Fighting Diversity With Diversity

How do you fight diversity with diversity? To answer that question, we need to understand the diversity we are fighting.

  • Flying Kitten
  • Fox Kitten
  • Wizard Spider
  • Stone Panda
  • Mustang Panda (Not related to Mustang Sally)

What do those have in common? These are all names of some APT (Advanced persistent threat) groups. You can check MITRE ATT&CK for the names of many other threat actors and their modus operandi.

Rocket Kitten (not related to the Elton John song Rocket Man), also known as AJAX Security Team, is believed to be from Iran and targets the US defense industry, as well as users of Iranian anti-censorship technologies.

The Honeybee APT group attacks humanitarian aid organizations, mostly in Asia, but is also seen in Canada. Attribution is not provided.

Stone Panda attacks critical infrastructure globally. Mustang Panda, from China, is fond of government and non-governmental entities in several countries. Targets include non-profit, religious, and other organizations. Ransomware is Wizard Spider’s weapon of choice.

I could go on and on, but you can get that from the source: MITRE ATT&CK. The origins, targets, and methods of attack employed by these threat actors, most being nation-state sponsored, are quite diverse. Some like to use PDFs; others, for example the Equation Group, use remote access tools, and even exploits that can overwrite the firmware of hard drives.

So how do we fight diversity with diversity? For starters, we have multiple private and public organizations taking the battle to the attackers. Many anti-malware vendors track threat actors and collaborate with law enforcement. The same is true for security organizations that provide forensics when a company has been breached. Aside from law enforcement organizations in different countries participating in the fight, international law enforcement organizations such as Interpol are also in the thick of the battle.

All of the diverse private and public organizations have formed working groups and personal relationships to correlate diverse sources and types of information. International collaboration between international law enforcement agencies was extremely slow to get off the ground; however, great strides have been made over the years. Private sector security companies from around the world have been successfully collaborating for many years, but at some point, the information must go to law enforcement, and the lack of international collaboration between law enforcement agencies significantly hampered efforts to combat these threat actors. Thankfully there have been great strides made on that front. But that isn’t where the diversity of information sharing ends. Increasingly, private companies are sharing information about cyberattacks against them with governmental security organizations. Are you getting the picture?

Ha! I bet you thought I was going to talk about ethnic and gender diversity. I am. Insufficient societal diversity hampers our ability to fight the attackers. For all of the efforts of private and public sector cybersecurity organizations, it is a lack of diversity that is inflicting serious harm to our efforts to battle cybercrime. Why? I’ll tell you why (bet you didn’t see that coming).

According to ISC2, the global shortage of cybersecurity professionals numbers close to three million, with almost 500,000 of the shortage coming from the United States alone. This is a huge problem. According to Statista, there are expected to be 19.8 million students enrolled in private and public colleges in the US in 2022. Of this number, we need 3% of these students to choose a career in cybersecurity. Considering that some students will drop out of college, the challenge is greater than the numbers reveal. A myriad of career choices will thin an already shallow pool of potential cybersecurity professionals coming out of college as well. Face it, without chemical engineers making stuff like Red Bull, 87% of computer programmers would leave the field. We need chemical engineers.

The good news is that companies are increasingly reaching out to students to attempt to interest them in cybersecurity careers. So, what does this mean to soon-to-be graduates interested in cybersecurity careers over the next several years?

Let’s all say it in unison. Supply and demand! E.g., due to the shortage of talent, cybersecurity companies are going to be paying high wages, even to newly graduated computer science engineers. But by and large, the booming cybersecurity industry can afford the wages. One real diversity problem is how it affects cybersecurity professionals who are new to the industry. How does it affect you if you are one such emerging talent?

Let me put it this way… As most eloquently described in an episode of The Big Bang Theory, you are attached to another object by an inclined plane wrapped helically around an axis. Why? You get a great job with great pay in the field of cybersecurity. Despite the challenges, it’s a great career choice. But here is your problem. In a few years you may be climbing the career ladder and be promoted into a managerial role. Uh oh. You can’t go this alone; you need great talent to make you successful as a manager, but getting that talent is extremely difficult. Guess what? Your performance reviews are not just based upon your job performance, but also on how well you can attract talent, and that means you need to help steer people toward careers in cybersecurity. When it comes time to get a job, the people you motivated will remember you. You put yourself in a position to have the first opportunity to hire them. Companies doing outreach to high school and college students aren’t enough. You need to get out there and encourage these students to choose a career in cybersecurity, or you will be in a world of hurt. Specifically, you should be deliberately reaching out to young women and minorities. I’m not saying to ignore white males, but there are subconscious factors that sabotage great intents. You need to make sure your efforts are inclusive. In other words:

There aren’t enough white males to fill the open positions.

The deficit of diversity is an insidious problem that is primarily caused by people who are oblivious to unintended biases. Do you think I’m not talking about you? Me? Most of society, inclusive of race and gender? Surprise yourself by taking Harvard University’s Project Implicit test. While Project Implicit focuses on biases toward black people, the same types of subconscious biases are manifest in attitudes toward women, and toward other minorities. The biases are socially pervasive and are completely race and gender inclusive.

There is a moral obligation to be inclusive, and that should be the only reason for inclusivity, but from a morally agnostic, pragmatic perspective, the shortage of women and minorities in the field means that we are wasting a tremendous amount of high-quality brainpower, and that is a threat to national security. It’s a threat to society too, but this is a cybersecurity blog; you’ll have to do your own sociology homework.

If we want to fight the diversity of the attackers, we defenders better get better at our own diversity. We cannot fight enemies as effectively as we should be able to with a critical shortage of defenders.

An article in CSO Online titled “10 organizations that promote diversity in infosec” provides some great resources to share. Please do!

Randy Abrams
Senior Security Analyst
SecureIQLab