When Mr Obama sat down with China’s President Xi Jinping in California this week, it’s a fair bet that the prickliest subject was cyber. American companies being are being ripped off by almost certainly state-backed cyber pirates but the asymmetry of the commercial battlefield makes like-for-like retaliation pointless. Meanwhile, the spoils of cyber theft keep growing—and Australia is far from immune, as last week’s exposé of IP theft from Adelaide-based Codan Limited, among other Australian targets, made clear.
In the absence of credible deterrence, Western governments have so far relied on defence. Cyber strategy for corporates is essentially bi-focal, according to the nature of the threat. On the near side is government agencies and ‘essential infrastructure’; the power generation companies and (retail) banks, without whom daily life would become swiftly awkward. For these guys, governments take a proprietorial cyber stance, mandating security processes.
On the far side is the bulk of corporate enterprise who face commercially-motivated threats. Here, governments preach a policy of self-help. They set up collaboration and reporting networks, encourage networking and briefings (the US, French and German governments do this regularly) and generally hope that with cyber security ‘best practices’, semi-official forums, reporting protocols and a regular dose of scare mongering, companies will learn take care of themselves.
By extreme good fortune, Australia’s new central new cyber agency, the Australian Cyber Security Centre (ACSC), is forming up at precisely the moment when the second part of this strategy needs rethinking. Hopefully, ACSC officials will be alive to the fact that the terrain of corporate IT is changing so fast that this self-help policy is doomed. If they don’t, then the strategy and operational mechanisms that ACSC comes up with are going to be dead before they’re decided.
The culprit is ‘the cloud‘—an abstract coverall term that in practice means buying your IT as a service. Essentially, IT as an in-house facility is being replaced by IT as an out-sourced utility. The power behind the revolution is money. It’s becoming progressively less expensive to pay external specialists to own and maintain your IT, compared to the cost and hassle of installing and running it yourself.
If anything, the cyber threat is encouraging this shift. As John Stewart, Chief Security Officer at Cisco pointed out when comparing commercial and piratical cyber skills: ‘It’s not a fair fight’. Even now, most corporate malware intrusions remain undetected for at least six months. It’s no more reasonable to expect a mid-sized commercial enterprise to defend itself against dedicated, state-backed hacking professionals, than it would be to expect an armed merchant cruiser to defend itself against one of Doenitz’s wolf packs.
From the ACSC standpoint, the cloud is an elemental problem. First because it’s moving the practice of IT security from companies to service providers, and second because this shift is occurring at multiple levels. Think of a pyramid, with server infrastructure at the bottom, operating systems in the middle and software applications at the top. Today, companies are steadily moving all or parts of that pyramid into the cloud. This means that different combinations of servers, operating systems or applications are maintained externally by cloud providers, who themselves operate on varying public and private models, depending on how far their services are commoditised.
If their server infrastructure is virtualised, which it is for all public cloud providers, then different companies will actually be sharing the same physical servers as countless other firms, though in reality these change by the hour. Networks are set on the same course. Why install a PBX for office telephony, or your own video-conferencing system, when you can run everything through integrated desktop applications (which you don’t own either)? Commercial virtual private networks are being replaced by plain services.
The difficulty with this multi-layered model of IT isn’t that the cloud providers are bad at securing customer IT and networks, with their equally multi-layered perimeters. Actually they’re extremely good at it, because that’s what they focus on. Economies of scale mean they really can afford to hire the best cyber security skills in the market, and deploy them to maximum effect.
Rather, the difficulty is that the entry points into a company’s systems, as well as the updates, the patching, the firewalling, and the malware detection capabilities, are firmly in other’s hands. And, while the concept of a total cloud corporation may be a stranger to the big end of town today, the trend is clear. Cost, capability, flexibility and even security will drive even the largest companies to heave ever bigger chunks of their IT into the cloud.
Naturally, the bad guys have cottoned on to this new, happy hunting-ground. In its 2013 M-Trends Survey (PDF), US cyber security company Mandiant noted that attackers are increasingly using outsourced service providers as a means of gaining unfettered access to large parts of companies’ IT. Just as naturally, these services companies will invest heavily in tactical cyber skills. The cyber arms race is shifting into the cloud.
So as ASCS intelligence, defence and law-enforcement officials warily circle each other this year, wondering who in the corporate world to talk to, they should track where their wards are heading. The rise of the cloud might be their saviour, because if push comes to protective shove, it gives them a (relatively) small number of counterparties, whose focus is already on cyber security, and who have the language, skills and commercial imperative to collaborate.
Their task is exceptionally taxing, because no-one knows how far states can or should go in extending cyber protection to national enterprise and trade. If history offers any analogy, they may end up creating or certifying fortified data centres and networks that resemble digital convoys. But if ACSC doesn’t see that the people they need to help are already forming up in the cloud, they’ll find themselves shouting into the wind.
Phil Radford is a freelance writer based in Sydney. He researches corporate IT infrastructure and systems in Australia and Southeast Asia on behalf of global technology companies. Image courtesy of Department of Defence.