RAND study: Cyber-defense must change course, or else

RAND today released the results of its multiphased study on cybersecurity's future, The Defender's Dilemma, delivering a frightening snapshot of defenders lost at sea.
Written by Violet Blue, Contributor

Let's get this out of the way: Defense isn't sexy.

We mythologize being the hacker, not the hacked. That will never change, but in light of RAND's new report The Defender's Dilemma, something's got to give -- or else.

Sponsored by Juniper Networks, RAND today released the results of its multiphased study of the future of cybersecurity, The Defender's Dilemma: Charting a Course Toward Cybersecurity.

The study isn't as sexy as RAND's previous report, Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar, and it won't grab headlines like its predecessor.

But for an attack landscape nerd and cybercrime junkie like me, the new study is actually more alarming.

The entire report is a bucket of cold water: it shows how unprepared, confused, and unsupported the people are whose job it is to protect your data.

RAND flatly states that today's combination of skyrocketing cybersecurity spending and its "questionable success" creates a setup in which "security efforts cannot continue on this course."

For the sprawling 162-page study, RAND "interviewed [18] chief information security officers (CISOs), reviewed the cybersecurity industry's slate of cutting-edge products, and assessed the struggles of the software industry (and its foes) to make or (alternatively) break secure software."

With estimated worldwide spending on cybersecurity approaching $70 billion per year, growing at roughly 10 to 15 percent annually (with no deceleration in sight), and a serious breach in news headlines practically every day ... the problems with defense demand answers.

RAND's Defender's Dilemma finds answers, and they are uncomfortable.

The Emo CISO

Some of the initial findings in Defender's Dilemma won't surprise anyone in the security sector. Yet the report provides solid ground for beliefs many already hold, such as that cyberinsurance is a dubious investment and that no one really knows what to do with threat intel.


In its research, RAND found that leadership was lost at sea, with little motivation to row toward shore. "The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm."

It also concluded that overall, "CISOs lack a clear vision on [cybersecurity defense] incentives."

Additionally, RAND's findings suggested that no one was confident that the U.S. government was going to be of help. "CISOs we interviewed did not express much interest in government efforts to improve cybersecurity, other than a willingness to cooperate after an attack."

How a breach makes a company look has become a top priority. "A cyberattack's effect on reputation (rather than more-direct costs) is the biggest cause of concern for CISOs."

RAND added, "The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk."

Got that? The data's actual safety matters less to the bottom line right now than people's perception of it.

For some of us watching on the sidelines, it helps explain why the field of cybersecurity startups increasingly, troublingly, favors appearance and connections (the promise of a silver bullet) over substance.

RAND's 21 interview questions to CISOs are included in the report.

"A progression from hope to painful commitment"

RAND's report takes a harsh look at information security's brutal, recent coming-of-age in the enterprise. "As companies learned that they needed to reduce not only the likelihood but also the impact of attacks, they turned to data loss prevention (DLP) programs and more-expansive use of virtual private networks (VPNs)."

Of course, measures begat countermeasures, and so on. "Attackers, in turn, made more use of stealth, obfuscation, and malware polymorphism. Defenders shifted to detecting attacks based on network behaviors and not signatures. Sometimes the same tools and techniques were used by both defenders and attackers."

As the novelty and innovation of each new technique was met with new countermeasures, it became harder to distinguish those that worked well from those that merely added complexity and noise, thereby taxing an organization's limited time and resources.

Without metrics, it is unclear why consumers would pay more for good products over merely adequate ones.

And the best tools and largest resources could not get around the many security weaknesses that arose from human nature.

Human nature as a security threat is a recurring theme throughout the report, notably in the can't-live-with-them, can't-live-without-them sections on BYOD and in the reaming given to bad coding practices (particularly in application security).

To estimate an organization's possible losses from cyberattack, RAND modeled the organization's defensive choices as a set of subroutines, parameterized by the factors CISOs discussed in their interviews.

RAND explained, "They are run in sequence, rather than in parallel, to represent a progression from hope to painful commitment:

  • We hope that training users suffices.
  • If that does not work well enough, we buy cybersecurity tools to thwart attackers.
  • If the combination of training and tools does not prove sufficient, we work on restrictions: first, to head off the burgeoning increases in addressable devices; second, to ensure that at least the most critical processes are protected through isolation."

See a news headline about breach losses? Question it.

The researchers discovered that at this point in time, losses are practically a subjective experience. No one actually knows how to estimate loss -- and so RAND broke down the process of cost estimation piece by piece (a model specification is provided in the report's appendix).

RAND said:

Our model portrays the struggle of organizations to minimize the cost arising from insecurity in cyberspace (over a ten-year period). Those costs are defined as the sum of:
  • Losses from cyberattack
  • Direct costs of training users
  • Direct cost of buying and using tools
  • Indirect costs associated with restrictions on the ingestion of BYOD/smart devices
  • Indirect costs of air-gapping particularly sensitive subnetworks.

RAND applies its cyberattack cost model to three example businesses: a medical practice, a bank, and a defense contractor (handling unclassified materials).

Not surprisingly, the team found that each tells a different story when it comes to losses. But RAND had a little fun with the model, changing variables such as training, tools, BYOD levels, and isolated subnets (air gapping) -- and asking questions like: okay, what happens if everything's infected?

You'll have to read the report to find out -- and also to see RAND nail it in its final Lessons for Organizations, and Lessons for Public Policy, citing conclusions on what's to be done, particularly with information sharing between organizations and government.

Perhaps the most curious conclusion, however, is RAND's own. "The best reason for being optimistic over the future of cybersecurity is the growth in ranks of those pessimistic about it."

Maybe there's a place for us in cybersecurity's future after all, dear reader.
