The Red Queen theory of Internet security


I sometimes think to myself about how little progress has been made in Internet security in general since I first started working in it 10 1/2 years ago.

To be sure,  lots of things have come out:

  • Email authentication techniques
  • Multi-factor authentication for logging into email accounts, social media accounts, etc.
  • TLS for transmitting data securely
  • Anti-malware products
  • Extended Validation SSL certificates
  • Plus the tons of things I haven’t mentioned

We are so much further ahead now than we were back then that it makes me smile when I look over the list of technologies that have made us safer.

image

But what is even more mind boggling is the scope of the data breaches and cyber security breakdowns that still occur today despite all of this technology:

  • DDOS attacks are still a thing
  • Botnets and crimeware-as-a-service still exists and is getting better
  • Target and Home Depot suffered hacks that leaked millions of records and plenty of fraudulent charges racked up
  • Sony was hacked and suffered huge data loss

The question in my mind is that if security technology has gotten better then why does the impact of a security failure keep getting worse? Shouldn’t it be getting more and more contained?

In Stephen Pinker’s book The Better Angels of our Nature, he observes that in spite of all the headlines that lead us to believe the contrary, humanity has been getting steadily less violent over time. There are a variety of reasons for this, but basically, society is changing for the better so we can learn from the things we did wrong and more importantly, also from the things we are doing right that have led to this drop in violence.

But cybersecurity is not displaying this same trend. If anything, my job has gotten more and more difficult as time passes. The problem is getting worse.

Disclaimer: This may simply be the availability heuristic. I am close to the data and therefore I think things are getting worse because I hear about it all the time because of the industry I am in, when in reality things are getting better. I tend to doubt that, but then again, of course I would – my brain won’t let me see things any other way.

So why are things getting worse?

I have a theory. I call it “The Red Queen Theory of Cybersecurity” [1] or its CNAME “The Red Queen Theory of Internet Security”. It’s a term I am borrowing from evolutionary theory [2] and it comes out of Lewis Caroll’s sequel to Alice in Wonderland, Through the Looking Glass.

image

In Looking Glass land, the Red Queen explains to Alice the nature of the land. At the top of a hill, the Red queen begins to run, and Alice begins to chase after her. Alice is confused by the fact that even though they are running, they are staying in exactly the same place. Alice asked the queen why this is and the Red Queen remarks, “Now here, you see, it takes all the running you can do to keep in the same place.”

In evolutionary terms, this hypothesis proposes that species must constantly evolve and adapt not to gain a reproductive advantage over other members of the same species, but also to survive when faced with simultaneously other opposing organisms in a changing environment. So, as you evolve, so do parasites that are feeding on and weakening your body. You react to these parasites and evolve defenses. The parasites start dying off and evolve to continue to feed. You have to counter-evolve against this counter-evolution to fight off the parasites invading your body. And so forth.

Neither you nor the parasites are gaining any sort of competitive advantage. You are evolving just to prevent dying off, and so are the parasites. Your competitive advantage is not that you can reproduce faster than your peers, but that you can reproduce at all without being killed off by others who need your body to survive. You haven’t made any progress at all, just like that guy who kept rolling that rock up the hill only to see is slide down again. [3]

image

It’s worse than a Hobbesian trap (that is, an arms race). In an arms race, you build up your defenses because you think your opponent may strike you, and they believe the same thing, so you always leapfrog each other. But in the Red Queen theory, you build up your defenses because your opponent is striking you!

For all of our sophisticated immunities, we haven’t made much progress. We are only running faster and faster just to stay in the same place.

And this is the exact same problem we face in cyber security. The reason data breaches and security problems are getting worse and worse is precisely because security technology has gotten better over time.

Companies have valuable products and information to sell, which they turn into a product and make money. Cyber criminals break into computer systems and deposit malware for the money, or for the lulz, or for hacktivism reasons, or for nation-state theft of secrets (which is the same thing as for the money). Security companies provide protection for this to close off those vulnerabilities.

But it doesn’t stop there; cyber criminals understand their current methods are blocked so they look for other ways into the system. Security companies react and block those methods, too. Cyber criminals react and look for still other ways, more complicated than the previous ones, and security companies block those, too. The criminals react by hooking together multiple chains of weak points because they are more difficult to detect; eventually they do get detected but the cycle continues.

Each attack becomes more and more sophisticated, and the technology to stop it becomes more and more sophisticated but look at the end state:

Companies have valuable products and information to sell which they turn into a product and make money. Cyber criminals try to break in to steal it.

We are back at the same place we started but have been running faster and faster (more complicated and expensive security software) just to stay in the same place – keeping criminals out, while criminals are in the same place too – on the outside trying to get in.

And that’s my Red Queen Theory of Internet Security (or Red Queen Theory of Cyber Security):

Organizations must constantly adapt and upgrade their security processes not to gain a commercial advantage over other members of the same industry, but also to survive when faced with simultaneously other opposing cyber criminals, who are similarly upgrading in a changing Internet environment.

Or to put it simply, in the world of security, you have to run faster and faster just to stay in the same place.

image

 



[1] Technically, this is a hypothesis.

 

[2] I copy/pasted a little bit from Wikipedia.

[3] I know his name is Sisyphus.

Comments (3)

  1. Uwe Manuel Rasmussen says:

    Terry, Great post! Other than the arms race, I also think that we are much more vulnerable today to internet crime as we are moving to cloud computing. Indeed, through technology we have been able to make advances in some areas allowing us to keep on top of things (such as the spam filtering 🙂 . However, a big change for users is that they now rely on internet accessible storage for ever larger quantities of data, including sensitive data. This means that when we have a data breach, it is all the more spectacular. It is a little like a plane crash. It causes many deaths in one single accident. When we have a data breach for online services, there is a risk that literally millions of people will lose sensitive data. This was not the case in the early internet days and provides a real incentive to criminals.

  2. Paul K-S says:

    Terry, you've got me thinking, again. I'll bookmark your blog and share it with my team. Looking forward to reading more.

  3. Carol says:

    I'd love to download your podcasts and listen to them while driving, but a search on iTunes comes up with Sarah Zink only. What am I doing wrong?

Skip to main content