{"id":52466,"date":"2019-12-11T12:25:19","date_gmt":"2019-12-11T01:25:19","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=52466"},"modified":"2019-12-11T12:25:19","modified_gmt":"2019-12-11T01:25:19","slug":"cybersecurity-how-are-we-doing","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/cybersecurity-how-are-we-doing\/","title":{"rendered":"Cybersecurity: how are we doing?"},"content":{"rendered":"

Making judgements about the state of cybersecurity isn\u2019t easy. Much depends on the metrics we use to measure success and failure, where it\u2019s all too easy to fall into the trap of doing things right rather than doing the right thing.<\/p>\n

Asking ourselves whether we\u2019re doing things right merely asks us to measure our progress down a prescribed path. Judgements about whether we\u2019re doing the right things are harder to make. It\u2019s entirely possible we\u2019re not even on the right path, regardless of how far along it we\u2019ve come. A word of warning: this is a fairly dense and difficult topic.<\/p>\n

Cybersecurity\u2014at its core\u2014is cloaked in both technical and operational obscurantism. Operationally, an important chunk of what we might think of as cybersecurity\u2019s bandwidth is about countering subversion, espionage and sabotage\u2014all activities where the defender must be just as adept as the attacker in the black arts of disinformation, hiding and diversion. Trying to measure whose artistry is blacker, when both sides are doing all they can to conceal their true capabilities, is a fool\u2019s errand.<\/p>\n

We might consult those in the actual business of cybersecurity, of course, to ask whether things are getting better or worse. But the business model of many in the industry, and even messaging by decision-makers, typically feed on fear, uncertainty and doubt.<\/p>\n

Alternatively, we could interrogate manufacturers to examine whether enhanced security features are now the default attributes of their products. The answers would be mixed. Many newer applications originate in civilian offices and research facilities a long way from government. They may be found, often without differentiation, in the civilian, national security and military worlds.<\/p>\n

Another option is to make some judgements about success and our own situation based on the health of that which we are seeking to protect. Let\u2019s do that.<\/p>\n

First, let\u2019s look at the current apparent trends in the environment. There lies perhaps the strongest case that we are failing. The Australian Department of Home Affairs discussion paper makes the case that the environment is increasingly threatening and that the costs of mitigating those threats are increasing\u2014as do report after report from industry.<\/p>\n

Plus, there\u2019s an increasingly threatening geopolitical environment. Advanced persistent threat actors, driven by geopolitical interests, are progressively more brazen, targeting national security, commercial and personnel systems and data across a wide range of sectors, regions and activities. There are deepening concerns over supply chains, \u2018insider threats\u2019 and the theft of intellectual property developed in Western universities, research institutions and companies.<\/p>\n

Non-state actors are proving not merely resistant but more adept at exploiting the internet than nation-states. Child exploitation is increasing. Successes against groups such as Islamic State may prove ephemeral as they adapt. Ransomware is a tool of choice of criminal groups and pariah states, and is now directed at a wide range of industry sectors, from small and medium-sized businesses to local and state governments. Once code is in the wild, anyone can use it, broadening the number of possible attackers and deepening their arsenals.<\/p>\n

It\u2019s not pretty and it\u2019s fair to conclude that we are worse off.<\/p>\n

It\u2019s hard to assess expenditure on cybersecurity\u2014after all, it\u2019s often rolled into other programs or comprises a series of disjointed activities. Australia spent $238 million over four years on its 2016 cybersecurity strategy, with another $300\u2013400 million allocated to Defence over 10 years.<\/p>\n

The UK government assigned \u00a31.9 billion ($3.7 billion) to its 2016\u201321 cybersecurity strategy, while the US government is seeking US$17.4 billion ($25.6 billion) for cybersecurity in 2020 alone. As the UK public accounts committee also noted, it\u2019s often hard to see the value of such expenditure.<\/p>\n

Cybersecurity must contend with threats and vulnerabilities that are often unknown, uncertain and exhibit non-linear behaviours. They may lie dormant for months, even years, or be constant and escalating. They may arise either from external actors or from internal issues that may be deeply technical (in code, logic or architecture) or simply social (practice, process, cultural).<\/p>\n

Cybersecurity also feeds on technical debt, particularly the type that represents failure to maintain and update systems and ensure adequate support over time. Funding mechanisms typically favour new builds through capital funding rather than maintenance, patching and updates, support and skills development, all of which draw on operating expenditure.<\/p>\n

That funding pattern invariably means that the newest, shiniest bit of kit gets the most attention\u2014attention that in many instances may be better devoted to the legacy systems and processes within which the new piece of kit is nested. The result is the steady accretion of complexity, cost and vulnerability.<\/p>\n

A good deal of cybersecurity is about doing the technology well. But that requires constant attention, adaptability, and a sound partnership with and knowledge of the business; good governance and culture; expertise and capability; and sufficient funding. And, of course, we are simply not as good as we think we are\u2014or should be\u2014at building, integrating or running highly complex, distributed and changeable technological systems.<\/p>\n

External costs and inertia may be found in the modern legislative environment. Thickets of regulations impair flexibility, adaptiveness and capability. They tend to encourage compliance, focusing minds on \u2018ticking boxes\u2019, often with little effect on actual cybersecurity.<\/p>\n

Given the costs and difficulties, notions that government should resolve other organisations\u2019 cyber problems are likely to be short-lived: the complexity, costs, resources and assumption of liability required are simply too great.<\/p>\n

It\u2019s unrealistic to expect a government agency to possess sufficient capability or awareness of an external organisation\u2019s local systems or activities to protect it without risking damage to that organisation\u2019s business. Imposing standardisation risks imposing additional costs and impairing adaptiveness, the ability to learn and overall resilience.<\/p>\n

Within the older Western democracies\u2014weakened by populism and sclerotic economies\u2014it may be tempting simply to exert top-down control rather than undertake the difficult work of empowering individuals and building trusted communities. That temptation increases particularly as China strengthens its economic and technological prowess.<\/p>\n

But restricting the ability of individuals and organisations to secure their interests and identity and control their own data does not simply undermine the cyber resilience of individuals, organisations and society. It also risks our credibility and our identity as a Western, liberal democracy.<\/p>\n

Cybersecurity is just as challenging and contentious as other areas of security in our increasingly unsettled world\u2014perhaps even more so, given its reach into our everyday lives.<\/p>\n

It\u2019s difficult to argue that here, too, we are doing things right, let alone doing the right thing.<\/p>\n","protected":false},"author":861,"featured_media":52468,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[1],"tags":[391,2138,332],"yoast_head_json":{"title":"Cybersecurity: how are we doing? | The Strategist","canonical":"https:\/\/www.aspistrategist.ru\/cybersecurity-how-are-we-doing\/","article_published_time":"2019-12-11T01:25:19+00:00","author":"Lesley Seebeck","twitter_misc":{"Written by":"Lesley Seebeck","Est. reading time":"5 minutes"}}}