The dangerous games we play

By Hendrik Troskie

Early in 2020, when I released my book The 4th Competitive Force For Good, I referenced the losses to the global economy as a result of cybersecurity events, projected to reach some 6 trillion USD by 2024. It is a year later, and those figures have been blown out of the water. Cybersecurity Ventures now predict annual losses to the global economy reaching 11.5 trillion dollars by 2025.

Let’s reflect on that for a second. 11.5 trillion dollars is the same as the annual economic output of Japan, Germany and the UK combined. It is rapidly approaching the economic output of the second largest economy in the world: China. That’s right. Think of the blood, sweat and tears of billions of hard-working people just squandered, every year. Now think about what the world could do to address the UN 17 goals for sustainable living, or to address global poverty around the world, with that amount of money every year.

In the last few months the cybersecurity world was rocked by two significant cyberattacks. The first is the SolarWinds cyberattack. It was initially described as a sophisticated attack by government-sponsored attackers. In fact, it has been claimed that some 1,000 professional hackers were involved in perpetrating the attack. The consequences are far-reaching: some nine US state departments have been identified as having suffered a breach, and more than 18,000 businesses have been compromised. Big names like Microsoft admitted that their source code was accessed. Precisely what they mean by accessed is not clear. I think we can safely assume that the source code has been transferred out of the company. The worrying thing is that having access to the source code is the holy grail for hackers. It gives attackers unprecedented abilities to develop software that exploits vulnerabilities in this code.

Another notable victim is the company FireEye/Mandiant, the global leader in attacker detection and response technology and services. Ironic? Indeed, but it is what was revealed that is more important than the attack itself. FireEye admitted that their own attack exploit software was accessed and copied. They promptly published details of the software plus mitigating strategies to prevent companies becoming victims of FireEye’s attack tools. To much applause, it must be added.

Now think of these attack tools as digital weapons. Why does FireEye have an arsenal of digital weapons? FireEye and many cybersecurity companies use digital weapons to test the effectiveness and efficiency of businesses to detect and respond to attacks on their networks. It is called red teaming or sometimes simulated targeted attack and response assessments. This of course raises a number of important questions.

FireEye immediately informed their customer base on how to mitigate against the stolen digital assets and received a lot of praise for doing so. If we reflect for a second, we must ask the question: FireEye is in the business of providing detect and respond tools and services, so why did they have to inform their clients on how to mitigate against their digital weapons? Surely their customers should, by subscription to FireEye, have been resilient against these very weapons! The answer is that FireEye and other cybersecurity companies are in it for the profit. When they execute a simulated attack or red teaming exercise they must be successful in breaching the customer’s network. In order to do so, cybersecurity companies stockpile digital weapons built to exploit vulnerabilities in technologies we all rely on. The right thing to do would be to inform the original manufacturer of the vulnerability, but that would disable the digital weapon. Some cybersecurity companies even boast about having exploit development teams, researchers that specifically stockpile vulnerabilities and digital weapons to guarantee their success in simulated targeted attacks. It raises serious ethical questions about the honesty and transparency in the cybersecurity industry.

The problem extends beyond cybersecurity companies. Governments do the same. In fact, the US government has a stated policy towards stockpiling digital weapons in the ‘National Interest’. Under the Obama administration some form of control was implemented to limit the extent of the digital weapon stockpiling, but this control was abandoned by the Trump administration. Notably this is a matter of public knowledge. It is not a secret. Most people I talk to seem to think it is justified under the idea of the national interest. Nevertheless, every now and again the government will inform a technology company of a vulnerability, but only once they have used their digital weapon and it has been exposed. Once the genie is out of the bottle it spreads around cybercriminal organisations like wildfire. The very recent attack on Microsoft Exchange server is a case in point. Some 250,000 businesses have been breached and there is a mad scramble to eliminate attackers from email systems whilst trying to maintain normal business activity. In the meantime, more attackers have joined the feast.

I predicted this problem in my book. In fact, let me be transparent and say that the control system that businesses and governments use to manage cybersecurity has predicted this problem, as it has a negative feedback loop by design that will continue to expand the control gap to the point where control of information technology is lost. It is hard to look at recent cyberattacks and the growing losses to the global economy and not think it has already happened. If the world economy is leaking away the economic output approaching that of the second biggest economy in the world, China, to cyberattacks, can we claim that we have cybersecurity under control? I suggest we cannot.

There is no point in trying to fix the problem with the cybersecurity control system as it stands. That is because the cybersecurity control system is the problem. It is time to rethink this solution, to stand back and ask ourselves the question, why are we doing cybersecurity control systems this way? It clearly does not work. How can we do this better? I have proposed an alternative in The 4th Competitive Force For Good. It is an alternative to thinking about business leadership, ethics in business and purpose that has already proved highly efficient and effective in addressing sustainability problems and the environmental crisis. Only then can we stop this dangerous game we are playing.

For more on Hendrik Troskie and his book The 4th Competitive Force for Good, go to https://www.linkedin.com/in/hendrik-troskie-ma-phil-3987298/