What’s Wrong with a Digital Geneva Convention?

Listening to the calls for “vendor cooperation” and “to come together” from the RSA show last month was exciting, even invigorating, but I suspect for those in the trenches of security, something a bit more practical is necessary. And what better place to find that practical advice than the oracle of all wisdom — mom.

See, when my sister and I were a bit older than tots, we carried on that age-old tradition of sibling fights. And my mother, like all good mothers, would calm us down and encourage us to “kiss and make up.” Sound wisdom, but not for the reasons she thought.

I don’t know about you, but the mere thought of kissing my sister when I was a 10-year-old was enough to drive me batty; I’m pretty sure she felt the same. We had a far better approach to our struggles — yell, shout and bash each other’s brains (figuratively, of course) until the other would submit. Right? Probably not. Effective? You bet.

Geneva of a Digital Age

Sibling struggles might sound trivial compared to organizational security, but the answer to both predicaments is not all that different. Enlightened collaboration, unfortunately, is a rarity. Usually, collaboration, whether between children or nation states, occurs when neither party can “win” and both recognize there’s more value in cooperating than fighting.

Which is why the call by Microsoft’s president Brad Smith for a digital Geneva convention to protect users from nation states strikes me as a noble, but Chamberlain-esque, attempt to stop cyber warfare.

Smith noted in his keynote that the lack of international norms guiding nation state behavior on the Internet has led us into dangerous territory where nation states take action against civilians. The hacking of the US presidential elections is the latest example, but hardly the first. The massive hack of Sony’s PlayStation Network (PSN) in 2014 was also widely seen as a revenge attack by North Korea against Sony. In both cases, you and I were the ones left impacted.

“What we need now is a digital Geneva convention for cyberwar,” said Smith. He pointed out how the Red Cross was created in 1949 to protect civilians in times of war. “A new kind of Red Cross is needed, one to protect civilians at time of cyber war. We should protect customers everywhere and never allow or support anyone to attack them.”

And what better place to start protecting civilians than in their home. In the subsequent keynote, Christopher Young, senior vice president and general manager of Intel Security, argued that while many focus on the cloud as the next threat vector, he saw the home as the next frontier.

It’s not just that our users increasingly work from the home. It’s also that homes house new, more powerful devices that are being used to launch attacks against us. The Mirai botnet that launched the DDoS attack on Dyn’s DNS, for example, used home routers, cameras and other IoT devices. The botnet still exists and is actively recruiting computers. Helping to secure the home and its devices against botnets like Mirai helps protect the enterprise from attack.

And lest you think the Dyn attack was an anomaly, Young showed the result of a little experiment Intel ran. His CTO wanted to know the risk of new devices being recruited for a Mirai attack. So the Intel team dropped a DVR honeypot onto the Internet. Within seconds the DVR was recruited by the Mirai botnet, from across the globe no less.

For years we tried to protect our devices and assets from attack, but increasingly it’s our devices and assets that are being used to attack us. Our increasing reliance on big data analytics, for example, means that we need to pay attention to small “bad” data being inserted into our decision making process. Whether it’s “fake news” in an election or skewed results in a dataset, manipulating data can undermine our decision making process. “The devices we protected have become weapons for attacking us,” said Young. “The target is now the weapon.”

Treaties Are Not The Answer

As much as I want nation states to honor a treaty on cyber activities, I’m about as confident in the success of such an agreement as I am in two 10-year-olds agreeing not to fight — until the next time. If North Korea or Iran are willing to risk war with strategic weapons tests, why would we think they would be any more willing to abide by an agreement to cease cyber hostilities?

Smith’s analogy to the Fourth Geneva Convention is telling. It was inspired by the public’s horror over the crimes committed against civilians during the Second World War. On the surface, that sounds like our situation today: we’re collectively concerned about the impact cyber warfare may have on everyone’s lives.

But what Smith did not mention was that the Fourth Geneva Convention only came about after we won the war and decimated our enemies. Only then could we create a new article in the Convention. By the same logic, we must once again win the war against our enemies before we can hope to rewrite the ground rules of cyber defense.

And let’s not forget that as much as we would like to focus on cyber warfare from nation states, they’re not the only source of our problems. We can’t ignore the fact that so many of the cyber attacks we’ve faced are criminally, not politically, motivated. In his keynote, David Ulevitch, the founder of OpenDNS and vice president of Cisco’s Security Business Group, pointed out how the San Francisco Transit Agency was hit with a ransomware attack not from a nation state but from commodity ransomware run by an attacker armed with little more than a script. A digital Geneva convention will not address these sorts of attackers.

So I applaud Smith’s efforts and enthusiastically encourage the information sharing and collaboration Young went on to highlight in his keynote. But at the risk of raining on the parade, I think we have to ask ourselves: how are small to medium enterprises (SMEs), often with limited budgets and in-house engineering expertise, going to protect their users today?

Tactical Steps

At least part of the answer can also be found in the keynotes. During his keynote, Dr. Zulfikar Ramzan, the chief technology officer at RSA, highlighted the importance of simplifying your security infrastructure. “I was talking to one chief information officer who has 84 security, 84. How do you manage all of those vendors? How do you justify a return on investment for each one of those vendors? You can’t. Consolidate your vendors,” he encouraged.

Ramzan wasn’t alone in pointing out what we already know to be the crux of so many of our security problems – networking and security complexity. Our penchant for solving networking and security challenges with best-of-breed appliances has undermined the very infrastructure we sought to improve. “Our security works in silos,” the “silo problem,” as Ulevitch put it. “We have 50 security devices in our network, and that’s causing complexity.”

Each new appliance we add to our networks becomes one more bit of that complexity problem. So often conversations about appliances reduce to the capital costs. But over the longer term, capital costs are insignificant relative to the larger operational costs incurred with new appliances. In fact, even if appliances were free, deploying them would not be a good idea.

Visibility becomes more fragmented; troubleshooting proportionately more difficult. As more appliances enter the fray, IT has more devices to maintain, patch, and upgrade as attack vectors evolve. Heterogeneous networks have given us buying potency, but operational impotency. We can purchase from many vendors, but in so doing we constrain IT visibility and agility.

Simplifying Networking and Security in the Cloud

Integrating security appliances is the common approach touted by large security vendors, but that only perpetuates the sizing and scalability problems inherent in appliances. The resulting architecture ends up being too expensive and unpredictable for many organizations. The more devices that NAT, the more end-to-end encrypted sessions we run, the less visibility we have into our traffic.

The answer – we at Cato believe – is to remove the complexity from the equation. Network+Security as a Service (N+SaaS) moves all security, routing, and policy enforcement into a multi-tenant cloud service built on a global, privately-managed network backbone. Gone are the separate networks and the myriad networking and security appliances that brought complexity to the enterprise.

Instead of a wide area network for connecting offices, a mobile Internet infrastructure for mobile users, and the Internet connections for cloud access – organizations should collapse their networks onto one high-performance network. Rather than routers, WAN optimization appliances, firewalls and the rest of the security stack in each office, enterprises should shift their networking and security stack into what Ulevitch called “the secret weapon” of the enterprise – the cloud.

By properly leveraging the cloud, SMEs can adapt, iterate, and fix problems far faster than was possible on premises. The costs of running an advanced defense — threat intelligence, advanced security expertise, and more — become a service provider problem, amortized across many companies.

“The cloud gives us unlimited compute, storage, analytics,” he said. “In the past the bad guys had unlimited resources and unlimited time while we, the good guys, couldn’t match that. Today the cloud opens a new opportunity and we can use it to overcome the attackers.”

With one ubiquitous networking and security cloud resource, we eliminate the complexity exploited by attackers. With networking and security integrated together in the cloud, we’ve positioned the kind of automated, intelligent defense long sought after by IT.

That’s how we defend ourselves and that’s how we start to defeat the scourge of cyber warfare.