Welcome to the deep dive. We take critical research, pull out the key insights and bring them straight to you. Today, we're tackling something huge, really critical. We're looking at cybersecurity.
Now, you hear about massive spending, right? Global investment was over one hundred and twenty three billion dollars back in twenty twenty alone. But here's the kicker, and this is what the research we've looked at hammers home. Despite all that cash, we seem to be losing badly.
Yeah, it's a stark picture. The sources we're drawing from, including analysis from folks like Steve King, argue pretty strongly that we're spending more and somehow getting worse results. We're operating at a, quote, decided disadvantage.
A decided disadvantage. So the big question for our deep dive today is why, why the disconnect? And maybe more importantly, is there a way out? What's the proposed fix?
That's exactly it, and the core idea here, the real insight, is that this isn't just about tech. It's not just firewalls failing. It's a systemic problem. It spans five interconnected areas. Think of them as battlefields: economics, technology, information, education, and leadership. We're falling short across the board.
Five battlefields. Okay, that really broadens the scope beyond just code and servers. So before we dig into where we're failing, let's talk about the proposed solution you mentioned. It's called Zero Trust Architecture.
Exactly. Zero trust, or ZT, and the idea behind it is, well, it's simple in concept but really radical in practice. It basically says, forget the old idea of a secure perimeter like a castle wall around your network. Assume the attackers are already inside, or they will get inside.
Okay, so if they're inside, what do you do.
You trust nothing implicitly, no device, no user, no service inside or outside, gets a free pass.
Nothing, even stuff already on my network.
Nothing. The philosophy is never trust, always verify continuously every single time something tries to access a resource. It flips the old Internet model of built in trust completely on its head.
Wow, okay, never trust, always verify. That sounds like a massive shift, and you're saying this is key to tackling those five failing battlefields.
It's positioned as the strategic counter. Let's maybe start with the human side of things, education and leadership, because the talent situation described is, well, it's alarming.
Alarming how? What kind of numbers are we talking about?
The numbers are just staggering. In twenty twenty one, the US apparently had something like three million unfilled cybersecurity jobs. Three million? Three million. And that gap is growing way faster, like seven times faster than average job growth. But it's not just the numbers.
It's the type of talent too.
Precisely, while we're struggling to fill basic roles, adversaries, particularly state sponsored groups like those reportedly in North Korea, are running these intense, disciplined programs. They're training thousands of specialists, not just hackers, but cyber warriors, lawyers.
What makes them different? What kind of skills are we talking about?
We're talking highly advanced stuff. Zero day exploits, obviously, finding flaws nobody else knows about, but also incredibly sophisticated techniques like analyzing electromagnetic radiation leakage. Leakage from what? From air-gapped systems, computers deliberately kept off the network for security. They're reportedly training people, physicists and engineers, to pull data from the faint electronic signals these machines give off.
That is mind blowing. And our education system, it's not producing people who can even defend against that.
That's the core critique in the sources. Yeah, US cybersecurity degrees often focus too much on, let's say, administration, compliance, stuff you need for certifications like CISSP, which is valuable for management, sure, but it's not frontline combat training.
So we're graduating what administrators and bureaucrats.
That's the phrase used, Yes, administrators and bureaucrats, when what we desperately need is a warrior class, people trained in red teaming, offensive tactics, thinking like the enemy.
It really sounds like we're training auditors for a knife fight. And does this problem, this disconnect, reach the leadership level too, the CISO role?
Oh, absolutely. The CISO, the chief information security officer, is often in a really tough spot. They're trying to justify security spending to executives, to the board, who often don't fully grasp the technical risk, and.
They rely on models to make decisions.
Yeah, and that's part of the problem. They might use something like the Gordon-Loeb model, which mathematically suggests you should only invest a certain percentage, maybe around thirty seven percent, of the expected loss from a breach.
Okay, but hold on, if the math is sound, isn't the issue that the execs are just bad at predicting the actual potential loss, especially the non dollar stuff like reputation.
That's a really sharp point. And yes, the sources argue the model becomes problematic because executives consistently underestimate the true total cost of a breach. Quantifying cyber risk is hard, so they default to that lower investment figure, maybe thirty seven percent of a lowball estimate. The result: chronic underfunding, and.
The CISO's job just becomes keeping the lights on.
Pretty much. Keep the basics running, try to stay out of the news. Don't build genuinely resilient systems, because the budget isn't there.
Which leads us straight into that second battlefield, economics and technology. And you said the asymmetry here is stark.
Stark doesn't even cover it. It's fundamentally lopsided. Think about it. Huge companies, governments, spending billions collectively on defense, and the attackers, their cost is minuscule. You can apparently buy a ready to go DDoS attack kit, distributed denial of service, the kind that floods a website and takes it offline, for fifty dollars. Fifty bucks. And even the most sophisticated attack kits sold on the dark web for targeting large enterprises, maybe ten thousand dollars tops.
Ten thousand dollars versus multimillion dollar security budgets. It's absurd. You, the listener, could cause serious disruption for the price of a cheap laptop. The whole incentive structure is broken.
Completely broken, and the criminal side is getting incredibly professionalized. Look at ransomware as a service.
Right, like a software subscription, but for crime.
Exactly like that. Groups like DarkSide, who were behind the Colonial Pipeline attack, they operate like, well, like legitimate businesses. They issue press releases, they have customer support desks for their affiliates who deploy the ransomware. They even have tiered pricing, taking maybe twenty five percent commission on smaller ransoms, but dropping it to ten percent if the victim pays over five million dollars.
It's a franchise model for extortion. Okay, wow, Okay, so the economics are skewed. What about the technology battlefield? The sources mentioned technological solutionism.
Yeah, this idea that we can just buy our way out of the problem with more tools. The industry's flooded. One estimate suggests there are over thirty five hundred cybersecurity vendors out there.
Three thousand, five hundred. How do you even choose?
Exactly. Companies keep buying the next shiny object, another tool, another layer. But this tech sprawl isn't fixing the underlying weaknesses. In fact, the sources point to a disturbing trend. The more we spend, the more tools we deploy, the more successful breaches seem to increase.
So more tools, more complexity, more ways for things to go wrong.
We're drowning in tech but starving for a coherent strategy, and the tech itself is getting riskier.
Take 5G. Ah, faster speeds, more devices connecting. What's the specific threat there?
Speed and scale. By twenty twenty five, they predict maybe seventy five billion new devices connecting every year. Seventy five billion. Okay, and 5G offers this instant, high speed connection fabric. So imagine malware spreading not just quickly, but potentially at the speed of light across vast networks of devices.
So an attack like WannaCry, which caused chaos a few years ago.
Could spread globally in minutes, potentially. It shifts cyber attacks from being mostly financial or data theft problems to potentially causing real world physical damage at 5G pace. Think power grids, manufacturing, transport.
It's terrifying, and it connects to another tech issue mentioned, the supply chain, particularly open source.
Yes, the software supply chain. We all rely heavily on open source code, reusable libraries, and components. Developers downloaded something like two point two trillion open source packages in twenty twenty one. Trillion. It's the foundation of modern software. But here's the problem. The most popular, most widely used projects, they're apparently three times more likely to contain known security vulnerabilities.
So the stuff everyone uses is the riskiest.
It makes the whole ecosystem a massive tempting target. Compromise one popular component and you could potentially infect thousands of applications downstream.
Okay, this is bleak. Let's move to the third battlefield information, the fog of cyber war you called it.
Yeah, it's largely about attribution, or rather the lack of reliable attribution. You get hit, but figuring out definitively who did it? Was it Russia, China, Iran, North Korea, a criminal gang, an individual?
It's hard to pin down.
Extremely hard. The example given is the Anthem health insurance hack. Huge breach, seventy eight point eight million records stolen, massive investigation, years of work, millions spent, and the conclusion? Only a suspicion that China was responsible. No definitive proof. That uncertainty, that information gap, benefits the attackers immensely. They can deny, adapt and strike again.
And there's another angle to this information problem. Isn't there something about our own government agencies?
Yes. This is a really critical and kind of uncomfortable point raised in the sources. It concerns the tension between intelligence gathering and defense. Agencies like the NSA, their job involves finding weaknesses, exploits, in software, including common commercial products like Microsoft Windows or Office.
Okay, standard intelligence work, finding vulnerabilities, right. But.
The crucial part is, historically the policy has often been not to tell the software vendor about the flaw they found.
Wait, so the NSA finds a hole, uses it for spying, but doesn't tell Microsoft to fix it.
That's the reported dynamic they keep the vulnerability secret to maintain their intelligence access. But the side effect is huge.
It means that vulnerability stays open for everyone else to find and exploit too. Yeah, adversaries, criminals. Exactly.
We're essentially leaving known holes in the software that runs our businesses, our banks, our infrastructure, for the sake of potential intelligence gains. It's a deliberate trade off that increases systemic risk.
That seems counterproductive to overall national security.
It highlights a major internal conflict, and it's worsened by the fact that even when threats are known, information sharing is poor. Both private companies and public agencies tend to hoard threat data, preventing a truly unified defense.
Okay, so education, leadership, economics, technology, information failures across the board. It really paints a picture of needing a fundamental strategic shift, not just more money or tools.
Which brings us back to zero trust.
Right, So, how does ZT actually counter these failures in practice? You said, never trust, always verify. What does that look like day to day?
Okay. So the first practical step is defining your protect surface. Instead of trying to defend everything, you identify your most critical data, assets, applications, the crown jewels. It has to be small and manageable. Focus on what truly matters most.
Got it. Then what?
Then you use micro segmentation. Think of it like putting tiny secure rooms around each critical asset or application within your network. You build internal walls.
So even if an attacker gets past the main door, they're contained in one small area. They can't just wander around the whole network.
Precisely. It stops lateral movement, which is how most major breaches spread. And the third key piece is rigorous identity management. This means continuous verification of users and devices. Strong multi factor authentication or MFA isn't a one time login thing. It's constant, and you apply really granular controls at the application layer seven, controlling exactly who can do what with which data under what conditions.
That sounds much more granular than just checking if someone has network access. You mentioned active directory earlier, calling it a trojan. How does ZT fix that?
Because systems like Active Directory are built on implicit trust. Once you compromise AD, you often get the keys to the entire kingdom, admin rights everywhere. It's powerful, but brittle. ZT dismantles that excessive trust. It assumes any identity could be compromised and requires continuous proof, isolating resources so one breach doesn't cascade. It essentially neuters that trusted internal system's ability to grant universal access.
Okay, it makes sense conceptually, but does it actually work? Is there evidence ZT improves things?
The data reported in the sources is pretty positive.
Yeah.
Studies apparently show organizations adopting these core ZT principles see around a fifty percent improvement in preventing breaches.
Fifty percent just from those changes. Just by shrinking the attack surface, eliminating that excessive internal trust, and enforcing continuous verification, it fundamentally changes the defensive posture.
That's significant. But implementing this sounds like a huge undertaking, especially nationwide. What kind of big, national level actions do the sources recommend to actually make this shift happen.
They don't pull any punches here. The recommendations are aggressive, almost wartime footing kind of stuff. First, mandate zero trust for everyone, every network, public and private. Set a deadline, make it non-negotiable.
A government mandate for ZT architecture.
Wow.
Second, create a National Cybersecurity Manhattan Project pour massive funding into applying AI machine learning to security, focused on rapid development and deployment, not just slow academic research. Get solutions out fast.
A Manhattan Project for cyber AI. Okay, what else?
Third, change the laws. Modernize cybercrime legislation to allow for more offensive defense measures. The idea is to let victims actively pursue attackers, maybe seize assets or evidence in real time during an attack. That's controversial, but.
It's proposed. Enabling hack-back, or active defense, legally. That's a big one.
And the fourth, mandates on cyber insurance providers. Basically, force insurers to require companies to meet a standardized security baseline like the NIST framework before they can even get coverage.
Ah, using the insurance market to enforce standards. That's clever. It shifts the compliance burden.
Exactly. It leverages market forces to drive adoption of better security practices across the board.
So, bringing this all together, what's the main takeaway for you the listener? Where does this leave us?
Look, the core message from this material is pretty clear. We're losing this fight not because we lack money, but because our strategy, our education, our leadership, our whole approach across these five battlefields is fundamentally flawed.
And zero trust is offered as the framework to actually turn things around.
It's presented as the practical strategic path forward, a way to redefine the battlefield, shrink the target, and actually start pushing back effectively. But the sources end on a really sobering note. They draw this parallel to the lead up to World War Two, where the US was underestimated.
How so? The warning is that if we don't undertake a massive coordinated national effort now, like some of those proposals, maybe even a national Cybersecurity Service program for graduates, if we don't fundamentally change how we manage this risk, the potential impact on our hyper connected society could be devastating. The quote used is stark. It could plunge the US into resembling a third world country, at least as it relates to cyber.
Wow, a failure of connectivity knocking us back decades.
That's the potential future painted. So the final question really left for you to consider is, do we collectively have the will to make these difficult systemic changes before a catastrophe forces us to, or will we wait until it's too late?
