The Illusion of Security and Safety

A casual reflection on the topics of safety, societal agreements, and cybersecurity by Ross Haleliuk

-

Resilient Cyber Note: This is the first ever guest-post I’ve had on the Substack and I couldn’t be prouder for it to be from Ross Haleliuk. Ross runs the “Venture in Security” blog that covers building and funding the cybersecurity landscape of the future. His pieces are incredibly detailed, thought-provoking and well-written and I’ve learned tremendously from them.

-

When Russia started an unprovoked and unjustified war against the sovereign nation of Ukraine, the world as we were used to seeing it shattered. Putin’s actions highlighted a truth that has long been forgotten: the world order as we know it is nothing but an abstract concept we as a species have created and agreed to uphold. In this piece, I am sharing philosophical reflections on the problem of security, how it is relevant to the events we are seeing today, and why we need to change our underlying assumptions about cyber peace.

Our physical protection is weaker than we think

When we think of security, we typically see it as a part of objective reality. That makes intuitive sense, as we seem to be surrounded by systems and processes put in place to protect us. There are metal detectors at airports, police patrols on the streets and at public events, and armed security at the border, and we know that most of the time they work as designed. What we rarely think about is that the reality of security is a bit more complex, and that the systems we put in place to provide protection are much weaker than we would like to admit.

I have been reading about lock picking and noticed that it is a common hobby among security practitioners. A few months ago, curiosity finally took over and I bought a lock picking set and a few practice locks. It took me less than a day to realize that most locks we see around daily can likely be opened in a few minutes by a rookie lock picker, and in a few seconds by a professional. The vast majority of locks are as good as leaving the door open with a sign saying “don’t come in, please”: great intent, pretty bad execution.

Safety and security are outcomes of societal agreement 

Although lock picking didn’t become my hobby, it made me realize that our sense of safety is completely unfounded. The reason most of us don’t become victims of burglary daily is not the strength of our defenses (there is none); it is that most people agree to live within the boundaries of the law. In other words, we as a society agree that entering other people’s property is bad, and we choose not to do it.

The law itself is a concept we as a society have designed to set and agree on the boundaries and to collectively hold one another accountable when the boundaries are crossed. If someone chooses to deviate or disregard this agreement and illegally enter the premises of, say, their neighbors, the door locks are not going to stop them. 

Methods of enforcement for societal agreements vary

Establishing societal agreements is not enough; we also need methods for their enforcement. Institutions such as courts, police, border protection, audit, and the like are designed to enforce the rules people have agreed to play by. The actual strength of these organizations is important, but their perceived strength is even more important. The moment people stop caring about the agencies that enforce the law, the moment they can defy orders without any consequences, our legal system will fail.

The other case that would cause our systems to fail is when the percentage of people who choose to go against the societal agreement rises well above the forecasted maximum, rendering the enforcement mechanisms useless. A common example is revolution: once the number of people who want a change of the societal order greatly outweighs the forces that keep that order in place, such as the army and the police, the regime loses control over the situation and the system fails.

Our cybersecurity measures are weaker than we think

Although our door locks are pretty useful when everything is okay and the number of burglars is within the expected norm, they become entirely useless during looting and mass unrest. The same is true for cyber defenses: what we have in place is more or less fine against the limited number of cyber attacks we see during the time of cyber peace we are living in now. Today, the vast majority of cybercrime is financially motivated, and with some exceptions like the 2015 Ukraine power grid hack, critical infrastructure is not under attack. If any nation-state chooses to abandon the current rules of the game and fight for destruction, the defense measures we have today will all fail.

Today, all big military powers, including the US, China, and Russia, have the technical capabilities to shut down hospitals, ground airlines, open dams, and cause subway trains to collide with one another. This isn't science fiction; it’s the side effect of digitization, the absence of security-first product design, talent shortages, old infrastructure, and the low cybersecurity maturity of people, countries, businesses, and organizations. As a society, we are completely unprepared to defend against advanced attackers: our security tooling is not able to withstand the onslaught of nation-state attacks focused on destruction.

As the example of Russia’s unjustified war against Ukraine shows, any peace in cyberspace only exists until one side chooses to stop playing by the rules we as a society agreed to. So far, the fight in cyberspace has been driven by money. When making money is the main objective, cyber attacks look more like burglary than looting: bad actors take what they need and leave a way to come back for more. With rare exceptions, they are not looking to bring permanent destruction. However, it’s worth remembering that all it takes is one person, and the world order as we know it will be shattered.

A Reality Check

As noted above and discussed in the recently published National Cybersecurity Strategy, cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.

We do our best as security practitioners to embed cybersecurity into a digitally driven ecosystem where software is pervasive. But as we see with criminals largely driven by financial motives, our methods are neither infallible nor formidable, and the societal and legal constructs we put in place do not function as reliable deterrents or impediments.

As domestic polarization increases, coupled with global economic headwinds and rising geopolitical tensions, the illusion of security we hold dear could deteriorate in ways that go beyond the traditional CIA triad of confidentiality, integrity, and availability and impact things like life and limb.

As it is said, behind every glorious facade there is always something ugly hidden, and the ugly thing we have hidden here is that our digitally driven society is incredibly vulnerable and ripe for destabilization. It could be argued that it is hidden in plain sight: for many of us, this uncomfortable truth is palpable.