Better Cybersecurity Defense? Try Surprising Adversaries
British Cybersecurity Official Shares Advice for Defenders at Black Hat Europe
"How do we surprise our adversaries?"
So asked cybersecurity veteran Ollie Whitehouse in an opening keynote speech Wednesday at the Black Hat Europe conference in London, which is devoted to identifying more scalable and resilient cyber defense strategies in what remains "an asymmetric world."
Cyberspace is asymmetric because attackers are unconstrained by any moral, ethical or legal checks, said Whitehouse, who spent 27 years in the private sector and, after finding it unfulfilling, now serves as CTO for the National Cyber Security Center, which is part of Britain's GCHQ intelligence agency.
"I thought about what would make me sleep at night, and that was to get the true national picture on cybersecurity," Whitehouse said of his career change.
He said the imperative for defenders is to "build evidenced resilience," to prepare for the threats of today and also tomorrow, and to find better ways of imposing material costs on adversaries.
"One way you can create a bad day at the office for someone is to do something totally unexpected," which can drive them to "pause, rethink and reconsider," he said. As an example, he cited Google's DeepMind artificial intelligence program playing Go against some of the best players in the world and winning by using opening moves no human ever previously used, because their competitive benefit might have appeared to be slight.
Defense is harder than offense due to a multitude of challenges, including a surfeit of legacy technology, weak incident response capabilities, poor operational technology controls, phishing's continuing efficacy for attackers, and a world in which some of the most critical systems run on code maintained by nonprofit foundations and hobbyists, Whitehouse said.
To improve the state of cyber defense, he called on practitioners to develop features that organizations need to better protect themselves - and to collaborate with the likes of the NCSC. Organizations should always be doing "the pre-mortems," Whitehouse said, adding that "we are in a situation where we can shape the outcome but it will take all of us."
Looming deadlines are set to test governments' and organizations' cybersecurity preparation and capabilities, said Jeff Moss, the founder and creator of the Black Hat and Def Con conferences.
Speaking Wednesday, Moss told conference attendees that two specific years give him concern.
The first is 2024, when the frequency of misinformation and disinformation campaigns looks set to surge as many countries around the world - not least the United States - hold major elections.
Seven years after Russia attempted to influence the 2016 U.S. presidential election, a show of hands from the audience proved that the attendees agreed with Moss about the problem being worse than ever. Other countries have joined the fray - including China, India and Iran, which has been attempting to turn the Israel-Hamas war to its advantage. Many of these campaigns target a very "human problem," which is Western societies' free speech protections and the preference of governments and businesses to not regulate these areas, Moss said.
He said the second year to beware of is 2027, the date by which Western intelligence believes Chinese President Xi Jinping has told the People's Liberation Army to be ready and capable of conquering Taiwan, although whether that is achievable isn't clear.
If it does happen, many experts believe that to maximize their chance of success and minimize losses, "the Chinese would employ a sort of 'everywhere, everything, all at once' strategy - mass disruption on as many networks as possible all at once - supply chains and social media," Moss said. "The idea is to cause a disorientation or a panic amongst the population," lasting long enough to facilitate rapid advances by the PLA.
China's apparent intention to invade Taiwan in a specified time frame should drive all organizations to review their cybersecurity posture and incident response plans and to drive more rapid evolution in public/private partnerships, said Moss, who serves on advisory boards for both the U.S. Cybersecurity and Infrastructure Security Agency and Britain's NCSC.
"We're optimized for one problem at a time," he said. "We aren't built for everything, everywhere, all at once, and I believe that will be chaos."
Solving that challenge could have massive upsides, including not just improving the state of incident response but, on the geopolitical front, deterring Beijing from pursuing "an everywhere-all-at-once style of attack," he said.