New Year’s Blog – Predicting Trends in CyberSecurity

by Norman Johnson

This blog is dedicated to Senator Daniel Ken Inouye, a true visionary for the nation and Hawaii, and by making those visions come true, made the world a better place for us all.

This is the time of year when the cyber pundits enter the 2013 lottery by making predictions for the new year, such as the next malware exploits, what the Obama administration will do in the second term (guilty - see the Obama blog), or what the next super threat will be (guilty - see the mobile-botnets blog). It’s a lottery because prediction is an almost impossible task when the system has an adversary and defender each trying to outwit the other. The resulting dynamics are much like the stock market with rapid, unexpected, and unpredictable changes. Each year with so many predictions, one “expert” might win the lottery and get it right, but few pundits are successful year after year, because they are trying to predict specific events or exploits that are inherently random.

One of the brilliant discourses on prediction is the introduction of Peter Drucker’s Age of Discontinuity, published in 1969 on the coming information age. This book was written before the arrival of personal computers or networked information systems. And yet, in the book Drucker accurately predicted the next four decades of the new information age and economy, and he’s still on track.

“The new emerging industries . . . embody a new economic reality: knowledge has become the central economic resource. The systematic acquisition of knowledge . . . has replaced experience . . . as the foundation for productive capacity and performance.”

In each of the three editions published about a decade apart, he noted that his predictions are on track and no changes are required. Few can do that for two years, let alone for forty years, during a time of rapid change across all sectors of society comparable to the industrial age. His secret? In the introduction, he argues not to predict specifics but to predict trends that will be fulfilled by specifics; specifics are unpredictable, whereas trends are not. So while the pundits are prophesying 2013 malware (mostly mobile by the way), in this blog we’ll look at the cyber security trends that will produce the specific technologies, legislation, or programs in the next years and maybe decades.

Following Drucker’s advice on how to look into the future, we want to identify major trends in information systems and cyber security that will shape the choices of specific technologies. To guide us in identifying these trends, we start with an analogy between cyber defense from intentional and unintentional threats and public health defense from manmade bioweapons and natural threats. Let’s start with a quick review of public health over the ages. 

In Western society prior to about 200 years ago, public health was pretty bleak. Society became physically connected by transportation or collocation, particularly in cities, and social disease was a way of life with epidemics wreaking havoc in all sectors of society. Occasionally, really big epidemics like the plague or pandemics would rattle around the world until they ran their course, killing millions. In daily life, an individual might unexpectedly succumb to an infection or disease from a minor injury, exposure to a sick person, or even from the medical practice itself. And the best way of reducing risk, particularly during a major health scourge, was to isolate one’s self from the masses. Elites particularly could sequester themselves to survive during major epidemics.

This bleak life of uncontrollable infections was accepted and “normal.” Today, we’d consider it a substandard life, but only because our current norm is much better. The shift away from common, uncontrollable disease outbreaks started about 150-200 years ago as a result of two intertwined shifts shown in the figure: 1) individuals, groups and society developed and lived better health practices, such as personal hygiene, clean sources of food and water (e.g., using water treatment), and healthier living environments (e.g., waste treatment), and 2) healthier medical practices were developed, rather than the counter-productive practices that often made an illness worse (e.g., bloodletting, chemical purges or congregating for mass healings which only spread infections). In addition, from the mid 1800s, vaccines began to reduce the susceptibility to some diseases, resulting in amazing feats such as the worldwide elimination of smallpox or the reduction of polio. These improved public health responses and practices resulted in lives that were mostly disease free on a daily basis, although there would still be an occasional unstoppable epidemic, such as the pandemic flu of 1918.

The next stage in public health started about 50-60 years ago and continues today, shifting from a responsive to a proactive system, particularly as a result of advances in detection and response, including improved surveillance methods, faster development of prophylactics (e.g., vaccines), and better public health infrastructures. Many of these changes occurred because the prior empirical approach to protection and response was replaced by a science-based approach, particularly with a scientific understanding of the threat-host interactions, which describes how bugs avoid detection during entry, how they attack the host, and how they subvert the host resources to their own purposes. We will return to this advancement in public health in the next blog.

In reading the above description of public health, did cyber public health come to mind? Most of us currently live in the equivalent of the public health world of 200 years ago: a cyber-world of relatively constant threat of cyber disease, largely because individuals and the community do not practice basic personal “cyber-health” that would make everyone safer. These practices include personal hygiene of updating software and patches, limiting unhealthy practices such as opening documents from suspect sources, and using prophylactic software to eliminate most infections. They also include avoiding responses to threats that make the problem worse, such as forwarding an infected email attachment warning the receiver of a new threat! Furthermore, we are missing basic sanitation practices that could keep public resources “clean” from the common threats. Finally, the onus of cyber public health falls on the individual and groups, and there are few state and federal infrastructures that aid and enforce public health.

Some of you may take exception to the comparison of bio and cyber, arguing that cyber systems are fundamentally different from biological systems. For example, the time scales of infection are drastically different. Because cyber hosts and networks are rapidly increasing their processing and connection speeds, unlike human hosts and immune systems that are unchanged in the last 1000+ years, cyber threats can spread around the world in less than a second. While true, our ability to respond has equally increased in speed, so the relative timing differences between defense and threat remain similar. Another major difference is the absence of mutating threats in the cyber world, unlike biothreats that are constantly exploring new attack vectors, independent from manmade threats. It probably is only a matter of time before this difference ceases to exist – already some cyber threats are modifying their coding to avoid detection and new threats are accidentally emerging from combinations of old threats. It won’t be long before cyber threats are self-mutating and using Darwinian selection to outwit the defender. In the next blog we’ll dig deeper into how the cyber and bio systems are more similar than most people think.

So just from the above biological and cyber public health comparison, we can predict what major trends will be over the next years and beyond.  Major changes will take place on three cyber health fronts: personal and group, federal programs, and the science of cyber health. 

Trend of increased personal and group cyber health. This will largely be a behavioral change of users and providers to make best practices for cyber health a routine. Most people already know what to do, but there isn’t personal motivation or peer pressure to change unhealthy practices. So the major trend will be a shift in attitude where the cyber citizen will practice these behaviors or be treated as being un-cyber-civilized by their peers. A parallel is drinking and driving, which in some countries is a non-existent problem, largely because it is enforced by social pressure. One caveat to this predicted trend is that much of cyberbehavior is hidden from peers, so there is less opportunity for peer pressure. But the same was true for bio systems before we congregated in cities. As we connect more in the cyberworld, more of our actions will be visible to our peers, if not the public. Although the shift will largely be in behavior, technologies will be developed to aid the shift to better personal and group health practices, such as software that reminds us of unhealthy practices or technologies that help us practice cyber health more easily and effectively, such as development software that is health-savvy and prevents introduction of vulnerable coding.

Trend of increased federal programs for cyber health. Just as for bio-public health, the government must develop programs and infrastructure that support cyber public health. In addition to increased regulation and certification that we covered in the earlier blog on the likely cyber initiatives in the second Obama administration, the government will provide infrastructures that support cyber public health, in the same way that we currently have air, water, food and sewage infrastructures and regulations for bio-public health. Many conservatives are resistant to federal involvement because of the increase in government regulations and spending, but few of those same naysayers would want to turn back the clock on similar public health legislation, programs and regulations that provide safe water and food. How this trend will be realized is a detail, but one obvious possibility is that the blocking of threats will get pushed to the distribution networks rather than at the terminus of organizations and users, which in turn means greater federal involvement in the information infrastructure. Another aspect of this trend will be the development of interdiction, anticipation, global monitoring systems, custom restrictions, treaties and forensics that promote cyber public health or limit certain threats. This is similar to how other threat areas (bio-chem-nuclear) have pushed preparation and response options just before or after an attack to large federal and international programs that limit the development and long term impact of these threats, such as treaties for the control and monitoring of high-risk materials or federal decontamination and recovery programs that help organizations and the public after a major disaster.

Trend of new science resources for cyber health.   The two prior trends can largely occur without advances in the understanding of cyber threats.  They require mostly applying what we already know from experience.  But just as for the final stage in bio-public health shown in the figure, the removal of certain classes of threats requires a system-level understanding of threats and their hosts.  Because this is a large area of advancement and many existing bio-resources can help in the transition, we’ll devote the entire next blog to this topic.

Hopefully the above discussion provides some optimism that better cyber health can be achieved in the future, and shows how it will require a coordinated commitment to private and group cyber health with government legislation and programs. The good news is that because we have done it before, we won’t have to wait 200 years to get to the same place for cyber health that we are today for biological-chemical-nuclear threats!

–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

If you want to read more about using experiences in public health for cybersecurity, see the following references and the citations contained within them. In the next blog we will share our own perspective on maturing cyber security by using public health experiences and technologies.