When we were working in the early 1990s on the Air Force-sponsored Distributed Intrusion Detection System (DIDS), which would eventually morph into the Air Force’s ASIM global intrusion detection sensor grid, our Air Force program manager described the system’s expected user as Sergeant Bag of Donuts.
The expected user would have little to no cyber security training. We had to build a system for mere mortals.
Indeed, over the next decade, government cyber security R&D largely had the same goal: take the human out of the loop. The system had to detect all future attacks and know how to automatically respond.
Oh, and the system had to be inexpensive too.
If we were building planes, we would be building Cessna-class airplanes. The plane had to be inexpensive, simple to use, and very forgiving because the pilot/user would have minimal training.
Nearly 25 years later it has become clear that that model has failed.
In a Wall Street Journal article this week, "Symantec Develops New Attack on Cyberhacking," Symantec essentially announced it is throwing in the towel on its current strategy.
Antivirus "is dead," says Brian Dye, Symantec's senior vice president for information security. "We don't think of antivirus as a moneymaker in any way."
So Mr. Dye is leading a reinvention effort at Symantec that reflects a broader shift in the $70 billion a year cybersecurity industry.
One new model is to develop a unit of professional cyber defenders who can go from subtle electronic indicators to confirmed breach and then develop and execute a response plan.
FireEye recently paid $1 billion for Mandiant, a small firm led by former Air Force investigators who act like cyber-Ghostbusters after a data breach.
Symantec seeks to join the fray this week. It is creating its own response team to help hacked businesses.
This is a fundamental shift in cyber security. Cyberspace is now contested ground. The adversaries are professionals. Brian Krebs estimates the Target hackers made about $54 million. The US military recognized this shift several years ago when it created US Cyber Command. Virtually every major military has a similar organization.
In other words, no more Sergeant Bag of Donuts. No more Cessnas. We need to build cyber security tools for the equivalent of highly trained fighter pilots.
There are lots of issues here, not the least of which is how the new business model will work. As the WSJ points out:
Specialized cybersecurity services for businesses account for less than one-fifth of revenue and generate smaller profit margins. It would be impractical, if not impossible, to sell such services to individual consumers.
Still, we have crossed the Rubicon. There is no going back. We cannot just build the equivalent of Cessnas for weekend pilots. Cyberspace is now a world of professional warriors.