There is little doubt that Asia is one of the up and coming hotbeds of cyber security awareness. Major attacks are seen in the news more regularly, consumers are asking questions about the security of their apps, and regulation is soon to take effect in the core regional markets.
But the question remains:
Well, the answer is simple: Asian security awareness is several years behind the curve – though the usage of cyber security tools, i.e. a VPN service, has increased significantly. To fully understand what such a statement suggests, a bit of explanation is required on how security awareness evolves within a community.
Stories from the American wild west and Wells Fargo’s first foray into the “new frontier” are the perfect setting for describing this phenomenon.
When settlers first moved west, they uprooted their families, their belongings and everything they knew. This uprooting included their valuables, currency, and other items they might use for barter. Naturally, when they settled in an area, the community would eventually erect a bank or central storehouse as a place to facilitate trade.
The walls of this storehouse become the perimeter in this story, with the doors to the rickety wooden building acting as surrogate firewalls. Sometimes the entryways are guarded by “dudes with guns,” and these sentries act as an unmonitored Intrusion Prevention System (IPS).
We all know how the rest of the story goes; Jesse James rounds up his posse and brings an overwhelming force to storm the doors to the bank and steals all the money. The vulnerability here is a predictable defensive force; all Jesse James needs to do is execute the exploit by bringing more “dudes with guns” than the bank has as protection.
It is a similar problem in cybersecurity: an adversary finds a vulnerability on an open port, crafts an exploit for the network application, and it isn’t too long before the data is stolen. They can even use the same exploit on several victims before a solution is discovered.
After the banks are robbed, the community reacts with outrage. This is when the transition to Phase 2 begins, in which all efforts are spent on identifying and catching the bad guys.
In cybersecurity, the main finding by the community at the end of Phase 1 is that predictable perimeter defenses and the lack of effective response capabilities led to getting attacked repeatedly.
Now that Perimeter Defense has been established as an ineffective preventive security strategy, the community starts to build new organizations, tools, and processes for identifying bad guys. The Wild West’s answer to Jesse James and similar criminal outfits was the Pinkerton National Detective Agency. Their job was to find out everything they could about Jesse James, catch him, and thereby prevent bank robberies by letting other bad guys know that they will be caught.
We all saw how this worked out too; Pinkerton was an exorbitantly expensive detective agency (sound familiar?), and after Jesse James was caught, bank robberies continued.
In fact, the publicity romanticized the profession and influenced a century of movies, novels, and other fictional works. Such a high degree of publicity normally results in a marked increase in similar crimes, regardless of the industry.
The net effect of this type of attribution campaign is that it becomes “cool” to conduct this type of activity. Attribution as a Deterrent is another ineffective prevention strategy, and the community knows it. Deterrents work to some degree but often have an adverse effect during this phase of security evolution. Attribution as the primary focus of a security strategy is very expensive, and no matter what you try, bad guys are still going to steal your money.
The third phase, response, is when things really start getting interesting.
Communication channels are established between organizations across multiple sectors. Processes are created for mitigating risk and the community shifts towards response-based security strategies.
Modern banks are a great example. There are certainly thick walls, security glass and security guards that act as preventive measures, but bank robberies still occur. When you examine the placement and purpose of security countermeasures in a bank’s branch location, it starts to become clear that they are maximizing the response capability rather than attempting to prevent robberies altogether (because that’s not possible).
Thick walls funnel would-be robbers through specific entryways, cameras are mostly pointed inward, the tellers have emergency buttons they can press, and the bank hires off-duty police officers and specially trained security staff to act as guards.
Walls are walls; if you must have them, they might as well be thick. But bad guys can still back tow-trucks through them, so they aren’t as effective at preventing crime as some may believe. The purpose of the cameras is to record the activity for later review and to enable investigation (response). The tellers’ emergency buttons are linked to police dispatch centers so local authorities can send trained personnel to subdue the bad guys (response). The off-duty police and trained security guards are more useful as trained observers because they can provide credible witness statements, which are substantial evidence for both criminal prosecution and insurance claims (also response).
None of these countermeasures are going to prevent all bank robberies. However, combined and over a long enough period, enough evidence can be collected to begin predictive analytics. The community learns which blueprints limit the number of robberies and how much it will cost if a bank does get robbed. This data is shared with law enforcement to lock up bad guys, it’s shared with other banks to help them with their security strategies, and most importantly it facilitates insurance.
The last phase, and the hardest to achieve as a community, is monetization. It normally requires a high degree of coordination between governments, industry, and the community to work effectively.
A large amount of data needs to be collected, and the correct predictive modeling needs to be found. Once this happens and insurance can affordably and predictably assume the risks of an attack, security maturity has been achieved.
One of the challenging factors of cybersecurity is the suddenness with which the domain came into existence and how quickly it continues to develop.
Cybersecurity technology evolves in a fashion similar to the disparate growth rates of offensive warfighting technology versus defensive technology between the Revolutionary War and the Cold War.
We saw offensive weapons evolve from muskets to nuclear weapons, but the net result of defensive technology was putting roofs over our castles. There was obviously a lot of work put into building intelligence capabilities and improving militaries and this was because preventive strategies don’t work, responsive ones do. It’s easy to take a hornet’s nest out of a tree, but nobody likes doing it because of the fierce retaliation.
The US, as a whole, is somewhere in the middle of Phase 3 of cybersecurity.
We can predict or prevent some attacks but not others, and we don’t have enough data yet to make cybersecurity a viable line of business for the insurance carriers. Some industries, such as the Payment Card Industry (PCI), are getting close to Phase 4. Others, such as power companies, are at the very early stages of response-based security strategies using defense-in-depth.
Outside of the security domain, Asia is divided into two types of markets: mature markets and emerging markets.
Mature markets in Asia are mostly in some part of Phase 1, with some that are just starting to implement perimeter security and others that are attempting to set up regional information sharing. Emerging markets often operate as largely cash-based societies, and the types of cybersecurity problems they solve are unique to their region; they are pre-Phase 1.
Singapore is the sole outlier and may be one of the first countries to fully realize Phase 4.
Like the settlers that moved to the Western Frontier of the US, custom tools and ramshackle solutions are the norm. It is very common to see legacy hardware, complex out-of-date applications, and even uncommon operating system kernels. What is less common is robust network infrastructure, skilled and capable staff, and even standard devices such as USB drives.
These discrepancies often make it difficult, but not impossible, to provide comprehensive technical solutions to these countries. Solutions that would normally work in mature, western markets do not normally work here. The common exception to this trend is industries such as banking and government, and companies doing business alongside foreign partners; most of the time, these are the customers in this type of market that are ready.
It is possible that some countries may make leaps in security awareness and move quickly through Phase 1 and Phase 2 of the evolutionary cycle, or even skip them completely. This is due to how quickly information and technical solutions can be shared and deployed: by using technologies and lessons from more developed countries, they can implement solutions quicker and cheaper, as they do not have to develop and test these solutions themselves. For example, an emerging market can simply adapt existing regulation developed elsewhere without having to do a complete analysis and go through the whole creative process itself.
As a whole, Asia is catching up with modern markets. Knowledge, skill and technology are starting to flow into the region and, combined with a more educated and aware population, I expect to see rapid progression through the different phases of security.