Cybersecurity does not get mentioned as one of the new transformational technologies of the 21st century because it has not yet made the transformation, but it is the technology in greatest need of a transformation. In fact, a complete paradigm shift may be required in the area of cybersecurity. I first began working on cybersecurity at IBM with a system called RACF on the mainframe in the ’70s. The current model of cybersecurity is based on the traditional model of building security—the ability to put locks on doors and make unique keys for the locks. The reality is that other technology transformations like big data, mobile computing, the Internet, and supercomputing (with speeds in the 10 petaflop capacities soon to hit 20 petaflops) are making traditional cybersecurity obsolete. The very concept of a truly unique, unbreakable key is being challenged. To think about this, you need to look at the industry-standard DES that was our first major attempt at using mathematics to create a truly unique key, and it worked extremely well for 25 years before it was broken. AES is considered state of the art today and has lasted for twelve years, but while some experts say it is unbreakable, others say that the NSA and the Chinese government have already broken it. And if the Chinese have broken it, then you can expect the Russians and the Israelis to have broken it as well. If they haven’t, with the combination of supercomputer processing speeds, big data, and the advancement in cryptanalysis, it is inevitable that it will be broken in the near future. The fact is that with enough computational processing power and a large enough sampling of data, any current encryption algorithm can and will be broken.

Furthermore, the problem is not limited to keeping attackers out! Attackers find open windows and back doors every day to get around locked doors and freely access the data as it is being used, unencrypted. The fact is that using current systems, attackers can find, and are finding, access to be a lot easier than breaking encryption algorithms. And we are making it easier every day to get inside with virtually unprotected access to otherwise fairly secure environments by allowing email, web browsing, social networking, smartphones and tablets to freely work from inside the cybersecurity perimeter. Each of these carries its own exposure. In fact, the NSA reported at the RSA Conference last year in San Francisco that there were 60 million known malware signatures and the number is growing by the minute. Yet even this does not address the full extent of our cybersecurity challenges. The very nature of ubiquitous mobile devices, interacting with other devices in an often transparent, seamless manner, creates a model of cybersecurity exposure that has never existed before. The very nature of always ON connectivity that users want is in direct conflict with the need for secure computing.

The problem of cybersecurity is further compounded by infrastructure changes like cloud computing. We are moving more and more systems out of private, secure data centers to be managed by others, in what, by definition, is a more open, more easily accessible environment – an Internet-based, shared infrastructure resource. The massive explosion in data volumes and sources, the change to e-commerce, the development of multiple Internets, and changes in identity and trust models all add new exposure and complexity to achieving trust in our cybersecurity solutions today. To make matters even worse, the FBI reported at RSA that cybersecurity breaches on businesses were up 250% in 2010 over 2009, and the trend continues to grow rapidly. Furthermore, the FBI went on to report that most attacks today on businesses and individuals are carried out by for-profit cybercriminals or are state-sponsored attacks. The model in the past was that most attacks were driven by curiosity, not criminal intent, and were perpetrated by high school and college students to see how smart they were. Now with the attackers being well-organized, well-funded, highly trained experts, the attacks become truly dangerous to individuals, businesses, and even to governments!

Our government shares the concern that cybersecurity has been transformed by the change in the attacker from just a nuisance into a national threat. President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America's economic prosperity in the 21st century will depend on cybersecurity.” (http://www.whitehouse.gov/cybersecurity). President Obama also wrote an article for the Wall Street Journal, entitled “Taking the Cyberattack Threat Seriously”.

Cybersecurity must become a transformational technology now before it is too late. The real challenge and therefore the transformation will come when we provide viable solutions that assume that the attackers have scaled the walls and run freely around inside the fort 24x7. While we will always work at keeping attackers out, we must accept that they do, and will continue to, find ways to let themselves in. The real challenge therefore is to transform the cybersecurity model itself to include the ability to keep the attacker from taking data with them as they leave!

© 2013 Jack B. Blount
