Commentary - Cyber security is an incredibly complex problem that might be dubbed a “wicked problem” or “mess”, both literally and figuratively. In fact, Morphological Analysis (‘MA’) is a field of study specifically “designed for multi-dimensional, non-quantifiable problems with seemingly non-reducible complexity”, and it defines different classes of challenges as follows:
Problem = Well formulated/defined issue, but with no single solution
Puzzle = Well defined problem with a specific solution
Mess = Complex issue which is not well formulated or defined (“Wicked Problem”)
From MA’s perspective, a mess or a wicked problem such as cyber security requires a holistic/system oriented solution as opposed to the “point solutions” that currently pervade cyber security industry thinking. In other words, problem and puzzle contexts cannot be used to solve messes. As noted by Michael Pidd in his book, Tools for Thinking, “One of the greatest mistakes that can be made when dealing with a mess is to carve off part of the mess, treat it as a problem and then solve it as a puzzle -- ignoring its links with other aspects of the mess.”
Another potent thinking aid or tool that can help characterize the context of the challenges facing cyber security is the use of metaphors. According to an extremely thoughtful and creative report by Sandia National Laboratories, ‘fortress’ and ‘cops and robbers’ are the two most prevalent metaphors used in cyber security today. The embodiment of these metaphors can be easily discerned in today’s security implementation stack of firewalls, anti-virus, intrusion prevention and detection systems and forensic analysis toolkits. Much has been written about the shortcomings of the fortress metaphor due to its static embodiment in an increasingly dynamic and mobile digital world, as well as the futility of the cops and robbers model against low-cost, dynamically changing malware, whose attribution is proving difficult, to say the least. Suffice it to say, the exploration of new metaphors and models would be both intuitively appealing and empirically justified.
The Sandia report articulates other potential metaphoric models that seem to resonate more vigorously with cyber security, such as “warfare” (enemies, weapons, tactics, etc.) and biology/healthcare (importance of heterogeneity, programmed cell suicide/apoptosis, the role of disease enumeration in medicinal development and the importance of a system/ecosystem oriented approach). We strongly believe that the warfare and healthcare/biology metaphors both accurately reflect or model cyber security’s actual problem dynamics. However, we will focus on the warfare metaphor for purposes of this discourse for the sake of expediency, as well as to directly address and dispel the currently popular notion that attackers have a natural asymmetric advantage over defenders.
It is true that attackers can choose where, when, how and how often to attack, and that they only need to find one weakness to be successful while defenders need to protect against all. To make matters worse, attackers possess potent, automated technologies for the distribution, morphing and attack payloads of cyber weapons, having simply ‘out-innovated’ defenders, and outmaneuvered, out-strategized and by default out-generalled the software security industry. That’s the bad news. The good news is that although attackers have been winning battles, we are still at war, and the history of warfare has been a see-saw of alternating advantage between attackers and defenders. Here are a few ways that defenders can not only even the odds and win a few battles, but also potentially win the war:
- The defense not only knows the terrain, it created the terrain and can change the terrain.
  - Message: Time to retake the high ground and redefine the battle.
- The defense can dig in and “mine the easy path”.
  - Message: Materially reduce attack surfaces and remove automation as an attack tool.
- The defense can invent new technologies to revert the balance of power back to defenders.
  - Message: In war as in IT, you need to innovate to win.
The simple truth is that if you ask the wrong questions, think the wrong thoughts or develop the wrong metaphors, it’s easy to get lost, and lost we clearly seem to be. But we are not lost without hope or a compass, for metaphor and systems-oriented thinking have much to add to the way in which we think about the problem of cyber security.
David Lowenstein is the CEO and co-founder of Federated Networks, an IT security company. He has successfully led corporations in the business process outsourcing, education and environmental services industries. He is currently the Chairman of the Board of Princeton Review.
Risu Na is the CTO and co-founder of Federated Networks. He has led development teams to create e-learning systems and co-founded iSoftech, a cloud-based knowledge management software manufacturer.