{"id":32581,"date":"2017-06-27T11:00:18","date_gmt":"2017-06-27T01:00:18","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=32581"},"modified":"2017-10-04T12:13:08","modified_gmt":"2017-10-04T01:13:08","slug":"inevitable-failure-cybersecurity","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/","title":{"rendered":"On the inevitable failure of cyber security"},"content":{"rendered":"

Image courtesy of Flickr user Spry.

While the Australian Government’s Cyber Security Strategy contains many good initiatives, the government’s narrative needs to evolve to account for inevitable failures. Current government rhetoric is decidedly inconsistent: cyber espionage is alive and well, yet at the same time the data of the Australian people is safe and secure.

The Prime Minister has spoken about the importance of meaningful conversations about cybersecurity, but that narrative clearly has some internal inconsistencies and isn’t a realistic or nuanced message. As the Australian Public Service, business and the broader community raise their levels of cyber sophistication, we need to continually reframe government communications to push real cyber resilience.

Services delivered over the internet are exposed to several interesting asymmetries that all but guarantee that there’ll be cybersecurity failures of consequence. Imagine a hypothetical government IT project (let’s call it ‘Project ORCA’) that aims to provide a perfectly secure government portal to deliver vital services to the Australian public.

Our first asymmetry is that the teams building online services have only finite time to deliver their products. This is a good thing, as we want IT projects to be delivered, and infinite timelines aren’t helpful (even though that can feel like standard practice in government at times).

By contrast, malicious actors (baddies and hackers) on the internet are not time bound; their time horizon is effectively infinite. ORCA, for example, while built over a relatively short time, will be exposed to attack for the rest of its working life—which may run from years to decades. A successful attack on ORCA can be damaging to the government at any time throughout its life.

Second, teams building online services have limited skills and capabilities. The Project ORCA team is limited to the pool of skills available within the team. The very best we can hope for is that it implements the best possible solution at that point in time. But even this best-case scenario isn’t good enough.

Malicious actors can not only access the state of the art at the time when ORCA is built, but can also use new vulnerabilities that are discovered after the service has been delivered. In a very real sense, the Project ORCA team is trying to defeat hackers from the future!

Third, the ORCA team is focused on delivering what it uniquely adds, building on the best frameworks and architectures available at the time.

Malicious actors, however, can attack not only what the ORCA team builds directly, but all the software and hardware that ORCA relies on and is connected to. The Project ORCA team can deliver its project perfectly, but the security of ORCA overall can still be undermined by factors outside the team’s control. In recent years, for example, there have been several very severe bugs that have affected internet services in totally unexpected ways, and Project ORCA can’t mitigate that class of threats.

Although this sounds pessimistic, this is broadly understood in private industry; breaches are common and inevitable, and there’s a very real focus on resilience and recovery. The cyber-mettle of an organisation isn’t measured by whether the organisation suffers a compromise, but by how quickly the compromise is discovered, how well it’s contained, and how effectively it’s cleaned up.

Government’s current narrative is focused on implementing the ‘Essential Eight’. These are the eight highest priority actions from the Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents that help prevent cybersecurity breaches. The Essential Eight grew out of what were initially branded the ‘Top Four’, and when implemented will prevent a large majority of cyber intrusions that the ASD currently sees.

Even when these strategies are implemented, however, they are still only mitigation strategies. That is, they make things less bad than they were before. They aren’t a guarantee that security is perfect; they are just the first steps to take when your security baseline is very bad.

Real security doesn’t consist of implementing the ASD’s Top Four mitigations, and then a year or two later expanding that to the Essential Eight. Real security is the ongoing work that arises from an acceptance that failure is inevitable: understanding your network; detecting and investigating anomalies; patching, monitoring and alerting; clean-up, backup and disaster recovery.

The Prime Minister has spoken about the importance of meaningful conversations about cybersecurity events. But by denying the scope of the problem, our political leaders are preventing the meaningful conversations that they desire and lulling us into a false sense of security. The conversation needs to change to account for the inevitability of failure.","protected":false},"excerpt":{"rendered":"

While the Australian Government\u2019s Cyber Security Strategy contains many good initiatives, the government\u2019s narrative needs to evolve to account for inevitable failures. Current government rhetoric is decidedly inconsistent: cyber espionage is alive and well, yet …<\/p>\n","protected":false},"author":618,"featured_media":32582,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[416,391,1597,728],"class_list":["post-32581","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-australian-government","tag-cyber","tag-cyber-strategy","tag-hacking"],"acf":[],"yoast_head":"\nOn the inevitable failure of cyber security | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"On the inevitable failure of cyber security | The Strategist\" \/>\n<meta property=\"og:description\" content=\"While the Australian Government\u2019s Cyber Security Strategy contains many good initiatives, the government\u2019s narrative needs to evolve to account for inevitable failures. 
Current government rhetoric is decidedly inconsistent: cyber espionage is alive and well, yet ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2017-06-27T01:00:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-10-04T01:13:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/5644461102_b67a8283f2_z.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"427\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Tom Uren\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tom Uren\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/5644461102_b67a8283f2_z.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/5644461102_b67a8283f2_z.jpg\",\"width\":640,\"height\":427,\"caption\":\"Image courtesy of Flickr user Spry.\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/\",\"name\":\"On the inevitable failure of cyber security | The 
Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#primaryimage\"},\"datePublished\":\"2017-06-27T01:00:18+00:00\",\"dateModified\":\"2017-10-04T01:13:08+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"On the inevitable failure of cyber security\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a\",\"name\":\"Tom Uren\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g\",\"caption\":\"Tom Uren\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/thomas-uren\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"On the inevitable failure of cyber security | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/","og_locale":"en_US","og_type":"article","og_title":"On the inevitable failure of cyber security | The Strategist","og_description":"While the Australian Government\u2019s Cyber Security Strategy contains many good initiatives, the government\u2019s narrative needs to evolve to account for inevitable failures. Current government rhetoric is decidedly inconsistent: cyber espionage is alive and well, yet ...","og_url":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2017-06-27T01:00:18+00:00","article_modified_time":"2017-10-04T01:13:08+00:00","og_image":[{"width":640,"height":427,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/5644461102_b67a8283f2_z.jpg","type":"image\/jpeg"}],"author":"Tom Uren","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Tom Uren","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/5644461102_b67a8283f2_z.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/5644461102_b67a8283f2_z.jpg","width":640,"height":427,"caption":"Image courtesy of Flickr user Spry."},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/","url":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/","name":"On the inevitable failure of cyber security | The 
Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#primaryimage"},"datePublished":"2017-06-27T01:00:18+00:00","dateModified":"2017-10-04T01:13:08+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/inevitable-failure-cybersecurity\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"On the inevitable failure of cyber security"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a","name":"Tom Uren","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g","caption":"Tom 
Uren"},"url":"https:\/\/www.aspistrategist.ru\/author\/thomas-uren\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/32581"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/618"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=32581"}],"version-history":[{"count":3,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/32581\/revisions"}],"predecessor-version":[{"id":32601,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/32581\/revisions\/32601"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/32582"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=32581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=32581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=32581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}