Defeats do not mean a lost cyberwar

The channel is key to assist organisations win many individual battles, notes Larry Walsh

If you listen to the talk, the cyberwar with hackers, intelligence services and criminal organisations is over and the black hats won. Or at least they're on the verge of victory, leaving the digital economy a desolate wasteland, unable to operate as user confidence is sapped.

That's the view of some, including Alex Thurber, vice president of sales at WatchGuard Technologies. Last week, Thurber said the security community is falling further behind the hackers, and the result could soon destabilise the digital economy.

If nothing is done to tip the scales in favour of the defenders, Thurber believes the market will lose confidence in online services and resources, damaging the economy. Evidence of this possibility materialised this week in the US with the resignation of Gregg Steinhafel, chief executive of US retailer Target. He is stepping down as a result of the December 2013 breach of the retailer that exposed more than 40 million credit card numbers.

Target is the latest example of what will happen to companies that fail to protect their digital assets and customer information. The breach claimed the job of not just the CEO, but the CIO, and has cost the company $61m (£36m) in lawsuit settlements alone.

Other companies face similar recovery costs and lost user confidence following their breaches, showing how devastating the after-effects can be.

Statistics are against those declaring that hacking undermines the digital economy. While companies like Target suffer setbacks and damages because of security breaches, the use of the internet as a commerce medium increases unabated, according to the US Department of Commerce.

Growth of the digital economy has done nothing but climb each quarter for the last 10 years. Individual companies may lose customers and money, but the overall digital economy remains healthy.

Here's the problem: the cyberwar - at least in the context of commerce and economics - is not a war of attrition. It's an ongoing struggle akin to the Cold War, in which one side is always trying to top the other in advances. No sooner than hackers come out with a new weapon, the security community comes up with a new defence.

Many practitioners remember when security meant little more than firewalls and antivirus; today, it is layers of defences built on intrusion prevention, data loss prevention, application access control, identity management and other technologies.

Losing the cyberwar is a practical impossibility. Hackers, regardless of their stripes, are parasites. They rely on healthy hosts for sustenance. If they kill the host, they lose their energy source and will probably die. Think of it this way: what would happen if hackers brought down the internet? What if they crashed the whole thing?

Well, the hackers would be in the same position as the victims, locked out and idle. They don't want that any more than their targets do.

Nevertheless, the security community and their customers will lose battles. They'll lose many battles. No security measure or system is 100 per cent effective. History is replete with security measures thought invincible that were brought down by creative thinking and innovative approaches. The challenge is to minimise the security losses.

The problem isn't that the good guys don't have the right security tools, or that vendors aren't producing innovative technologies; there is a failure to apply sound strategies and management practices.

Take Target: Steinhafel is resigning because the breach could have been prevented. Like many companies, Target did a cost-benefit analysis in which it chose not to do something. The same thing happened at a company called TJX in 2007, when it decided not to upgrade its wireless encryption.

For short-term cost savings, businesses make decisions that could affect their long-term security posture.

Security is always about cost. The goal of any good security strategy isn't preventing incidents, but making them so expensive for the attackers that they move on to another, more economical target.

The challenge is not spending so much on security that the cost for the defender is prohibitive and erodes other business operations; it's about risk management, in which risk equals what could happen times the potential impact of a security breach, times the potential frequency of attack. Once a company calculates its risk, it can apply appropriate levels of security.

For solution providers, the risk management equation and the notion of winning more battles is an opportunity. Businesses don't have the resources to understand the threat landscape, calculate risk, or apply appropriate security measures. They need the help of objective, experienced professionals and teams that can see the global security picture.

In other words, the security opportunity isn't just about selling more technology, but the sound application of that technology. In doing so, security solution providers can help customers not just weather the cyberwar, but ensure they don't lose too many battles or suffer deep wounds.

Larry Walsh is chief executive officer and president of Channelnomics

For more US-focused channel coverage, see www.channelnomics.com