The cyber drug war – Why prohibition is failing

When I look at the current state of cybersecurity, it seems obvious that something is seriously broken. According to a recent Juniper Research report, global cybersecurity spend will reach nearly $135 billion in 2022, up from an estimated $93 billion this year. You would hope that all this added investment would help tip the balance in favour of the good guys, but instead we just see cybercrime continue to soar – Juniper predicts data breaches will cost global business a total of $8 trillion in fines, lost business and remediation costs over the next five years. It’s not surprising that 60% of CIOs surveyed feel they are losing the battle against cybercrime.   

We see a similar tale playing out when looking at the war on drugs. In America alone, taxpayers are paying more than $6,000 per second towards law enforcement, prevention and treatment, and resources dedicated to fighting drug trafficking. Despite this, the international comparators report released by the Home Office concluded there is no evidence, from any country, that the level of drug law enforcement has a discernible effect on the prevalence of drug use.  

This all begs the question: are we doomed to fail? 

We need to stop criminalising users 

In both our cyber and drug wars, the ‘user’ plays a big role as a last line of defence. The drug industry would fail to thrive if people obeyed the law and followed the prohibition line. The same is true of cybercrime. Despite efforts to prohibit and control user behaviour, to educate on the dangers, and to enforce better behaviour through punishment, people will still find a way of bypassing security – if they can gain a short-term benefit, the seemingly distant risk of causing a data breach (or even arrest in the case of drugs) will factor pretty low on their priority list. They will take the risk, as no one ever thinks it will be them that gets caught out. In fact, 85% of CIOs say that people are the weakest link in security, ignoring or forgetting the education, policies and procedures enterprises have put in place to prevent risky behaviour.

In trying to solve the ‘human’ problem, companies have deployed arsenals of security tools designed to detect bad guys and monitor users. But all of this security can become a burden on the user. People feel like they are being watched and hampered, in what is essentially an unwinnable fight. If you are connected to the internet you will always be at risk. For some roles you need to be able to open attachments from people you do not know – take HR for instance. The system is unworkable. Yet the whole discourse around cybercrime is very victim-blaming, calling users stupid and accusing them of putting the company at risk. Much like our drug war criminalises users, so do our cyber policies.    

Isolation isn’t always a bad thing 

Ultimately, it is not fair to burden users with the responsibility of keeping cybercriminals at bay. One of the reasons ransomware, phishing and malware are so successful is that we all make mistakes. Once we accept that as a fact of life, we can start to look at different ways to approach the problem: an end to prohibition.

A sad reality of drug prohibition is that in the real world, we cannot put people in protective bubbles safe from harm. If they want to do something, they will. Yet in the online world we can, by using micro-virtualisation. By taking a virtualisation-based approach to security you can create safe zones where people can download malware and click on ransomware without fear that it will infect the PC or the rest of the network. The malware is contained. As long as they aren’t purposefully hurting anyone – i.e. they are not an insider threat trying to steal data – then you can leave employees to click and download to their hearts’ content. Because a disposable, single-use mini-virtual machine is created for each and every document, web page or email attachment a user interacts with, any malware or ransomware that resides there cannot spread: it is contained.

Creating an army of informants – turning victims into snitches 

Yet containment alone will not solve the big picture problem. While micro-virtualisation may prevent any threats from spreading from endpoints where it is used, there is a need to protect the wider IT society as well. This is where intelligence gathering comes to the forefront.   

One of the reasons drug prohibition fails is that law enforcement simply can’t detect and monitor every single person who might be taking part in the distribution of drugs. There are just too many possibilities and leads to follow. Attempts to do so, with ‘stop and search’, are time-consuming and often futile, as dealers can just get an understanding of how the police operate and change tactics to get around them. This is why you need better intelligence.   

Because micro-virtualisation allows malware and ransomware to execute, security teams get a lot more data on its behaviour. This intelligence can then be shared and used to strengthen defences for all. It can also help forensics teams, and the police, to start to track where threats are coming from so that we can start to bring the criminals to account.   

By decriminalising user behaviour and creating safe bubbles, we can gather intelligence that nobody else can get to – in essence, we create an army of informant machines that can provide police with the vital pieces of the puzzle that can lead them up the food chain. 

End prohibition now 

Only by accepting that our experiment with cyber-prohibition is failing and a new approach is needed can we start to change the tide. There’s a long road ahead, but it starts with accepting that technology needs to adapt to human behaviour and not the other way round. Businesses need to stop the insanity of repeating the same thing and expecting different results; end user prohibition today!   

Fraser Kyne, EMEA CTO at Bromium
