What organizations can learn from the world’s top spy agencies to thwart cyber threats
Intelligence and security agencies have sought to safeguard their computers and networks with new tactics aimed at keeping their secrets, well, secret. Commercial organizations could benefit by learning more about what those agencies have accomplished. Companies, after all, stand to lose business when compromised integrity and availability result in malicious financial transactions, the theft of customers’ personal data, abandoned purchase opportunities, the switch of an automated manufacturing plant’s operations from “on” to “off,” and so on.
In addition, legislation such as the EU’s General Data Protection Regulation (GDPR) has increased the stakes for the defense of data. What enterprises once viewed as a luxury is now a necessity.
Thus, corporate leaders should seek to have conversations with their intelligence agency counterparts about best mitigation practices. This seldom happens, often because of the guarded nature of the latter’s profession. If these discussions occurred more frequently, however, the private sector would discover more about emerging strategies that are gaining traction because of their proven success:
Isolation. This places users in an isolated environment in which they can browse potentially risky data sources, emails and websites. If malware compromises that environment, the damage is contained: the isolation ensures that the malware has no access to sensitive systems or data outside the isolated area, and the user’s actual endpoint remains secure.
Security testing. It is widely believed that intelligence and security agencies isolate their most sensitive systems using an “air gap” – ensuring that systems are not physically or electrically connected to riskier systems like the Internet. That used to be true, but it’s an approach that’s unsustainable in today’s hyperconnected world. These days, sensitive systems are connected, even to the Internet. So how is isolation preserved?
The answer is that when connecting sensitive systems, system owners set stringent security criteria and commission in-depth security testing to determine whether the technologies used for the connection meet those criteria. Very few commercial products are able to pass such security testing – not surprising, since the industry is geared to sell to commercial customers who do not demand it.
Of course, nation states have levels of resources for security testing that are not realistic for any given commercial buyer. But if buyers were to band together – even just within a single sector – to require this type of testing as part of their technology buying decisions, they could deploy security systems that were actually secure, rather than security systems that sound good in the marketing literature but won’t actually stand up to tomorrow’s sophisticated cyber attacks.
Hardsec. Building technology that can pass such security testing is not a simple feat, especially when relying on software. We have benefited for decades from the remarkable flexibility of software running on a CPU. But this same flexibility has led to complex systems in which simple bugs can become vulnerabilities with limitless impact. The very power that allows us to “do amazing things” with software merely by giving it instructions is also the power that allows attackers to substitute their own instructions and sabotage a computing platform.
Originating from the U.K. government security community about a decade ago as an alternative architecture, hardsec uses hardware to tackle the growing challenge of cybersecurity, as opposed to the usual software- and monitoring-based approach. Instead of CPUs, it deploys Field Programmable Gate Array (FPGA) integrated circuits, which can only be reprogrammed through specific physical FPGA pins. This enables IT teams to restrict – by physical hardware design and implementation – who can reprogram the FPGA to those with access to a well-protected, privileged management environment. Attackers are kept from reprogramming it because they cannot physically transmit data to those pins.
In contrast to complex and flexible software-based tools, which give cyber adversaries abundant opportunities to exploit, hardware is comparatively simple and narrow. Unlike software, it does not eagerly respond to new commands. It is “too stubborn to hack” because it does only what it was originally told to do, and nothing else.
Through the ages, intelligence and security communities have protected their information well. The human-enforced stewardship of what was “secret” and what was “top secret” worked for the most part because, if the adversaries wanted it, they had to physically get to it.
Yet, fast-forward to the digital age, and we find that our foes have far greater means and latitude to get to the data they target. It is, indeed, a different era – one which requires a different response. Our businesses may not have “secrets” in the way that intelligence and national security agencies do. But by isolating sensitive IT environments and only connecting them using systems (such as those built on hardsec) that pass stringent security testing, we can counter any “new moves” our foes have in mind, and keep our systems and our data secure not just against today’s attacks, but against tomorrow’s as well.