When engaged in a fight, it's natural to ask yourself whether you are winning or losing. However, in the context of cybersecurity, this question might not make sense, because it presupposes that the state of winning exists.
Maintaining the Equilibrium
Every day, new people and transactions appear online, making the digital world more attractive to criminals. Miscreants fund malicious software and attack operations, so they can achieve financial, political and other objectives. Security practitioners respond to evolving online threats; the attackers adjust their tactics, the defenders tweak their approaches, attackers regroup, and so on and so forth.
Defenders sometimes feel that the attackers are innovating at a pace that's outpacing our ability to defend sensitive data and computer infrastructure. Such observations tend to be based on emotions and subjective observations and often lead to questions about which party is winning the fight. Defining our objectives in terms of winning or losing might not be practical.
The Eternal and Vicious Cycle
My perspective on the dynamics between cyber attackers and defenders aligns with the ecological metaphor that Lamont Wood described in an article Malware: War Without End. He referred to it as "an eternal cycle between prey and predator, and the goal is not victory but equilibrium." It's unlikely that this cycle will end and that either party will "win."
When I spoke with Lamont, I suggested that attackers work to bypass our defenses and the defenders respond as part of the cycle. If attackers get in too easily, they are spending too much on their efforts. If we are blocking 100% of the attacks, we are probably spending too much on defense.
The digital ecosystem as a whole continues to thrive, because it benefits its legitimate users and criminals that act as parasites within the system. However, individual participants in this ecosystem could find themselves at a disadvantage and suffer losses. Being complacent is risky for a given party, because it must constantly apply energy to maintain the equilibrium.
If our goal is to "win" the fight against cyber criminals, we don't stand a chance, in part because there will always be more threats to combat. It might be more useful to define our objectives in terms of maintaining an equilibrium between the defenders and the attackers. This way, we can help our organizations excel in the contaminated world of the Internet.