There’s an assumption that bigger is somehow better when it comes to cybersecurity, and it doesn’t always play out the way one might expect. During an online Cybersecurity Summit 2017 event this week hosted by the Washington Post, Richard Clarke, former national coordinator for security, infrastructure protection and counter-terrorism for the United States, said responsibility for managing local elections should be taken out of the hands of the county officials that run them today, because individual counties don’t have the resources required to secure them against cyberattacks launched by nation states such as Russia. The theory is that when it comes to IT security, bigger is always better. Of course, later in the week it was inconveniently revealed that the National Security Agency (NSA), the government agency with the most cybersecurity resources in the world, had fallen victim to a cybersecurity attack.
The problem with centralization is that it tends to create one fat, juicy target, as opposed to hundreds or thousands of smaller ones. A centralized target may be able to marshal more cybersecurity defenses. But because of the value of the data being protected, the number of attacks launched against that target increases exponentially. At that point, cybercriminals are playing the odds. They can patiently wait for the one mistake that gives them access to a treasure trove of data.
While there’s a lot of bipartisan support in Washington for doing more about cybersecurity these days, the debate about what should be done needs to consider some practical realities. It’s a lot harder to successfully penetrate thousands of distributed targets than it is one central data repository. The issue should be how to shore up the defenses of lots of targets, rather than making a case for trying to reduce the number of targets. There’s no such thing as perfect security. Any cybersecurity approach needs to address both improving cybersecurity defenses and recognizing that the more targets there are, the more likely it becomes that the size and scope of any one breach will be limited. In theory, for example, businesses could pool their resources to better secure their data. But once that centralized resource was compromised, the number of businesses affected would be a lot higher than if each business had focused its efforts on securing its own data. There is strength in numbers. It’s just that this strength has a lot more to do with the differential theories advanced by John Nash, the mathematician profiled in the book and movie “A Beautiful Mind”, than with any notion of building large castles to defend data, an idea that has its roots in defense strategies first crafted in medieval times.
There’s no doubt that cybersecurity needs to be improved across the board. One of the most significant ways being explored to achieve that goal is to assign organizations a cybersecurity rating. The cost of insurance for that organization would then include its cybersecurity rating as a factor. Arguably, organizations that not only encrypted data but also dispersed it across multiple distributed systems, so that compromising any one system is a useless exercise, would get the highest rating. Lower insurance costs would then provide the economic incentive to invest in the appropriate technologies.
Regardless of how organizations go about attaining better cybersecurity, the one thing that is for sure is that there’s no government agency or other entity coming over the hill to rescue them. They’re all too busy right now trying to save themselves.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.