My first encounter with the founder of one of the leading cybersecurity product companies in the world was at the RSA Conference in San Francisco. I would guess this was around 2008-2009. In the vendor hall, he had a booth next to the one I was staffing on behalf of my employer. Every hour on the hour he gave a compelling talk about “the adversary” and how his product was taking a new approach to addressing the threat so that finally all our businesses could be protected. It was a compelling story, and I admired that particular piece of technology because in practice, in my experience, it seemed to work. At least, it seemed to have the capability to do the sorts of things that we all agreed were needed in order to combat our most sophisticated adversary. I recall at the time thinking, “he’s right, this could work.” I wasn’t alone.
A little later, while at another private gathering of defenders representing various tech companies that cooperated with the US Intelligence and Defense communities toward our shared goals of national defense, this product company popped up as the new gold standard. We were all encouraged to take a look at what this company offered, with the added implication that if we were united behind this tech, we could expand our collective capabilities even further. The members of this community were literally operating against the world's most organized, capable, resourced, and persistent threats, and some believed that we finally had the strongest wall we could build around our digital castles. We believed we could win.
I recall at the time sharing stories with a peer in this community who would later co-found one of today’s top cybersecurity companies. We were sharing war stories about the fact that we had the knowledge and capability to prevent a certain adversary from their success, but we lacked permission and policy to do so due to company priorities and what is often called company culture. But we, the practitioners studying the adversary, knew it was possible to defeat them.
Still a bit later, I found myself working for said product company. At that point, I was a true believer in the story and the capability. It seemed that we could, finally, defeat the most sophisticated adversary that had been plaguing us for years, and I was excited to be part of the company leading that charge. In my role, I was responsible for threat research and adversary intelligence; to know the threats to this particular company and to provide recommended countermeasures to effectively defend against them. In the course of my work, there came moments when our defenses were breached and adversaries were finding success against us.
It was in one of these moments that this famed product company founder and cybersecurity leader who once stumped next to me in the RSA vendor hall made the claim that no one, in fact, can effectively defend against “the adversary.” He called trying to do so “an impossible mission.” He made this remark in response to my organization’s executive leader reporting on an incident and requesting additional resources and actions to improve our defenses. The request was dismissed as futile, thanks to the mythology of an all-capable and undefeatable adversary. After all, why waste company resources on a problem that cannot be solved? The truth was, we hadn’t even yet exhausted the capabilities we had. There was still a lot more we could leverage from the technology and more we could do with policy that would significantly strengthen our defensive posture. But all of this would require more staff, changes to policies, and operational rigor: things that would create friction with business objectives at a time when investors were demanding exponential company growth.
But this executive isn’t alone. I’ve seen this play out at nearly every tech company I have worked for.
For some reason, when the reality of cybersecurity confronts executives with the fruit of their decisions and where they have softened security for the sake of business opportunities, they often default to a stance of believing that cyberdefense is “an impossible mission.” Obviously this is an attempt to deflect blame and accountability, and to justify continuing forward with business as usual as growth targets and profits are prioritized over principles.
But as the cybersecurity leaders make these claims, they have to echo them into other conversations, and so the adversary mythology grows and becomes part of the greater narrative of the industry and a larger scapegoat that allows businesses to be reckless rather than prudent.
The myth is something like this. The adversary is a collective being made up of all the individual and organized threat actors in the world. Their combined strength represents unlimited resources, knowledge, weapons, and opportunities to act. They are constantly at work, without break, and always maturing their tools, techniques, and procedures at a pace that exceeds our ability to keep up with countermeasures. They move faster than we do and have none of our operational or business constraints. The myth is essentially that “the adversary” is all knowing, all powerful, ever present, and inexhaustible. Our industry has even gone as far as making superhero action figures that represent “the adversary,” which further adds to the mythology.
After spending decades researching and watching and developing countermeasures against the most sophisticated nation state adversaries in the world, I can tell you the truth: they have limits, and we have the advantage. We knew this once, and we readily admitted it. In fact, it was the premise that elevated the top two cybersecurity companies to their current places of success. But this is a narrative they have since abandoned as they have chosen to continue accelerating that success as their new first principle.
But the reality is, we do have the advantage.
We choose the context and attributes of the battlefield. We choose what systems we will adopt, what infrastructure we will use, what standards we will set, if we will enforce and require certain security controls, or if we will simply recommend and offer them. We choose who we hire to configure and operate the technology. We choose our CI/CD processes and standards. We get to decide when code is ready for production. We configure our network ingress and egress points and decide what will be allowed to traverse our networks and which systems can communicate and how. We decide what software and applications we will use, including versions. When updates and patches are released, we decide if and when we will apply them. We make a decision about who will have privileged access to our systems and what they can use that access to do.
You see, we choose what we put before the adversary. It is what we put before them that they have to probe, study, and ultimately attack. It is by our choosing. The battle is on our terms. Not only are all these decisions ours to make, but the adversary also has to operate on our terms, and usually with less capacity than we have.
For a Silicon Valley tech company worth over $130 billion to claim they lack the resources to sufficiently defend against a group of a dozen individuals in a third-world country working side jobs as hackers in a coordinated effort to make some extra money is simply insane. It’s a lie.
The adversary does not have unlimited bandwidth. They do not have unlimited lists of 0-day exploits for all the software and applications we use. They do not have secret knowledge about code that is inaccessible to us. They don’t have smarter developers and coders. They don’t have unlimited compute resources to break our secrets or run operations at a faster pace or longer term than we do. They don’t have TTPs that circumvent all our best practices. They cannot know more about ourselves than we do. They don’t even have greater numbers of attackers than we have defenders.
They have not yet adopted AI to the extent that all of our defenses are rendered impotent, although this is increasingly becoming the implied claim of some cybersecurity companies.
These threat actors, in reality, breathe the same air as we do. They use the same Internet. They use the same applications. They rely on the same network traversal paths.
No, this is not an insurmountable problem. We can defend against the adversary. But that does require diligence. It requires intent on our part. It requires principles that we will uphold and they need to be part of our business priorities, not viewed as working against them. Security isn’t friction, it’s a force multiplier and an enabler. That is, unless your business is in selling failed cybersecurity technology.
But this exacerbates our problem. As a smaller business entity looking toward those with billions of dollars in market cap, it may seem prudent that you simply follow their lead. If that company cannot defend against the threat without constantly reinventing their product with new versions and features, then why should I expect I can? This creates the false impression that you must buy your way out of the problem, and so the vendor halls of the cybersecurity trade shows expand endlessly, year after year, with new products claiming to have finally solved the problem. It seems to me we are not even trying anymore.
I saw this same lust for business growth compromise another cybersecurity company I worked for, which intentionally neglected the best practices it preached to customers. As a result of not following best practices and industry standards, a simple code update deployed to customer systems throughout the world caused widespread Internet outages for many of the world’s largest companies. The damages were so severe that many assumed this would be the end of that company.
Did some elite hacker break in through the most hardened defenses the cybersecurity world has to offer? Did some employee find a loophole that no one else knew existed? Did the employee go rogue and intentionally bypass protections? No. The company leadership and culture simply failed to do what they tell the world is crucially important. They relaxed values to favor business growth, because it had worked so far. Their solution was to adopt the best practices and standards that have been known and used for decades.
We do not have a technology problem in cybersecurity, nor do we have insufficient standards or ineffective best practices. We have a first-principles problem. If going fast and expanding business revenue is the true priority, then we should be honest and own up to that. Creating a myth about our adversary to be a scapegoat is self-serving and is what drives the insatiable urge to buy more stuff from an industry that solved our core problems decades ago.
The adversary problem is an addressable one. We have the advantage. We have the opportunity to limit the options the adversary can use against us. We know what to do. The question is, will we do it?
At Practive Security, we believe the cybersecurity mission is a noble one worth pursuing. It’s a fight worth winning, and we believe it is one that can be won. But we must first dispel the myth of the undefeatable adversary. Then we can get to work on making security not only effective at preventing and limiting damages, but also a competitive advantage.
Our approach focuses on the truth, on values, and on principles. We believe we have effective standards we can follow. We believe we can establish and manage standards that will be effective. We believe we can harness existing technology in ways that will be effective. We believe we can partner with the business to help ensure top goals are met.
It starts with an inward focus. Know yourself, know your limitations, and set your priorities. Build standards, and leverage people, process, and technology to implement and maintain them. This must be part of the company business strategy as an overall company mission enabler and protector.
Next, know your adversary. Keep that knowledge rooted in the truth and orchestrate your policies, capabilities, and practices toward defeating them.
Focus. Know. Decide. Act.
This is a winnable war.