My grandfather was a simple man without a formal university education, but he had wisdom. The world has not changed in many ways since his day. Today the world is profoundly similar although new risks exist that he never imagined. He was very vocal on professing safety to his precocious grandson, who seemed hell-bent to own fast cars and motorcycles. He used to say, “if you can imagine it, you can prevent it.” That is sage advice. Non-natural disasters are not accidents; they are preventable. Consider only a few from the past 40 years, Chernobyl, Three Mile Island, Corona Virus, Boeing 737 Max, and data breaches. All were preventable.
A recent Cisco survey reported that 71 percent of Americans are worried about having their personal or financial information hacked. Sixty-seven percent of Americans are concerned about being a victim of identity theft. 1.76 billion records have been stolen or leaked in 2020 alone.
In my grandfather’s day, data was just numbers and letters. Today, data is who we are. It reveals our behavior, character, loyalties, secrets, and intentions. In the wrong hands’ data becomes a weapon, betraying its owner. Our challenge as a cybersecurity industry is to restore confidentiality, save lives, ensure privacy, and promote national prosperity. To achieve our goal, we must understand the motivations and economy of cybercriminals.
The single most massive unified threat against the United States is China. They openly acknowledge their unabated aggression to compete and win in the digital economy. From their perspective, they are not stealing our data; we are giving it to them! But China is not alone in this economy. Russia and other international cybercriminals see our data, lack of privacy, and lack of security as their source of income.
In December 2019, the New York Times used cell phone data to track President Donald Trump in Florida when he was with Japan’s Prime Minister Abe. All members of the President’s Secret Service protection and advance team are known. The critical point is, all data is essential, has value to someone, and that data needs permanent protection by its owner.
After every data breach, a panel of experts investigates and publishes their findings and recommendations. Not surprisingly, the experts find what they are looking for. The root causes are always network defense failures and failure to stop data exfiltration. Most of us casually agree with them, persisting in clinging to our bias that the defense always loses. After all, the adversarial offense has the advantage – time to prepare, time to attack, method of attack, point of assault, and stealth. The victimized defense is incapable of protecting its broad attack surface entirely 100% of the time. Advantage offense!
- 2015 – US Office of Personnel Management data breach exposed personal information of nearly 26M people, including biometrics, security clearances, and financial data.
- 2018 – US Postal Service lost 60M customer records (1/5th of the US population)!
- 2 Feb 2020 – FBI arrests Raytheon Missile Systems engineer after giving laptop with sensitive missile defense technology to China
- 10 Feb 2020 – US Department of Justice charged four Chinese military officers for the $800M Equifax hack
- Feb 2020 – 1100 open FBI investigations of China digital espionage
The good news is we have reached a tipping point, and the advantage is moving to the defense. A new data protection market segment is emerging that is focused entirely on self-protection. Less than 15 years ago, cloud computing was universally rejected as an immature and insecure computing concept for the Federal government. Today, it is the preferred secure computing solution, even for our nation’s most highly classified data. Similarly, after a decade of research, self-protecting data technology has demonstrated that data breaches can be prevented by doing more than straight encryption (i.e., denying unauthorized access). This new technology is capable of actively equipping files, messages, and physical hard drives to independently defend themselves from exploitation without any external defense. This means that the penalty to the criminal will exceed the value of the data – and they will look for softer targets.
As this technology achieves ubiquity in every application, mobile device, and web service, the soft targets will begin to disappear. The promise of this new market segment is the restoration of privacy, security, and national prosperity for all.
This new market segment promises to achieve two disruptive changes to the entire cybersecurity market. First, it will no longer matter if data is stolen because the data can protect and defend itself according to pre-programmed defensive measures. Second, the cost of data protection will be less than 1/1000th the cost of current data security approaches. CISO’s, CTO’s and CFO’s love to hear those words, but their Board of Directors and insurers are even more thrilled by their reduced risk exposure.