Achieving an audacious goal by treating cybersecurity like a science

When humans discovered and learned to ‘obey’ the laws of physics and chemistry, we began to thrive in our world.  It enabled us to make fire, build machines much stronger than ourselves, to cure diseases, to fly.

What will it take for us to thrive in the world of cyberspace?  What are its laws – its set of primitives and rules?  Just like our scientists learned to honor the fundamental elements of matter & gravity in our physical world, our cybersecurity scientists must honor the fundamental elements of our virtual world - speed & connectivity.

However, organizations often ignore these fundamentals, bolting on cybersecurity solutions that slow you down or make it hard to communicate; they’re doing the equivalent of “ignoring gravity”.  Just as you wouldn’t want to be on a plane whose designer failed to accommodate the effects of weight or friction, you wouldn’t want to be on a cybersecurity platform that fails to accommodate the Internet’s fundamental forces.

To build a cybersecurity foundation that will work now, and continue to work in a world exponentially faster and more connected, we must start treating cybersecurity more like a science.

When the internet began, it was built upon principles of game-changing speed and a deep understanding of the importance of connectivity.  Security and privacy were not needed for its first small group of trusted users.  Consequently, security and privacy have not kept up as the internet has matured. In fact, it’s the cyber adversaries—not the defenders—who have shown that they can master speed and connectivity to overcome security and privacy.

A useful analogy here is found in the scientific study of the Big Bang.

The (Digital) Big Bang

Billions of years after the creation of the universe, physicists and chemists study the Cosmic Big Bang’s fundamental elements and their interactions, in part to explain what things are made of and how they behave; protons naturally stay separated because they repel each other, but check out the massive amount of energy that results from protons that get fused!

In the same vein, we can take on the mindset in cybersecurity to look at the birth of the digital universe and attempt to understand what is driving it forward.  Consider these facts:

  • It took just 50 years from the beginnings of the internet for the explosive forces of digital speed and connectivity to transform society from the Industrial Age to the Information Age.
  • 90% of all the data ever created was generated in the last two years.
  • The internet itself—a vast and hyperconnected data transmission system—now creates 2.5 quintillion bits of data per day. That’s a number with 18 zeros.

How do we make sure that information is kept separate (à la protons) but that, when it’s authorized to be combined (fused), massive amounts of efficiency or effectiveness are achieved?

Our opportunity is to describe how the Digital Big Bang progressed over time, understand its significance and do something smart and productive about it.

The Origins of the Digital Big Bang

The internet has its roots in the desire to communicate at unheard-of speeds and to share computing and information resources.  This prototype internet served as a communication platform for a tightly restricted group of specific users.  What the internet’s creators got right were speed and connectivity—the digital big bang’s equivalent of matter and energy.  But they assumed there would be a shared sense of trust.

The Problem with Assumed Trust

It wasn’t until 1993 and the release of the first web browser that internet access became mainstream.  At that point, both the internet and its security—or lack of security—achieved greater significance.  The assumption of trust that was still deep within the DNA of the internet became a huge problem the moment the public could go online.  On an increasingly vast and anonymous network, that trust soon transformed from guiding philosophy to greatest weakness.

What came to be known as cyber-attacks soon followed, and the field of cybersecurity has struggled to catch up and compensate ever since.  For example, the lack of foolproof authentication haunts us in everything that’s done in cyberspace.

The Scientific Method

So, with the fate of the digital universe at stake, it’s time to borrow a page from the Scientific Revolution, which enabled humans to admit that we don’t know everything, and opened the door for scientific curiosity and inquiry.  Using these principles, we can launch a Cybersecurity Scientific Revolution by taking the following steps:

  • Acknowledge what we got wrong (e.g., authentication)
  • Implement steadily stronger strategies to become masters of the cyber domain
  • Replace outmoded assumptions and strategies with rigorous fundamental strategies that build up to advanced strategies
  • Acknowledge the weaknesses (and strengths) that humans bring to the domain, and leverage computers to compensate & augment them.

As digital connectivity – including cyber-physical interfaces (in the Internet of Things/IoT) – machine learning and artificial intelligence (AI) proliferate, it is more important than ever to treat cybersecurity as a science and a business enabler.  Not as a cost of doing business.  For example, on an airplane’s wing, friction actually helps increase lift, helping the airplane fly.  Cybersecurity should be viewed the same way.

In treating cybersecurity as a science, it will serve us well to keep in mind the connection between fundamental scientific principles and cybersecurity best practices.  What are the foundational primitives and rules that would have been beneficial to have at the beginning of the internet?  How can we create a better form of cybersecurity based on the nature of fundamental forces and accurate assumptions?

Embracing cybersecurity as a science can be an incredibly powerful and effective way to underpin innovation. It will enable us to focus on successfully leveraging the internet’s forces of speed and connectivity.

Making cybersecurity more scientific may seem like an audacious goal, but it is achievable with the right vision and engineering.  By doing so, we can further extend the power of speed and connectivity to thrive within the digital world.

A Winning Combination

If we hope to make cybersecurity more scientific, today’s solutions must be built to support and leverage the fundamental forces of speed and connectivity, and leverage the already-proven & emerging strategies.  As critical as these fundamentals are, though, they can easily be overlooked or forgotten by a digital culture that looks myopically to the near future, placing short-term gains ahead of long-term stability and sustainability.  Cybersecurity is a science—not an art.

At the same time, we need to stop expecting our network operators to continuously run ahead of ever-more sophisticated attacks.  You can’t outrun the speed of light.  Today, slow security is essentially no security.  Organizations can build their defenses with connectivity and speed, and go audaciously within the digital big bang.

About the author: Phil Quade, CISO, Fortinet