Are the good guys and girls winning the cyber wars or are we slipping behind as cyber-battles become more of a competition between AI systems rather than human hackers and defenders?
Panellists on the session were first asked whether we were winning or losing the cyber wars so far, and Assaf Mischari, Partner and the Head of Research at Team8, a company-building venture group based out of Tel Aviv, Israel felt attackers were favoured over defenders at present.
“I am pessimistic,” said. “Unfortunately, I think we’re losing. There’s a gap between attackers and defenders and the gap is driven by asymmetries.”
Mr Mischari said some of the asymmetries in advantage between attackers and defenders had been known for a long time, such as attackers only need to be right once while the defence has to be perfect.
Attackers pay no price for failed attempts and they can buy defenders’ security products and train on them before mounting cyber assaults.
New trends also worry Mr Mischari such as the addition of automation and machine learning into cyber attackers’ arsenals.
“I think we have a bigger asymmetry coming in. Currently, advanced attacks are taking days, weeks, sometimes even months to create,” said Mr Mischari.
“Think about what happens when the attacker has the equivalent of an autonomous driving car that can do the entire attack in five minutes. Unfortunately, our defences are not built for five minutes,” he said.
Jonathan Fischbein the CISO at Check Point, a US-Israeli multinational provider of IT security products was less sanguine about the state of the cyber wars than Mr Mischari.
“In the big picture, I wouldn’t say we are losing, but we are definitely not winning,” said Mr Fischbein.
“We need to understand that there is a lot of capability and sophistication on the adversary side. Especially with nation states incubating the top knowledge of technology. This is a cat and mouse game and will continue to be so”.
Maj. Gen. (Ret.) Professor Isaac Ben Israel, Head of the Blavatnik Interdisciplinary Cyber Research Centre at Tel Aviv University is more optimistic about the course of the cyber wars. The cyber world is complex, Mr Ben Israel said, and the state of play is not binary in terms of winning or losing.
“I don’t think we are losing,” he said, especially if cyber is viewed more like everyday non-digital crime. Cybercrime is something we should reduce to a bearable level. It would be great to eliminate cybercrime, but no one hopes to achieve that in reality.”
Given that cyber security is about risk mitigation rather than complete threat elimination, what are the best practices for keeping organisations cyber safe?
To keep cybercrime constrained we need to move way beyond ticking compliance boxes, according to Nicholas McKenzie, Chief Security Officer at NAB.
“You need to go above and beyond to ensure your organisation is cyber resilient,” Mr McKenzie said. “This is an arms race we are dealing with.”
“You need to move on to the front foot and ensure that you’ve got new and innovative practices in place. At NAB we practice active defence which is a way of continually stress testing critical systems that support business operations through a threat led series of tests using red teamers and ethical hackers to understand and adopt the tools, techniques and procedures that adversaries are targeting us with.
NAB has recently initiated a bug bounty program, that exposes its internet facing systems to a number of highly vetted security researchers who can prod security holes and vulnerabilities like a malicious actor would.
“We reward the researchers when they uncover vulnerabilities. We are the first bank in Australia to do that and it is worth noting that that no customer data is shared as part of that process,” said Mr McKenzie.
Panellist Bianca Wirth, National Lead Director, Security Strategy & Governance at KPMG Australia accepts that small business often does not have the capital and the expertise to deal effectively with cyber security but highly recommends all that organisations first up put effort into understanding their critical security risks and prioritizing a mitigation approach.
“It’s about understanding and taking a risk-based approach to dealing with threats that are high priority and will cause your business the most pain. Ms Wirth’s other concern is to make cyber practice more human-centric.
“People are going to start rethinking how to do security better and we need a more human-centered design approach,” she said.
Panellist Abigail Bradshaw, who heads up the Australian Cyber Security Centre (ACSC) said many cyber attacks could have been stymied if people followed the Essential Eight cyber safety regime.
“At the ACSC, we promote basic cyber hygiene practices that start with patching and making sure privileged users are privileged users. Application whitelisting, configuring Microsoft Office macro settings are the sorts of basic hygiene practices, we promulgate over and over,” Ms Bradshaw said.
“They’re good for government and they’re good for everyone. When we look at successful exploitations, often those basic practices would have prevented or precluded the exploitation,” she said.
Meanwhile, future technology is approaching at high speed and the cyber realm will change as rapidly as every other technology area.
Panellist Yigal Unna, the Director General of the Israel National Cyber Directorate (INCD) believes the pace of change in cyber is only going to get faster and faster and defenders need to quickly build skills in the next generation of cybercrime defenders.
“The pace of change is just getting a tougher. It’s not about which technology is which, it’s more about how we prepare ourselves to meet these new challenges and how to a flatten the market and organise public and private sector connections to get fresh blood into the business on the white hat and ethical side,” said Mr Unna.
Professor Ben Israel believes the cyber battles of the future are going to be about attacker AI versus defender AI.
“Once the bad guys learn that we have AI in our machines protecting the networks they will develop adversarial AI to learn the way our machines are protecting our system and to deceive those machines. It’s AI vs AI,” said Professor Ben Israel.
On the positive side he sees a future where AI can detect and prevent zero day attacks before they happen.