Offensive Cyber Security Changes the Industry
Matthew Rosenquist is Advisory Board Member at Brandeis University
The rise in offensive cyber security will cause major shifts in traditional threat and protection strategies. The shift is happening now, as the markets grow, threats increase, players change, and we all are being affected. Profound effects are pushing fundamental changes to the engine, which drives the industry. Understanding the transformation holds great value to those who are prepared to take timely advantage of correct insights.
The evolutionary road of security has been full of twists, turns, bumps and a good deal of chaos. Although predicting how the cyber security industry and market will transform is terribly difficult, its engine is based on principles which can be understood at a macro level, even if the resulting micro-events are highly unpredictable.
Technology in many cases, defines the playing field while the behaviors, motivations, and weaknesses of people represent the opportunities for advancement and positioning. These concepts apply equally with attackers as well as defenders. Greed, power, notoriety, loyalty, and revenge are common motivators for attackers. Defenders strive to maintain confidentiality, integrity, and availability in the most cost effective and unobtrusive manner possible. Technology is the environment where the conflicts takes place. Both technology and people tend to follow tracks of influence based upon profound changes, which can be seen as inflection points. Weaving these aspects together we can see how shifts to offensive security are a tipping point, initiating a domino effect resulting in a greatly different landscape than what we see today.
Offensive Security
For a long time the game was simple. Attackers worked to find ways to exploit networks, systems, software, and people to achieve goals aligned to their motivations. Defenders worked to close vulnerabilities, interdict attacker’s exploits, and keep their environments safe and running smoothly. They focused on looking inward to the electronic ecosystem under their supervision to build the best defenses possible within their allowable means. With the continuous development and adoption of technology, this has become a rapidly evolving competition of attackers finding new ways to cause harm and defenders continuously shoring up the fortifications. The rise in connectivity of everything to the Internet, smartphone proliferation, embracing of cloud computing, growth of application development, BYOD, and others great technology advances have all had a profound effect on security by opening new avenues to attackers and forcing defenders to cover more aspects. Balancing the equation, at a price, have always been the security technology and service companies, experts in keeping pace with defensive technology to thwart attackers’ maneuvers. They are experts in protection and offer products and services, which customers need, but would be hopeless to understand and incapable of delivering themselves.
The attackers also use tools and software suites to keep pace and maintain the competitive first-mover advantage. Although they collaborate to develop such malicious tools to undermine security, they are forced to operate under the mainstream radar. Security firms traditionally never developed offensive capabilities, as it would have been seen as unscrupulous and in contravention to their primary alignment. They reserved themselves exclusively to work on defensive capabilities. Individuals or businesses pursuing hardware and software research for attacking networks, assets, and systems, historically ran the risk of being labeled as ‘hackers’, branded with a long lasting stigma of being untrustworthy, and ostracized by the security community and customers.
Offensive security is changing the rules of the game and turning the social and economic models upside down. The result will ultimately be a far more dangerous and complex computing environment for the entire world. Offensive security is driven by military doctrine: ‘take the fight to the enemy’ and ‘control the battlefield’. Such capabilities may operate in a number of valuable ways, including conducting reconnaissance and surveillance, intercepting communications, denying resources and access, compromising systems, undermining integrity, disabling or destroying assets, and manipulating, impeding, or demoralizing an opponent, all in the name of security. Smartly, the business world has largely steered away from investing in companies who wanted to develop such wares, as doing harm to others is normally not good for business. But investors have been found for such technology and it is becoming a growth market. More importantly, the scandalous reputation is lifting, fostering significant changes.
Starting in 2011, major governments around the world realized with everything being connected to the Internet, from nuclear sites, stock markets, telecommunications, intelligence agencies, critical infrastructure, general commerce, and military systems, the potential conflicts of the future would not be limited to high explosive weapons, troops with boots, air superiority, orbiting satellites, and floating armadas. The US officially declared ‘Cyber’ as the 5th warfare domain, after land, sea, air, and space. They also formally announced for the first time, the open investment, adoption, and support for offensive cyber technologies to be included into the defense infrastructure. The defense apparatus of many governments have been heavily recruiting at hacker events and conventions to find talent they could leverage. The message to the security vendors was also publically made clear, it is okay to openly invest and dabble in the dark arts if doing so for proper customers. Many nations, some of which were already quietly seeking assets, openly followed suit. Overnight, the stigma disappeared, ‘offense’ became politically valuable, and a new race began.
The Long View
This seemingly simple change in direction is causing an irreversible shift, disrupting the delicate balance which exists in cyber-security. The governments, businesses, and individuals who rely on modern computers will be affected either directly or indirectly by greater risks. Key suppliers and security service providers will adapt and some will rise to seize new opportunities. A confluence of factors will contribute to create more sophisticated attacks and malware at a faster pace. Greater impacts will be seen and felt in software development and hardware architecture. Keeping pace will prove difficult and more impacts and losses will result. Security will experience an increased demand and coupled with other elements will cause the overall cost of security to rise until a new equilibrium is reached.
The Domino Effect
We are at the beginning of a cascading sequence, which will come to fruition over the next few years. Let’s break down the cause and effect cycles. The sustained acceleration and advancement of offensive technology, employed by one party to the detriment of another, will occur due to a number of social, economic, and behavioral changes.
1. Offensive is Reputable
With the endorsement from governments the stigma is being wiped clean. Historically, economic incentives aligned against legitimate players in security and defense industries desiring to explore offensive technology. The removal of penalties will unlock the shackles from these groups to conduct research and development of viable capabilities. Not all companies will take this path, but economic forces will shift direction and allow emerging market needs to be fulfilled.
Society’s opinions have begun the evolution from a perspective of irresponsibility to an outlook of legitimacy. With governments needing technology to defend their cyber borders, check aggression, safeguard citizen prosperity, and protect their political interests, the world is coming to realize a level of tenuous necessity for offensive technologies. Without fanfare, ‘offensive’ is rapidly becoming reputable. The respectability will pave the way for the emergence of legitimate new markets, which will ultimately be supported by academia, businesses, governments, and talented individuals.
2. Unlocking the Money
The lure of new business opportunities draws attention and investment like moths to a flame. Governments were the first to allocate significant budgetary spending. Logically, they initially approached longstanding and trusted defense contractors to fill the need. Unfortunately, the defense industry lacked the expertise and talent. Moreover, they had little in the way of working products or a R&D pipeline to show timely competiveness. A radical, perhaps desperate, path was taken. Governments reached out directly to the hacker community, searching and collecting for what already existed in the shadows. A naturally untrusting group, one which had been very suspicious of authority types, now found governments to be open advocates, willing to buy technology, and fund research. Nowadays, it is commonplace to find government representatives and recruiters at hacking conferences and events, some of which are now hosted by different branches of the world’s defense apparatus.
At the same time, defense companies witnessed a dramatic shrinking of conventional weapons budgets, supplanted by a meteoric rise in cyber spends, both defensive and offensive in nature. Recognizing the business threat, they began adapting to the situation by discretely investing in the retooling of their operations to expand into digital technologies with the intent of securing future cyber contracts.
With the potential of profit and lucrative deals, discovery of vulnerabilities, exploits, and other malware has quickly transition from what was once intellectual research projects to revenue opportunities. Recently, it was reported the US government alone spent $25 million purchasing code vulnerabilities. The reality is, they are not alone. Covertly, other governments are also likely committing tremendous resources to maneuver an advantage or insure they are not at a disadvantage.
Technology vendors previously enjoyed a fair chance that flaws discovered in their products would be brought to their attention first, in good faith. Many companies even offered nominal incentives and rewards. But this practice cannot compete in scale with the deep pockets of highly motivated buyers looking to upscale their offensive capabilities. In short, both the black and white-hat communities now have a legitimate path to profit for their skills and innovation. We can expect far less vulnerabilities gifted to vendors and more to show up in the marketplace.
This will have a number of effects on the vulnerability, exploit, and attack code markets. First, the seedy black markets will become more public and operate as legitimate brokers. Potential buyers will find stronger competition and higher prices as a result. Secondly, economic incentives will fuel an increase in the numbers of vulnerabilities being discovered for both hardware and software. At the same time, the number of actual weaknesses which are published will visibility decrease. Exploits are most valuable when they remain secret, except for those who want to use them. The markets will be in the open, but the vulnerabilities will be secretive, exclusive to the buyers.
An interesting unintended consequence will result. The market for vulnerabilities, exploits, and working malware will gain a foundation of legitimacy and rise from the shadows. If they can be sold or leased openly, it will no longer be ‘malware’, it will become Intellectual Property. In a twisted way, the investment in vulnerability research, testing, and validation will need legal protection. Laws will be reinterpreted, likely allowing the creation of offensive technology or at the very least non-intrusive research, but still illegal for the public to use such capabilities to the detriment of others. A fine line to be sure, but a line all the same allowing for research and profit.
These markets will not be limited to software. The accelerating trend of looking deeper into the system stack, past applications and operating system software, into firmware and hardware will influence exploit research and resulting offensive products. Although progressively more difficult, the farther down the stack an attacker can compromise, the greater the potential for control, power, and persistency. This is a differentiating trade-off which many elite specialists may use to distinguish themselves from the rest of the pack and command the highest prices.
What eventually follows will be purpose built hardware. Software is flexible, dynamic, and easy to create, but hardware based technologies typically provides advantages to performance and reliability in the form of consistency and robustness. Hardware is also the domain of defense industries. I suspect the synthesis of offensive hardware and software will be their competitive play on the markets.
Technology industries have shown where software initially succeeds, services are soon to follow. Services for denial of service, cracking, intelligence gathering, and other specialty offerings are emerging. In most respects such activities are and will continue to be considered illegal. But it is a likely speculation such services would also be leveraged by governments which are unable to field organic capabilities and instead look to outsource. Motivations for persecution may vary greatly from nation to nation, with national boundaries playing a role in the legality and availability of such fringe offerings.
Business opportunities will flourish and markets will grow in a significant way. It is just a matter of time before some enterprising finance analyst begins tracking the cyber-offensive market cap. The flow of money fuels the offensive market and unlocks the potential for innovation, advancement, and further competition. Economically, these factors will insure the building of momentum until saturation of market demand occurs and stabilization can follow.
3. Jobs are Created
Technology development requires people. The upswing in offensive security technologies will create demand in many different roles, including offensive, defensive, administrative, and support functions. With money flowing, organizations across the landscape will look seek out needed talent. The desired skills and experience are specialized and rare. The limited supply of experts and increasing demand across a number of industries, drives the need for more aggressive recruiting. With the stigma removed, candidate recruitment becomes very open in nature. Expect more job postings, sans the term ‘hacker’, to emerge. The label ‘hacker’, with its negative connotations, will likely evolve and align with the new and respected roles. I am partial to derivatives of “offensive cyber software engineer” or “cyber analyst/operative”, both which have professional undertones to them. High paying jobs will reinforce the desires of others who see the opportunities. Competition for the elite talent will be cutthroat and not see relief until a larger waive of new talent enters the workforce. Those, who at one time, hid their talent and capabilities will now flaunt and shine in the marketplace.
Groups looking to develop offensive capabilities require people with specific skills. Engineers, technologists, behaviorists, managers, strategists, testers, tinkerers and hackers are all required to develop new tools. Developing offensive technology is similar to defensive, just an altered perspective with opposite goals and different limiting parameters. In fact, although not publicized, many of the best security tools started at hacking tools and vice versa. In many ways it is the manner in which technology is used, which defines its classification.
Government and international agencies have taken the initiative in this space by directly recruiting the fringe community and increasing spending on cyber operations, technology, and intelligence budgets. CIA & NSA spending increased by more than 50% each since 2004. Following quickly has been the defense contracting industry, seeking to protect service relationships for their primary customers, by filling their ranks and expanding to create new solutions and services which satiate future needs.
A key component of many activities for both sides is a dependency on the timely identification of new vulnerabilities. Weaknesses create opportunities for novel and unexpected methods of attack. More researchers, reverse-engineers, and analysts will be needed to look for such avenues in all types of technology, which could be exploited. Hardware, operating systems, applications, protocols, business processes, data structures, and behaviors of people are targets of scrutiny. These positions may reside within product companies, academia, offensive groups, and independent organizations or individuals seeking to capitalize on the emerging and lucrative vulnerability markets.
With the increase of pressure to exploit devices, software, users, infrastructure, services, and other technology, mainstream providers will also respond with more focus on quality design, testing, and updates to hedge against their products being exploited. More effort and personnel will be assigned to insure secure architecture, engineering, deployment, and sustaining support competencies. Additionally, large vendors will also establish detection and response capabilities to quickly recognize when one of their products is compromised and to rapidly respond to re-establish security for their customers. Many large corporations, who already have something in this space either internally or outsourced, will add additional resources to keep pace.
Traditional security firms must cope with the flood and pace of new vulnerabilities, exploits, and novel attacks. More emphasis will be placed on scanning for weaknesses in customer’s environments, closing holes, and protecting against new incursions. More sophisticated attacks and malware requires equally complex analysis to understand and interdict. Developers are needed to create new features, scalability, and extensibility across software, hardware, and services. Positions will open to deliver the changes and increase the pace of response and prevention.
With limited security experts currently in the field, higher education establishments are jockeying for leadership to fill the future needs by quickly expanding their curriculum to include offensive skills. Qualified instructors, preferably with real experience, are needed in order to sharpen the minds of the next generation.
Across the growing industry ecosystem, a variety of new jobs will emerge to focus talent on advancing offensive technologies or in the efforts to protect against them. Specialized talent, capabilities, tools, and experience will emerge as highly valuable and sought after assets. The elite will have many opportunities to choose from and the overall currently available resource pool will be insufficient to meet demand. This will drive increases to compensation. More talent will fill the channel and with them, increasing the collective brainpower to advance offensive and defensive security innovation, pushing the cycle forward.
4. Talent Pool Grows
The talent pool will grow. The group of experts in the offensive world has always been relatively small. With lucrative offers capturing this echelon, the already shallow pool is quickly running dry. The free market will respond quickly to fill the void. With the stigma removed, the field opens to white hat and general technology professionals. Money fueling new jobs attracts attention and interest from prospective entrants. Academic institutions will seize the opportunity to formally train and certify the next generation of workers. Consultation and outsourcing firms as well as in-house training will expand current skillset reach of employees. The job outlook will highlight the long term opportunities for upcoming professionals to attain positions in the potentially lucrative field of cyber security. Over time, more experts in a vast variety of direct and supporting functions will fill the ranks in support of the changes being driven by offensive security.
This pinch can be felt today by organizations struggling to establish a new security operations or validations team, but finding talent to be very costly or simply not existent. Over time it will get worse before it improves. What is necessary is a fresh new group of aspiring candidates with skills, ideas, and some experience to be coupled with veteran leaders to align and focus such teams to dive-in and reach new heights.
The academic institutions, seeing the future, will have their turn to contribute and benefit. Universities are expanding what is currently taught for defensive disciplines and begin to build a steady stream of educated workers to fulfill the latest needs. With respectable employment opportunities opening, universities and trade schools will begin teaching the dark arts and invest in independent research to prepare their graduates. New credential programs will emerge as proof of formal education. Additionally, technical certifications, ranking, internships, and other measurement structures will help classify disciplines, identify areas of expertise, and stratify the tiers of competency.
Working groups, social sites, competitions, knowledge fairs, and information sharing portals will spawn with little fear of backlash or government intervention. These will increase the available base knowledge and help uplift the minimum average depth of skills. Students who were hesitant or secretive in their research activities will now be free to showcase their talents without risk to their reputation. ‘White hat’ hackers, those using their skills to identify weaknesses so they may be shored up, will take the next logical step and leverage those same talents to earn a lawful dollar in selling the tools they have built to compromise environments or teaching others their techniques.
Many organizations with established pools of deep technical or behavioral security competencies will look to grow the desired skills through employee development. Specific in-house or external training can increase talent in cost effective ways, by grooming the current workforce. Consultancy, outsourcing firms and even shady cyber-mercenaries will also be on the path to have elite trained workers to build reputation and brand.
Headhunters and placement agencies will organize to maximize talent logistics and establish an elite class to drive salaries and commissions higher. Expect to see rankings publicized for the average pay of an ‘offensive cyber engineer’. High paying jobs will reinforce the desires of others who see the opportunities and continue to feed the cycle.
Supply will eventually rise to meet demand and the void of qualified workers will be filled on a global scale. Supporting functions such as education, consultants, job placement, and social sharing will help establish and maintain a strong channel for future generations of the world’s cyber workforce.
5. More Serious Threats Emerge
The combination of talent, research, funding, and legitimacy will create a tidal wave of new offensive capabilities. Complementary defensive structures will also rise symbiotically, but in most cases will be a reactive response to attacks. The influx of motivated engineering and ideas will up-level the technical sophistication and quality. This will expand what attacks can accomplish, speed to targets, overall destructive power, increases to pervasiveness and survivability, and expanding the innovative ways to reach and affect devices, data, and people around the world. It will be more difficult to protect against and recover once effected.
Many of the professional offensive technologies will be held in reserve with the intent to use selectively for specific purposes. But some technology, ideas, innovation, devices, and code will escape from the protected zoo. It may be duplicated, stolen, lost, accidentally released, or even intentionally used, but information has a way of getting free. Use of these offensive weapons, by nation states or independent hackers, will likely inflict collateral damage beyond what we have seen thus far. The best and most effective ideas will be captured, analyzed, and eventually reverse-engineered to determine the best defense or for malicious reuse by others. Many will be sold or repackaged to anyone providing the right economic incentives. Code and method sharing will spawn many variants and some tailored attacks for specific and broad targets. In the hands of organized criminals and thieves, these new technologies will close the gap between them and their targets, at a scale and speed never seen before.
Professional businesses, traditionally specializing in defensive technologies, will rush to meet the new threats and some will expand to compete in offensive markets. This is an easy modification on their core IP, tools, and expertise. With the stigma gone, the full force of talent will come to bear on the technologies and techniques, pushing forward what is possible offensively.
Researchers and hackers will increase their work with greater virulence. With a lack of adequate safe testing environments, the Internet will be leveraged, to the detriment of the average computer users. Reverse engineering will rise dramatically. Those who lack specific skills to build offensive technology will instead reverse engineer the plethora of newly available code, to be reused and combined into new concoctions. The malware community has always been exceedingly good at sharing, reuse, and automation.
It is inevitable the sheer volume, diversity, and aggressiveness of attacks will rise. The prerequisites will be there, like stacks of barrels filled with black powder just waiting for a spark. Attacks and resulting losses will be more catastrophic until the defenders can successfully adapt to the new cadence and complexity.
6. Greater Overall Risks for the Industry
The result will be a greater overall risk for everyone. More vulnerabilities will be discovered and exploited. Malware will get more sophisticated, faster. More complex attacks will occur with greater impact and potential lethality. It will be more difficult to detect and respond to greater stealth capabilities, fueling an uncomfortable sense of paranoia.
Research and attacks will broaden in scope, including people, processes, data, software and hardware. Personal computers, servers, phones, networks, supply chains, operating systems, social sites, medical appliances, vehicles, etc. will be targeted even more than they are today. Essentially, every computer and the services they provide, will be at greater risk by the onslaught of upcoming offensive technology.
Some of the effects will be passive, such as reconnaissance, monitoring, communication interception, user identification, and people tracking. Other outcomes will be the copying, theft, and alteration of data, including counterfeiting and impersonation. The risks of financial theft, a longtime favorite of criminals, will rise fast. Most cyber advancements in the past 10 years were quickly repurposed by cyber thieves for their objectives. The same pattern will hold true. More harmful outcomes will include the destruction of data, broadly used services, and physical systems. Such could lead to catastrophes which take human lives. Everything from cars, nuclear power stations, traffic lights, medical systems, flight controls, chemical facilities, and drug manufacturing are becoming more dependent and controlled by computers. We have already witnessed critical infrastructure come under attack, such as the power grid, hydroelectric stations, military drones, automobiles, and airplanes. But those are just scratching the surface. Offensive technology could go much deeper and with greater effect to purposefully do great harm to individuals and geographic areas.
Advanced weapons could also be used to discriminate their targets by class or attribute, regardless of where they are. Governments may work diligently to reduce the collateral damage when using cyber weapons, by targeting very specific hostile targets and bypass innocent civilians. But more radical sects may intentionally target specifics of race, religion, country of origin, political party, or financial status as determining factors for attacks. The intelligence of advanced offensive technologies will give the ability to be more focused and potentially more terrorizing.
With vulnerabilities being identified faster and resulting attacks more numerous and complex, the financial result is the cost of security will increase. The pace of research and exploits will reduce the effective lifespan of security controls being deployed. Operating costs of security infrastructures will rise as they attempt to scale to the increased pace of work. Defenses will need to be updated faster with new types of protections. All at a cost. The expense to technology providers will increase as more emphasis is given to product development testing and validation. Lastly, the collateral damage may impact anyone or a compute system which they rely upon. This can cause outages, delays, opportunity and ancillary costs, lost customers and business, and frustration. The stresses will compound. The risks of many types of losses will go up, as a cost of the adoption and evolution of our high-technology world and the growth of offensive cyber capabilities.
Conclusion
Governments, businesses, and everyday people will feel the impact. As in the past, losses will drive in an infusion of resources to protect computing systems and services. The normal cadence and effectiveness of security technology currently being developed will be insufficient to meet the new waves of malware, both in quantity and in sophistication. Controls will be undermined faster and suffer a shorter life expectancy, forcing the necessity for quicker development and better resiliency. Demand for security will rise sharply, adding economic incentives to the turbulent mix. Security organizations will need to adapt to the more hostile threat landscape. Overall, the cost of security will increase for everyone.
We are witness to a defining moment. History will look back on this period of time as the beginning of the “cyber arms race“. Unlike the cold-war race, this will potentially involve and impact every computing device and user on the planet. It will not be limited to governments, but bleed out across the entire electronic landscape.
The move to unleash the genie of offensive cyber research and the resulting cascade effect is not catastrophic, from a holistic perspective. Arguably, it was an eventuality and therefore just a matter of time. It is just a change in an already highly dynamic system. The markets will adapt, as will the players. This will temporarily upset the balance through a chain reaction, but the security ecosystem is complex and self-correcting. It will eventually find a new equilibrium. We will ultimately end up with a compute environment much different than what we see today and will redefine the standards for security. In the interim, opportunities on all sides will become evident during the upheaval. Those with initiative and correct foresight into the future of cyber security will have the greatest advantage.
Matthew Rosenquist: http://linkd.in/1KLpusG