Ask A [cybersecurity] Futurist

Heather Vescent
6 min read · Sep 16, 2024


Welcome to the inaugural “Ask a [cybersecurity] Futurist” column. This month’s question comes from Anna Borg.

She asks:

How can we change the “rules in the game” and make it less interesting to use the internet for attacks on organisations and societies, including democracy. We will never “win the game” if we are forced to play defence 24/7, 365 days per year. How do we change the incentives for attackers?

I won’t sugarcoat it: this is a complex and interconnected problem. The rise in cyber attacks is a symptom of a much larger problem. (Which means the solutions will not just address the cybersecurity problem at the core of this question, but the bigger problems that society deals with.)

The Complexity of Cybersecurity Threats

For defense teams, the current state of cybersecurity feels like an endless battle, with organizations and societies constantly reacting to the latest threats. For hackers, it’s a landscape with abundant vulnerabilities if one is willing to put in the work to find (or create) the magic key — like a recent Advanced Persistent Teenager.

Cybersecurity is a long, imbalanced game of whack-a-mole. Defenders have to guard everything, while attackers have the luxury of focusing. So how can you move out of a reactive mode to stay one step ahead of the next attack? And further, how can we make it pointless for attackers to target us in the first place?

Understanding Hacker Motivation

To change the rules, we need to understand why cyber attacks are happening. What drives someone to become a black hat hacker? Or to start a black hat collective? Or to join an elite nation-state hacking team? I’ve spoken with security professionals and hackers, and analyzed research data, and the motivations come down to three things: money, espionage, and the thrill of the con.

[Image: Viktor and Giselle from Better Call Saul]

In a survey I conducted last year with identity-security experts, financial gain and espionage were the top motivations, followed by a desire for notoriety or the thrill of hacking. Most hackers today aren’t lone wolves; they’re part of organized collectives that pool their skills and resources to hit bigger, complex targets. They might even employ the Silicon Valley approved “AAS/as a service” business model.

There’s another factor that’s often overlooked: socioeconomic conditions. During my research for the paper Shifting Paradigms: Using Strategic Foresight to Plan for Security Evolution, I was genuinely surprised to hear about the overproduction of well-educated young people unable to find good jobs after their security education. There are very few well paid entry level security jobs — even in the US and developed nations.

Changing the Incentives

So how do we change the incentives to make cyber-attacks less appealing and less profitable for would-be attackers?

I’m going to skip over the obvious answer of creating/using better security technology. Everyone is racing to implement better tech solutions, but this is just a band-aid — admittedly a really big band-aid. I’m going to talk about non-tech solutions.

Economic Solutions

If it’s true that we are overproducing highly educated security people, could we solve some security problems by having full employment for all educated security experts?

One scenario in Shifting Paradigms envisioned this idea.

5.10 Scenario 9: Money, Cash, Hoes

In this scenario, whose name is inspired by the Jay Z song, security defensive work has become so attractive and well-paid that black-hat work is no longer attractive, and people with security-relevant technical skills are almost universally employed in defensive jobs. Governments can still hire offensive hackers, but criminal syndicates have a very hard time competing with white-hat employers.

Changes from Today: Employers pay great salaries, offer significant flexibility and benefits, and recruit extremely aggressively, especially in poor countries with good technical talent and in ungoverned spaces. There are many good entry level security jobs.

Could one of the most effective ways to reduce cybercrime be to increase legitimate employment opportunities for those with technical skills? If well-paying jobs in cybersecurity or other tech fields were more readily available, especially in economically disadvantaged regions, would the incentive to engage in illegal activities diminish?

I think this scenario is illustrated in Wired’s recent article about Priscila Barbosa, Queen of the Rideshare Mafia, which describes the elaborate identity theft and fraud Priscila engaged in. Barbosa took IT classes back in her native Brazil and was a successful entrepreneur until the recession caused her business to disappear. She came to find her fortune in the US — which she did. But because she overstayed her visa, she could not work legitimate jobs. I’d like to imagine that if there had been a legitimate way to work in the US, she would never have participated in criminal activities. And maybe, if there had been good tech jobs in Brazil, she might not have needed to seek her fortune in the US at all.

In my view, Barbosa is a victim of a lack of economic opportunity.

Disrupting [Criminal] Business Models

What are the business models that make cybercrime profitable? I remember Kim Cameron, Identity Architect, saying (not sure if this is his quote or he was quoting someone), that “the most profitable business model on the internet is crime. Back in the 90s and again now.”

Even entrepreneurial criminals have embraced the successful “as a Service” software development model. But to me, this echoes the economic themes above. If there were legitimate economic paths half as successful, would there be less interest in criminal activity?

Nation-State Attacks

Nation-state hackers are a whole different beast. Their motivations are tied to geopolitical loyalty and belief. To reduce these types of attacks, we need to focus on improving global cooperation and reducing international tensions. This might sound idealistic, but fostering peace and global coexistence could significantly decrease the incentive for nations to engage in cyber warfare.

Reducing the Thrill

Then there’s the issue of hacking for fun, cultural subversion, or “the thrill of the con.” This is harder to combat, but one approach is to create more avenues for ethical hacking while embracing the dark side of hackers. Bug bounty programs, for example, allow hackers to flex their skills in a legal, constructive way. These programs are subversive in their own right but channel that energy into something positive.

Finding Solutions

Is the solution simply a transparent and interdependent global economy with legitimate well paid jobs so we can all live our best lives without stepping on someone to do so?

I don’t know about you, but that feels like a big and impossible solution — perhaps a bit too utopian. So, I want to leave Anna with some reasonable actions she or her company might take.

  1. Entry level security roles: Increase well paid jobs & support development programs to transition people into well paid jobs. As part of this, eliminate the rockstar mentality, and hire someone who is good enough for the job and then treat them well.
  2. Embrace the Lulz factor: Embrace the shadow of cybersecurity by engaging and encouraging the exact hacker mindset but to improve security — and again, offer an economic incentive. Bug bounties are both subversive and helpful.

Both of these ideas could have a corporate initiative with a budget, KPI and program manager. They could be funded out of HR or professional development, IT or risk management line items. Companies could partner with universities, hacker collectives and government agencies, maybe sponsoring a hackathon or participating in a local cyber wargame activity.

Got Questions?

If you could see the future of cybersecurity, what would you ask? Submit your question for a chance to be featured in the next “Ask a Cybersecurity Futurist” column.

If you found this insightful please consider booking me for a keynote talk or a lunch and learn session. Or sign up for the Future of Cybersecurity newsletter.


Heather Vescent

President, The Purple Tornado, a strategic intelligence company tracking the future.