Speed and Scale

News about ransomware gang takedowns and ransom recoveries makes for great headlines, and the way some people talk you’d think we had this ransomware thing licked. But while these are certainly “wins,” they’re not really having a noticeable impact, and if we keep going at these issues in a plodding, ad hoc, linear fashion they absolutely won’t.

Not that long ago, botnet takedowns were receiving similar levels of attention. I was lucky enough to be a part of some of these actions. Nay-sayers at the time said there was no real impact because replacements popped up so quickly. I was inclined to agree, but argued that the value of such actions would be realized once more people could do them, and do them more often.

Botnet takedowns required a lot of challenging legal legwork. If you’ve ever worked with lawyers, you know very few of them like to be at the cutting edge. In a system that places a high value on precedent, being the first at anything poses a serious risk of failure. But once that nut was cracked and a few cases got through the system, the potential to move a lot faster in more jurisdictions seemed like a real possibility.

Years later, botnet takedowns are still not a frequent occurrence, even though botnets are certainly still a thing. This is, to my mind, one of the bigger ‘shames’ in this space (“it’s a shame that…” not shameful behavior), because if we could manage to take down multiple botnets on a weekly basis instead of, say, one a year, it dramatically drives up the risk factor (and potentially the cost) for would-be botnet creators. If you’re more likely to get hit by a meteor than arrested, life as a digital crime lord seems pretty attractive. As soon as prison becomes likely, suddenly it is time to consider getting a regular job.

Bad actors will always have a number of advantages over defenders and law enforcement. In some cases you’re dealing with super-empowered individuals, who can work much faster than adversaries that have to operate in an industrial-age model, be sure to address the ‘equities’ of all the ‘stakeholders’ involved, fight for budget, hunt for increasingly rare talent to do the work, etc. Especially when you’re dealing with governmental organizations, “taking down 1000 botnets” is probably not a bullet on anyone’s performance evaluation. From the organization’s point of view it is important to “measure what matters,” but from the employee’s point of view all that matters when it comes to applying effort is what is measured. These types of activities require extensive industry cooperation, and such measures are not revenue-generating. Read into that what you will.

The work that goes into both botnet and ransomware takedowns is not insignificant, and those involved deserve to be recognized and congratulated. But until actions like these become so commonplace that they cease being news, they are novelties. Unless government, defenders, and industry can devise a system of processes and incentives that make such actions practical and rewarding, such activity will eventually wane, and it will be like nothing anyone did mattered.

End Cybersecurity Awareness Month

Management guru Peter Drucker said, “what gets measured gets managed.” Which helps to explain why October – Cybersecurity Awareness Month – is such a bad idea.

For the 31 days of October, everyone in the world who is not involved in cybersecurity is going to be rendered deaf by the cacophony uttered by those who purport to want to improve cybersecurity. In truth, all this noise will drive people to tune out, unsubscribe, unfollow, or otherwise distance themselves from what some well-intentioned but misguided souls think is being useful.

The idea that a month of non-stop mentioning cybersecurity is going to actually improve the state of cybersecurity is like thinking you can declare “war” on poverty or drugs and come out the other side a winner. Doing more of a thing that isn’t working isn’t virtuous, it’s stupid. It becomes a thing you can’t not do because you’re more afraid of what people will say than of the efficacy of the deed.

Come November 1st everyone will sit back to enjoy the silence and promptly forget whatever they might have heard or read. They will not remember a single vendor name or pitch or product name. They won’t forget about cybersecurity writ large, because in a day or two they’ll get notice that yet again their personal data has been compromised via a breach at a company that … if they had just paid more attention in October…

This brings us to Drucker and the idea that people pay attention to what they’re evaluated on or against. We’ve all had jobs where on the first day you’re told company policy (don’t commit fraud, follow safety rules, don’t harass people, etc.), and every subsequent day after that you’re told what your quota or goals are. Is it any wonder, then, that people do all sorts of things in violation of policy in order to maximize their reward? Every day it’s ‘earn, make, do’ and once a year it’s ‘don’t forget to be a decent human being.’ And we wonder why we have toxic workplaces and endless breaches.

What is the usual agenda for your Monday morning staff meeting? Operations update? Accounting and finance? Personnel? You talk about these things because they’re important. People know they are going to be held accountable for those issues, so they work on them. If you want to level up your cybersecurity posture you need to talk about it at least as frequently as you do everything else you care about. Treating it as something that only gets addressed occasionally, or when something bad happens, is a sure-fire way to get people to pay attention only for as long as they must.