Sam & Red Curry

Winter is Coming (again but worse): Beating The Trend Lines In Critical Infrastructure Defense

Metcalfe’s Law states that the value of a network is proportional to the square of the number of systems on the network. In other words, 2 + 2 is worth more than 4: two networks of two systems each are worth 2² + 2² = 8 on their own, but joined into one network of four systems they are worth 4² = 16. Now imagine the dark corollary, for which there is no named law yet (maybe Curry’s Law, until someone does better work here?): the vulnerability of a network is likewise non-linear. It may be proportional to the square, it may grow more slowly, or it may grow even faster, toward an asymptote (as some have suggested when talking about the provability of security for any code base). However you slice it, the bigger the networks get and the more of them that get connected, the more potential there is for mayhem and havoc.

Even in the asymptotic scenario, all is not lost, because security work can remove large chunks of that vulnerability, and not every vulnerability is known to every party at every moment. This comes down to a competition between attacker and defender: the tools each uses to change the game, their rates of innovation, and the degree of insight each has into the other’s modus operandi. In other words, it is a domain of conflict and competition, with innovation as the key differentiator in running the respective attack and defense races.

This is why we have historically seen attackers dive down into firmware and hardware, such as legacy printers and routers, hiding in plain sight. It is also why there was a move to identity hijacking, living-off-the-land, fileless malware, supply chain compromises and so on. With the advent of OT, IoT and IIoT, on top of the explosion of Metcalfe “connected systems” across cloud compute and services, we face a vastly more difficult and exponentially growing network for the foreseeable future. This is where Metcalfe’s Law, making the siren call of offensive hacking ever more attractive, and Curry’s Law, providing ever more opportunities for attacker innovation, collide quite spectacularly.

For those who have read this far, let’s make it more real and personal. Some industries are seeing their traditional networks and systems connect to the Internet. Why? Because of Metcalfe’s Law and the promise of future increases in value as we innovate to connect and serve our customers, partners, employees and shareholders better. But then we have Curry’s Law creeping up behind this. And the rate of innovation on the dark side is now measured in months, even in Agile sprints.

So, this winter, we need to watch the networks that are newly connected, newly targeted, and highly valuable both to us and to attackers: the medical supply chains and networks, the power and electrical grids (looking at you, oil and gas sector), and the most critical infrastructure of all, at the base of our collective hierarchy of needs: the water and food supply.

This winter, we need to pay serious attention to critical infrastructure. Everyone should be thinking about where the trend lines extrapolate to, but it is time to get serious about securing critical infrastructure now. We must defend! We need the Metcalfe effect to help us advance life, support life and save life, instead of letting attackers put those very things in jeopardy. Most importantly, it is about placing some bets on game-changing innovation that can give us big gains in reducing the underlying weaknesses, and about improving our rate of improvement in defense faster than attackers are innovating. That is what will change the expectations of victory or defeat in cyber defense, and that is what will give us a solid base for our IT stacks now and into the future.