A Broken Industry - Changing the narrative of the 'war on cybercrime'
The world is at war, but not in the way most people think. While traditional conflicts rage from Syria and Yemen to Ukraine, a murkier war against cybercrime rages all around us.
This is a war in which every corporate network, personal device and piece of software is a potential battleground, and the casualties are measured (primarily, at least) not in deaths but in the cost to end-users and to the economic systems in which they work. It is a war in which the enemy combatants are not armies, paramilitaries or (necessarily) terrorist groups; they lurk in the shadows, and while their aims may be political, the monetary impact is where their campaigns are most keenly felt. A widely quoted statistic spells this out in terrifyingly plain English: cybercrime is likely to cost the world $10.5 trillion annually by 2025.
And yet, amidst this rising tide of cybercriminal activity, the defensive cybersecurity market continues to grow: MarketsandMarkets estimates it at $173.5 billion in 2022 and expects it to reach $266.2 billion by 2027, a growth rate of 8.9% a year over that period. Tens of thousands of cybersecurity companies across the world offer a variety of solutions, some aimed at solving specific problems and some (incorrectly) claiming to fix everything about your security tech stack. All the while, data continues to be stolen and cyberattacks continue to grow year on year.
What this cyber-industrial complex represents is a comprehensive failure to win the war on cybercrime, while the organisations overseeing that failure continue to make record profits.
A parallel failure
This failure of the war on cybercrime invites comparison with another total failure to complete a basic mission: the global war on illegal narcotics. Since the 1970s, governments around the world have spent trillions of dollars following the United States' lead in fighting a 'war on drugs', intended to stem the flow of illegal narcotics into Western nations from the large drug-producing regions of the Middle East and South America.
In the United States alone, this 50-year policy has cost over a trillion dollars and has achieved approximately none of its aims. Governments globally are spending more on drug enforcement than ever, yet drug use in the UK, Europe and the US continues to climb, and production, smuggling and the purity of illegal drugs coming out of South American countries are all rising to match that demand. In other words, the policies on which countless dollars have been spent have failed, just as our policies and technological responses to cybercrime have resolutely failed.
This is a bold comparison, but not an unreasonable one. The human cost of illegal drugs, and of the policies surrounding them, is more obviously deadly than that of cybercrime; the effects in our own industry are more insidious.
Economic instability, a pipeline (and a revenue stream) for further criminal activity, and the loss of data - one of our most valuable assets in a digital world - are all consequences of our failed war on cybercrime.
One thing is sure, however: both failures leave a vast criminal market unchecked. To give an indication of just how vast in the case of cybercrime, consider this: the highest estimate of the Sinaloa Cartel's annual profits is $39 billion. Set that against the $10.5 trillion figure above (which measures the cost to victims rather than criminal revenue) and by 2025 cybercrime will cost the world over 200 times what the largest Mexican drug cartel makes.
A radical rethink
If we have any hope of turning the tide in the war on cybercrime, a radical rethink of security strategy is needed at every level: individual, organisational and nation-state. This involves a range of approaches, including training and changes to organisational structures that give security teams greater standing within the business hierarchy.
More than this, though, a crucial step forward our industry can take is to work smarter with what we already have. Over 90% of the cyberattacks we see come from threats which are already known and have been mapped out by threat intelligence providers. This means security teams are failing to use the data at their disposal, in all likelihood because they lack the capacity to analyse, understand and act on all of the alerts they receive - and to do so in a time frame that does not allow attackers to outpace them.
One way to resolve this particular issue is to work with organisations that can aggregate and make sense of this threat intelligence: deploy trusted analysts and experts who work alongside internal security teams to identify, understand and remediate known threats at speed, before they become a security incident.
This is a major point which needs fixing, but it is still only one part of the puzzle: the entire approach to cybersecurity needs to change. Technological solutions can make a huge difference, but the tectonic shift needed to rebalance cybersecurity in our favour requires a cultural change as well.
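The two paragraphs above argue that most attacks use indicators defenders already hold, and that the bottleneck is turning feed data into a short, prioritised list a team can act on. The script below is an added example written for this article, not code from the author or from any threat intelligence vendor: it takes a small indicator feed and a handful of endpoint and DNS log lines (both constructed here, using documentation IP ranges and a placeholder hash), refangs the indicators, ages out stale ones so they stop generating noise, matches the rest against the telemetry, and collapses repeated hits into one ranked alert per indicator and host. The log format, field names and scoring are assumptions for the example; a real feed (MISP, OTX, a STIX bundle) carries the same kinds of fields.

```python
"""Triage telemetry against a feed of known indicators (added illustrative example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed indicator feed. Addresses are from RFC 5737 documentation ranges and the
# hash is a placeholder; none of these are real indicators. Feeds usually "defang"
# values (hxxp://, [.]) so that they cannot be clicked by accident.
INDICATOR_FEED = [
    {"value": "203.0.113.45", "type": "ipv4", "severity": 9,
     "last_seen": "2024-05-01T00:00:00Z", "name": "C2 beacon"},
    {"value": "evil-update[.]example", "type": "domain", "severity": 7,
     "last_seen": "2024-05-10T00:00:00Z", "name": "staging domain"},
    {"value": "198.51.100.7", "type": "ipv4", "severity": 4,
     "last_seen": "2023-01-01T00:00:00Z", "name": "old scanner"},
    {"value": "0123456789abcdef" * 4, "type": "sha256", "severity": 10,
     "last_seen": "2024-05-12T00:00:00Z", "name": "dropper"},
]

# Constructed telemetry in a simple key=value format (assumed for the example).
SAMPLE_LOGS = [
    "2024-05-15T10:00:01Z host=ws-17 event=dns query=evil-update.example",
    "2024-05-15T10:00:03Z host=ws-17 event=netconn dst=203.0.113.45 dport=443",
    "2024-05-15T10:00:09Z host=ws-17 event=netconn dst=203.0.113.45 dport=443",
    "2024-05-15T10:01:00Z host=srv-02 event=netconn dst=198.51.100.7 dport=22",
    "2024-05-15T10:02:30Z host=ws-04 event=process sha256=" + "0123456789abcdef" * 4,
    "2024-05-15T10:03:00Z host=ws-09 event=dns query=intranet.example",
]

# Fixed clock so the example is reproducible.
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)

# Which log field carries which kind of observable (assumed mapping).
FIELD_TYPES = {"query": "domain", "dst": "ipv4", "sha256": "sha256"}


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def load_indicators(feed: List[dict], now: datetime, max_age_days: int = 90) -> Dict[Tuple[str, str], dict]:
    """Index usable indicators by (type, value), dropping any not seen within max_age_days.

    Stale indicators are a major source of alert noise; ageing them out is the
    cheapest 'work smarter' step a team can take.
    """
    cutoff = now - timedelta(days=max_age_days)
    index: Dict[Tuple[str, str], dict] = {}
    for ioc in feed:
        last_seen = datetime.fromisoformat(ioc["last_seen"].replace("Z", "+00:00"))
        if last_seen < cutoff:
            continue
        index[(ioc["type"], refang(ioc["value"]).lower())] = ioc
    return index


def parse_log(line: str) -> dict:
    """Parse 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


@dataclass
class Alert:
    indicator: str
    ioc_type: str
    name: str
    severity: int
    host: str
    count: int
    first_seen: str
    last_seen: str


def triage(lines: List[str], indicators: Dict[Tuple[str, str], dict]) -> List[Alert]:
    """Match every observable in the logs against the index and return one alert per
    (indicator, host), ranked by severity, then by how often it fired."""
    hits: Dict[Tuple[str, str, str], Alert] = {}
    for line in lines:
        ev = parse_log(line)
        for field, ioc_type in FIELD_TYPES.items():
            if field not in ev:
                continue
            value = ev[field].lower()
            ioc = indicators.get((ioc_type, value))
            if ioc is None:
                continue
            akey = (ioc_type, value, ev["host"])
            if akey in hits:  # repeated beacon: count it, do not raise a new alert
                hits[akey].count += 1
                hits[akey].last_seen = ev["ts"]
            else:
                hits[akey] = Alert(value, ioc_type, ioc["name"], ioc["severity"],
                                   ev["host"], 1, ev["ts"], ev["ts"])
    return sorted(hits.values(), key=lambda a: (-a.severity, -a.count, a.first_seen))


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS, load_indicators(INDICATOR_FEED, NOW)):
        print(f"sev={a.severity:2d} {a.name:<15} host={a.host:<7} hits={a.count} {a.indicator}")
```

Run as-is, the six log lines collapse to three alerts: the dropper hash on ws-04, the C2 beacon on ws-17 (two connections, one alert) and the staging domain on ws-17. The connection to the year-old "scanner" indicator never surfaces because the feed entry has aged out, and the internal DNS lookup matches nothing. That reduction, from raw matches to a short ranked queue with stale noise removed, is what "working smarter with what we have" looks like in practice.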