor redundant network based security moats and bridges will magically prevent. Cyber threats are perennial, and learning is a continuous process. Cyber risks, however, can be managed with application security by design.

In his 1953 essay, The Hedgehog and the Fox, philosopher Isaiah Berlin categorizes thinkers as either hedgehogs or foxes. Hedgehogs see the world through the lens of a single defining idea, whereas foxes are influenced by a wide variety of experiences and do not accept that the world can be boiled down to a single idea. Our behaviors are therefore not influenced by reason, rather by our experiences, passions, and sentiments. Herein lies a clue, and glimmer of hope, for the future state of cybersecurity. For the hedgehogs, the single defining idea, or first principle, for cybersecurity is establishing categorical trust in digitally. Things that connect in cyberspace must be verifiable unconditionally as trustworthy. For the foxes, the wide variety of experiences with sophisticated cyberattacks, data breaches, and network intrusions prove that trust must precede security. The common ground operative phrase here is “digital trust”.

Users are no longer the exclusive or dominant force on the Internet. There are a significantly larger number (in the billions) of cyber physical devices than humans on our planet that have become an integral part of our daily regime at work and at home. Digitally connected does not imply digitally trusted. Therefore designing and hardening devices for trustworthiness from factory to field, whether deployed at work in the enterprise or industrial network, or at home in the private wireless network, is the emerged reality to achieve cyber resilience in the coming decades. Ensuring the trustworthiness of data with labels and classifications is a foundational element of data driven ethical AI. Consumption of data with an assumption of authenticity is a catastrophic fallacy for the guardians of cyber safety in the emerging trend of automation and artificial general intelligence (AGI). Inspecting the authenticity of large training datasets is a necessary guardrail for deep learning, to fine-tune pre-trained models, and to tweak machine learning algorithms. The intelligence is in the data on the wire, the processing is by the neurons that fire.

The enforcement of regulations (e.g., EU Cyber Resilience Act, EU Artificial Intelligence Act), implementation of NIST standards (e.g., 800-53, post quantum ciphers), compliance specifications (e.g., IEC-62443, NERC-CIP), and adoption of open and interoperability standards (e.g., CISA, Margo, E-APL, FCG) is necessary to protect critical rungs of the digital automation ladder (infrastructures, devices, and services) against emerged persistent threats and cyber risks. The pace of technological innovations is the problem and solution in cyberspace.

Check us out at Symmera to schedule a meetup, live demo, and discuss partnership for integrated solutions.