While technologies play a pervasive role in information security, they can’t and won’t fix a shortage of practitioners.

Technological Fetishization and the Infosec “Skills Shortage”

The overstated role of technology in information security is probably best exemplified by the current phase of hype around blockchain technologies. While a distributed and open ledger promised by blockchain does have some promise in improving the integrity and transparency of some record keeping systems, the costs associated with the use of this technology (computationally, energy use) and other social drawbacks makes implementation in what seem like useful applications (elections, financial transactions) unfathomable. The costs of running a blockchain would be both cost-prohibitive and socially unfathomable for how it would impact privacy in most use cases.

The absence of a clear-cut use case scenario has not stopped private interests and governments from touting their investment in these technologies to emphasize their interest in security and integrity. These kinds of investments far outstrip the educational investments made by governments and private organizations in providing security education for their citizens and employees.

To be clear, when I say a security education, I mean training a potential or existing practitioner in information security skills, not to provide digital literacy skills in the form of information security awareness. Don’t get me wrong: security awareness is important! But even if people aren’t clicking on phishing e-mails and using complex passwords there is still a lot of risk out there for information security practitioners to address.

The failure to invest in security education is likely why Canada and the rest of the world is entering into a significant ““cough”*” cyber-skills shortage, as it is frequently described. It would be more accurate to say that this shortage exists becuase

At present there is something like a 0.06% unemployment rate amongst information security professionals and it is projected that between 2017 and 2021 Canada will need to fill 8,000 infosec related roles - globally this number will probably look more like 3.5 million (this comparison is not unimportant). Looking at those same projections for how Canada’s infosec workforce has grown over time, it seems Canada will only be able to fill 3,200 of those roles. While achieving less than half isn’t helpful, it’s important to remember that global deficiet - information security work will reward a premium to skilled practitioners. So while many countries can’t offer the same social safety net or Justin Trudeau - they can offer high salaries and private healthare, diminishing returns for those projected 3,200 new workers.

Will AI Fix the Skills Shortage?

It is presumed by many governments and organizations that new and innovative technologies will address this skills shortage. That technology like blockchain or AI will arrive fully-formed and start shoring up gaps in the defenses of strategic and economic interests. But this belief and its anticipation deeply betrays any understanding of how technologies work in information security and what role they play.

Look no further than 2-factor authentication (2FA) as a case where even a good technology can still fall down on its face. While the implementation of 2FA through phones has been largely concurrent with excitement arond blockchain technologies, it is an example of a practical tool that has not been subject to the same hype. 2FA has been succesful in providing some better security features for users than those without, but it is at best an incremental improvement. To bypass 2FA criminals have utilized a different vulnerability, attacking telecommuniucations providers to fraudelently obtain access to phone numbers for accounts protected by 2FA.

In this example 2FA didn’t fail, our telecommunications companies failed. Their failure significantly diminishes the efficacy and security gains of 2FA. Comparably, AI and blockchain technologies are nowhere near as practical or applied as 2FA. But even if (and that is a huge IF) AI or blockchain were implemented practically, how would we know that the systems they rely upon won’t fail utterly, leaving individuals, governments and businesses completely exposed? Who would pick up the pieces?

In information security marketing companies like Cylance tout that its machine learning technologies protect against malware and “even those types of malware that are unknown and never-before-seen, such as in the case of zero-days.” To suggest that a machine learning system could detect zero days is an incredibly brave thing to say in the infosec community. Not because it’s a deeply held conviction, but because such a bold claim opens the speaker up to ridicule for their overconfidence.

While I was at BSides Las Vegas this year, news broke that the software used by Cylance’s machine learning platform could be easily tricked into ignoring even the most common garden malware if it had been disguised in a fairly trivial manner. The vulnerability isn’t a small bug in Cylance’s software, but a fundamental problem in the way machine learning can be abused. The system it relies upon.

The idea that there are vulnerabilities in security software, their gaps and failures isn’t a new or novel concept. At a practitioner level the information security industry has many approaches to this problem. Ultimately, new technologies act as force-multiplier, but they aren’t a replacement for people on the ground maintaing the security of the systems they are entrusted with. At a recent Usenix Security Summity, haroon meer

Something I hope to explore in my thesis is how the technologies that are touted as a pancea are ultimately by practitioner knowledge and expertise on a daily basis. The work that prevents a systemic risk from becoming a systematic failure.

Links

[1] https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-cyber-talent-campaign-report-pov-aoda-en.PDF [2] https://www.herjavecgroup.com/wp-content/uploads/2018/11/HG-and-CV-Cybersecurity-Jobs-Report-2018.pdf [3] https://www.bloomberg.com/opinion/articles/2019-05-03/blockchain-hype-missed-the-mark-and-not-by-a-little [4] https://medium.com/@kaistinchcombe/decentralized-and-trustless-crypto-paradise-is-actually-a-medieval-hellhole-c1ca122efdech