How did we build the internet and not secure it?
By David Jemmett, CEO and Founder, Cerberus Sentinel
Many people are under the impression that the internet is essentially safe and secure. We use the internet daily for email, shopping, and social interaction. We depend on it for such essentials as our medical records, finances, homes, cars, schools, and power grid. All are reliant on the endless interconnected computer networks that we call the internet. The internet is an existential mass network that touches every aspect of our lives. The truth is that the internet is not secure, not even close. The reasons for this are multi-faceted, complex, and yet in some ways very simple to understand.
We built it open
The Advanced Research Projects Agency network (ARPANET), under the auspices of the U.S. Department of Defense, was originally designed as a military network to interconnect missile silos with enormous redundancy. Initially ARPANET was created in 1969 for only military use. It was expensive to operate, so it was distributed to universities that worked on government projects. Ultimately, it was transitioned to what we now call the commercial internet.
This was unlike the network in China, which was initially built to contain all data by going through the government portal then distributed throughout the country to their population. The Chinese served as the data gate and guardians. The U.S. network was rolled out all over the world and was built to be an open and redundant architecture for anyone to communicate. It grew fast and changed the world.
The internet also was built with the altruistic purpose to share information and open borders around the world. It was meant to connect people and information digitally, the way a nation’s highways, toll roads and streets connect us physically. In fact, in the mid-1990s, it was known as the “information superhighway.”
It grew fast
Few people understood or appreciated the potential behind the early internet. With the release of the first web pages and web browsers, people were able to buy products, and email began to replace fax machines. Soon, everyone who knew or understood what it could do wanted to connect, and they did.
The thought of helping companies become secure was not a priority. Building and expanding the reach to the digital doorway of connectivity was the goal. Security was often added as an afterthought and optional, leaving many opportunities for bad actors to take advantage of an unsuspecting, naive audience. As the internet grew, many hackers went from being from being curious digital explorers to become professional criminals focused on financial or political gains.
Wall Street financed the growth
Since the mid-1990s, investors have poured trillions of dollars to expand the growth of the internet. As of February 2021, the 10 largest internet companies have a market cap of over $4.4 trillion. Companies were financed to expand the reach of the internet into all parts of the global economy and rewarded with rich valuations. The term, “build it and they will come,” became very popular. Capitalism incented the rapid expansion until the entire economy became an Internet of Things (IOT).
False perception: Little return on investment (ROI) for security
Unlike other technology budget items C-level executives are asked to make, it is challenging to calculate a ROI for cybersecurity. Since it is difficult to approve a negative spend on an intangible line item, and no amount of expense can guarantee a network’s safety, it is often all too easy to put off security spending. This complacency can lead to reduced protection, increasing the likelihood of an opportunistic attack on what cyber miscreants will see as a soft target.
When a company decides to invest in a cybersecurity solution, it may seem easier to go with a brand name or well-known product. Leaders today do not see cybersecurity as a risk, because it is an unknown or most times do not understand it. When executives finally realize it is a possible threat or they have been breached, they immediately reach for help and want a known entity to solve the problem. In reality, many of the most seasoned cyber professionals — those that can best help secure their networks — operate their own relatively small consultancy and are off their radar.
Missing: culture of security
Few outside the relatively small world of cybersecurity truly understand the real risks or are even aware of them. Many individuals and even business leaders think that they are generally safe online. Believing that by avoiding “bad” websites and not clicking on obvious phishing emails, they are relatively secure. We have faith in our institutions and IT teams and believe they will protect us. While IT professionals are experts in their field, they often lack the training and practical experience to compete against highly motivated cyber criminals. While some IT professionals are experts at building and maintaining networks, some do not think like a criminal or how someone from the outside might enter their network. They may be experts at IT, but they may not be the most qualified to protect their environments from external threats.
Unfortunately, some in IT may miss that the networks they helped design have security flaws. Further, there is an end-user population that has spent the past two decades with little to no concern about the risks of the links they may click on or files they download.
Bitcoin makes hacking profitable
The proliferation of cryptocurrencies, primarily bitcoin, has made it even easier to monetize cybercrime. Previously, hackers could easily access networks and valuable intellectual property, but most were lone wolves seeing if they could “crack a network.” Bitcoin makes it possible to transfer large amounts of wealth anonymously, attracting well-funded criminal organizations and state-sponsored cybercriminals. With the convergence of the dramatic growth of the internet, cyber thieves have seen a way to monetize industrial hacking that has created an explosion in criminal activity. According to research conducted by Cybersecurity Ventures, cybersecurity experts have predicted that cybercrime will cost the global economy $6.1 trillion annually by 2021.
Events of 2020
The global pandemic has created more awareness of the importance of cybersecurity. While it has likely been true for several years, many CEOs now realize that their company’s networks are far more important than their physical office space. The breach of SolarWinds and FireEye has increased the awareness that no single security product is going to keep a network completely secure. In fact, security products can be weaponized against their users, exploiting a false sense of security.
The Talent Gap
Despite the wake-up call of 2020, the human capital to manage these risks can be insufficient. Since 2011, there has been a near zero-unemployment rate in cybersecurity. The 2019/2020 Official Annual Cybersecurity Jobs Report. Current estimates show that there are over three million open cybersecurity positions that cannot be filled. We are just beginning to train the next generation of cyber professionals. The challenge: cyber crime is expected to grow to $10.5 trillion by 2025, which would represent the largest transfer of wealth in history.
The Path Forward
With so much risk at stake, we need to make cybersecurity a priority. We must increase awareness of the importance of securing the very fabric of our communications and network. It is incumbent upon businesses and individuals to acknowledge that attacks occur daily. Good security hygiene needs to become de rigueur.
A cyber attack in the digital world can be just as catastrophic as Pearl Harbor. This is reality, and it’s a real concern. Some believe the SolarWinds attack was just such a disaster. Regardless, it was well planned and orchestrated, but we may have not seen the full impact and damage yet done.
We can and must rise to the challenge of securing the network we have entrusted with our most valuable assets. More importantly, people must be empowered with information and tools to keep themselves safe. We must create a culture of security.
About the Author
David Jemmett is the CEO and Founder of Cerberus Sentinel (OTC: CISO), an industry leader in Managed Cybersecurity and Compliance (MCCP) services with its exclusive MCCP+ managed cybersecurity and compliance services plus culture offering. The company seeks to expand by acquiring world-class cybersecurity talent and utilizes the latest technology to create innovative solutions that protect the most demanding businesses and government organizations against continuing and emerging security threats.
As an industry innovator, Jemmett has more than 20 years of executive management and technology experience with telecommunications, managed services, and consulting services. He has specialized expertise in healthcare, HIPAA, and governmental regulations, and he has been intimately involved in designing, building, re-vamping, and/or managing networks and data centers worldwide.
Jemmett has spoken before both the U.S. Congress and Senate Subcommittees on Telecommunications and Internet Security, and he has shared his expertise on broadband networking technologies as guest speaker on CBS, CNN, MSNBC, and CSPAN.