It's Time To Champion Security As A Service

Sony was hacked. It’s all over the news and people are throwing around words that alternatively label it CyberWarfare; CyberTerrorism or CyberEspionage. Yesterday morning I heard that President Obama pronounced it was none of these. Instead, he’s decided it was CyberVandalism.

While I normally don’t quibble about words (I’m an engineer, not an English major), this is one instance when I think it’s important to debate the difference: calling this sort of state-sponsored action a form of vandalism significantly downplays the seriousness of this activity. Indeed, according to Webster’s Unabridged Dictionary of the English Language (2001), vandalism “is deliberately mischievous or malicious destruction or damage of property.” Given the reports, it’s apparent that the Sony hack involves much more than property damage: it involves theft and threats against theaters and moviegoers. Certainly, such activities transcend vandalism.

Significantly, the Sony hack also seems to coincide with a cyber attack on a South Korean nuclear power plant. This hack resulted in the online posting of details about some of its systems and employees. One would be hard-pressed to define the hack of this South Korean nuclear power plant as mere vandalism; with theft of material relating to cooling systems and employees, it’s certainly espionage. Furthermore, depending on the hacker’s motivation and ultimate use of the stolen information, the action could easily extend to terrorism.

Since at least some media outlets are attributing both hacks to the government of North Korea, it’s important to recognize harsh realpolitik realities. Namely: (i.) some countries use espionage to advance their national interests; (ii.) some countries define national interests in ways that include commercial and economic matters as well as defense and security; (iii.) the interests of other nation-states do not always align with those of the United States; (iv.) not all nation states play by rules that the United States deems fair; (v.) the cyber vector is a low risk, convenient way to stealthily advance national interests.

Last evening, news reports began surfacing that N. Korea’s connectivity to the Internet had degraded to the point that the country was offline. While I’d like to think that this is retaliatory, that either the US or S. Korea have decided to create a cyber blockade of N. Korea in response to their poor behavior, the reality is it’s also entirely possible that it’s a group of activist hackers who have taken it upon themselves to launch a distributed-denial-of-service (DDoS) attack on the country. And this is the frightening part about the Internet—it’s relatively easy to launch attacks that have monumental consequences.

In the end, I guess it doesn’t much matter what you call these hacks. What matters is what we do about it.

I believe it’s time to champion a new approach to security, one that does not rely on concepts that have already been compromised but relies instead on innovative approaches that shift the game and render existing hacking tools obsolete. Rather than define security as a cost, something to be borne grudgingly, we must define security as a service. We must define security as a service that improves the way businesses communicate; a service that guards companies’ most important secrets and protects employees, customers, and shareholders. A service that protects against invasion by nation states; a service that protects against hacking vandals. Security defined as a service would be worth its weight in gold. This is the security I believe businesses seek.

Robert W. Twitchell, Jr., inventor of Dispersive Virtualized Networking, is President and CEO of Dispersive Technologies.

(Posted also on Robert W. Twitchell, Jr.'s Wired Innovation Insights blog.)