Risk: Are complex cyber systems more or less risky?

After studying cyber risks to several systems, both complex and simple, two counterintuitive conclusions were pointed out to me.  You might be surprised--I certainly was.

Complex systems are safer--with one big exception.  The more complex IT systems are usually safer to an outside attack, primarily because designing the right exploitation that takes advantage of all the target's vulnerabilities is practically impossible.  Too many unknowns to make it work right.  In addition the people who design and use complex tools are generally smarter when it comes to these threats and build in protections.  One big exception (which I discussed in earlier post):  the human factor.  If your competitor has inside help then defeating complex systems is generally easier.  As a rule complex systems have more vulnerabilities which can be seen from the inside and as opposed to the outside.  A mole is particularly dangerous in this situation.

Simpler systems are more dangerous.  Less sophisticated systems are generally more vulnerable because the designers and users usually don't understand the threat environment.  This is an area of particular concern in emerging markets where IT may not be acentral a point in certain industries, at least when compared to more developed economies.  Keep this in mind if you work in these areas.  Know your threats when working with various systems.

War and business

With the growth of the state in modern times the overlap between the public and private sectors continues to worsen (from my point of view).  I have noticed this in my recent cybersecurity work, and two points worth mentioning.

Technology overlap.  Security agencies and the private sector frequently use the same companies and technologies for their respective missions.  Given the need that governments believe they have for state of the art technologies it was inevitable that they would take a keener interest in various technology companies.  Add this to the size of various governments (anyone have a bigger customer than the Pentagon?) and it should not surprise any of us that these agencies can call the shots in many large companies, affecting the products and services provided to the rest of us.  The change is subtle but can be seen.  Keep up on what governments are doing to see where these sectors which affect you are heading.

Interest overlap.  With the above point in mind a logical extension would be an aligning of missions for both security agencies and private sector technology companies.  Specifically, governments forcing companies to cooperate with them in their missions while conversely lending their capabilities to national interest companies.  Given the history of government support to companies in Europe, for example, should any of this surprise us?  Again, stay up on set of trends so as to not be blindsided by another somewhere important.

Choke Points

As I continue my projects on cybersecurity and cyberwar I keep coming across potential vulnerabilities throughout different organizations.  In an earlier post I discussed the human vulnerabilities to technical systems.  Today I look at unplanned technical choke points.  These are technological challenges that a system cannot foresee and therefore cannot process.  An example is searching data that changes.  It easy enough to look through text data for information (on market trends, for example) but what about voice and visual?  A couple of security points on this.

Pressure to fix it can leave you vulnerable.  If your company faces one of these problems then you will be under tremendous pressure to resolve it.  After all, if someone wants to study video for potential marketing information they want it now, perhaps because they believe their competitors are on to something.  This can lead to shortcuts which could leave you vulnerable to exploitation by those very same competitors.  Don't lower security procedures and remember that everyone faces the same choke points, even if the timing is different.

Don't lose focus.  Engineers don't like unplanned surprises like these choke points and non-technical managers tend to expect engineers to solve every problem.  Remember that these challenges are not core business competencies and will be dealt with.  In a couple of situations I have seen managers get overly concerned by frustrated engineers;  the analogy would be watching your doctor get confused with a medical procedure.  Not being medical experts we would be scared!  Don't be overly frightened by these situations.

Cyberwar: A scary word for a scary world

I have started a new project working on cyber threats for a variety of clients with potentially sensitive exposures via the internet.  This should be an interesting project as several fascinating points have already jumped out at me.

Everything can be at risk.  This sounds like stating the obvious, but not in the way you might think.  We all know about hacking and viruses.  What is not clear are the different ways your IT structure connects to the internet for updates and information.  For example, some software you may run may collect data from places not connected to the internet yet funnel it out during normal operations.  This is not an IT class; my point is don't be overly confident with what you know about your system and its vulnerabilities.  These systems are not static.

The great equalizer.  The internet allows smaller organizations to take down larger ones by acting as a force multiplier.  Large and expensive servers (or other devices) are not needed to bring down complex systems.  Your threats need not be similar organizations with similar resources, but may in fact be quite smaller and less sophisticated.

It ain't easy.   Hollywood aside, mounting a cyber attack is not easy and can rarely be mounted without human assistance.  The inside man, facilitating the technical attack, is clearly vital.  As such looking for potentially exploitable employees could be the key to avoiding these attacks.