Well-known cybersecurity firm Crowdstrike greets travelers who arrive at San Francisco International Airport with a rather bold claim advertised throughout the terminals. The advertisements pose a pernicious yet seemingly tidy answer: “Yesterday’s Antivirus Can’t Stop Today’s Cyber Attacks. Crowdstrike Falcon Can.”
Irresponsible hyperbole? Or is it a pitch made in good faith, albeit one as confident as it is ignorant? It doesn’t much matter. It is 2017, and we now have ample evidence proving that the false promise of so much cybersecurity — that risk can be entirely eliminated with one simple program — will, barring a technological revolution, never be realized.
The data is in: Cybersecurity is dead. Even as global cybersecurity spending is expected to balloon to over $100 billion by 2020, the frequency and severity of cyberattacks continue to grow, with seemingly no end in sight. While exploits and hacking tools become even more widely available and simple to deploy, there has been little commensurate progress in beating back attackers, who continue to find success striking at persistent, common weak points. How is this possible?
The answer is one that must chagrin any CISO spending exorbitant amounts of money on cybersecurity programs: The entire conception upon which cybersecurity rests — of constructing a castle that marauding attackers stand little chance of breaching — is barely of use.
It would be mildly amusing but for a simple fact: The integrity of sensitive data, ranging from your grandmother’s medical records to your personal financial information, relies on its secure storage by a dizzying array of institutions. It is no exaggeration to say that cyber risk — the accumulated potential for the exposure of privileged data — is a matter of life and death, as seen in the frightening effects of cyberattacks on the healthcare industry across the world. The existing conceptions of how IT systems can be secured and protected must be discarded in favor of a new and more diffuse understanding of cyber risk.
The concept embodied in the Crowdstrike ad — that, at last, here is the program that will, like the little Dutch boy, plug the hole in the dam — is insufficient for combating the real and growing threats looming across the digital landscape. Unsurprisingly, ransomware is exploding in popularity, as the low-cost, easily usable malware proves continually effective at extracting money. But there are grander threat vectors looming: crimes such as electronic bank robberies, digitally enabled high-seas piracy and cyberattacks against electrical grids are not science fiction premises; rather, they are real crimes that will only grow more common.
The false promises of cybersecurity doctrines have been repeatedly laid bare over the course of the past few decades. Antivirus programs, once relentlessly promoted as an indelible part of any IT configuration, are now dead even to their creators, having proven thoroughly ineffective in combating cyber risk — indeed, even proving to be a liability at times. The “set it and forget it” model, with its focus on an endpoint solution to be instituted without much thought, typically relies upon an out-of-the-box program sold by a third-party vendor. Even if the most seemingly impregnable of such barriers are laid down, hackers will be able, with time, to build a higher ladder.