By: Wedge Greene, Trevor Hayes

Planners today are well acquainted with a positive feedback system. When coupled to a formal game scenario, one side’s advancing move becomes the baseline for the alternate players counter and then advance.  An arms race is a classic example. Cybersecurity is a classic arms race, but with many more opponents. Today’s cybersecurity game is far more complex than was the two player nuclear arms race. This cyber-arms race can become as deadly as any other when we consider that we are protecting computer-controlled infrastructure from serious disruption and failure.

Network Health

Before we began to see cybersecurity as a problem in multiplayer game dynamics, we originally found it helpful to use human health and sickness as an extended metaphor for cybersecurity. In the early days of computers, everything was healthy. Things were often broken, but seldom sick. Then someone thought of deliberate malware, and created a virus. Our first anti-virus remedies were like prescription medicines. Swallow a pill to cure the ailment. When computers were only loosely connected, separation barriers slowed distribution of a virus and allowed time for human-designed responses.

As humans learned more about diseases we invented ways of preventing illness, including immunization. Similarly, as networks became universally interconnected, viruses were designed with dispersion mechanisms and became more prevalent. We developed and installed anti-virus apps before the viruses got into the system. That is the IT equivalent of immunization. If every networked device was immunized, known malware would have nowhere to grow.

But humans aren’t immunized against everything, and sometimes we get sick. How do we know we’re sick? Well, generally we keep track of some measurable key indicators and watch out for departures from the normal operating range. We raise a flag when we depart too far from the expected norm. Labs are ordered. Then, as suggested by the doctor, we take the appropriate medicine. When we find a new disease, we find a way to fix it, open a production line, and begin to disperse the solution to the market.

We have now reached a similar stage in malware prevention. An unidentified bug gives the network an ache. A monitoring application will identify the symptoms and flag them as out-of-normal behavior. It will probably send a human a sample, another human puts together an antidote. The anti-malware app is updated for everyone.

The company Darktrace does a nice job of extending this biology metaphor in its marketing. They extend it into the mechanisms the body evolved to future proof itself against evolving virus and bacterial attacks. But here, Darkface and other new cybersecurity firms take a technical leap from the old health metaphor. They correctly identify that the problem is becoming so complex that old pattern recognition and coded rules approaches, what we called policy-management, will fail in the evolving threat landscape.

The Situational Threat

Networks, their tributary endpoints and the security vulnerabilities they encounter are much more dynamic than in the past. The various people and groups that conceive, develop and deploy malware - the “bad guys” for sake of brevity. But note that offensive cyber warfare participants could include your side's good guys too. These bad guys have access to the same technologies and tools as the rest of us, and clearly know how to use it. Often these are the same tools and technologies that we use to build and operate our networks and computer systems. The pace of evolution of malware is accelerating and we now have malware that can hide itself and confuse anti-malware measures much more than before.