Stuxnet is the Latest Wake-up Call from the Blue Pill Stupor
October 6, 2010
I was at a reception two weeks ago, listening intently to Maj. Gen. Suzanne M. Vautrinot, the Director of Plans and Policy for the U.S. Cyber Command, when I had an epiphany. Gen. Vautrinot was speaking to the need for public support to fight the growing cyber threats and used the “red pill, blue pill” metaphor from “The Matrix” to describe her belief that people are choosing to ignore the problem rather than face the facts in front of them.
I nearly sprang from my chair. I had been searching for a metaphor to explain why rational and smart people continue to ignore the evidence around them concerning IT security in general and endpoint protection specifically. While Gen. Vautrinot used the reference in a somewhat different way, she had shown me the light.
I call the phenomenon “the blue pill stupor” – the process of ignoring the evidence around you in the hope of maintaining the status quo you choose to believe because, frankly, it is an easier path. You simply take the blue pill, return to the reality of your making, and hope there are no consequences.
Let me tell you why you’re here. You’re here because you know something. What you know, you can’t explain. But you feel it. You felt it your entire life. That there’s something wrong with the world. You don’t know what it is, but it’s there.
Before Morpheus offers Neo the two pills, he speaks to what has drawn Neo to that moment. Neo has the sense that there is something wrong but Neo, not knowing he is living a dream, cannot see beyond the reality created for him. That is what makes the IT security version of the blue pill stupor so confounding – we see the evidence that the world has changed all around us. Currently, everyone is all concerned about Stuxnet and rightfully so – it is a scary example of what we face today. But the Stuxnet frenzy will wane, and unless it happens directly to them, no one will really act differently. Just think back to how gorked everyone was about “Operation Aurora” and how that now feels like a distant, hazy past. Unlike Neo, we make a conscious decision to ignore what we know and hope against hope that it will all be okay.
You take the red pill and you stay in Wonderland and I show you how deep the rabbit-hole goes.
A second character in The Matrix, Cypher, is offered the same choice by Morpheus, chooses the red pill, and later regrets his choice. That is because the red pill knocks you completely and totally out of your existing comfort zone. The red pill is the harder pill to swallow, because it forces us to face reality and when we do, we have no choice but to change.
The red pill requires those who have made choices in regards to protecting organizational information assets to face management and tell them that the game has changed, so the protections must change. That it is in fact no longer possible or practical to block every piece of malware, that attention must be paid to detecting what makes it through the shields and stopping those attacks as quickly as possible. That the reports management gets about increasing numbers of antivirus detections are a mirage, because they reflect increasing attack volume but not the falling antivirus detection rates. They don’t show just how much is actually getting through. The advanced persistent threat – that is a problem for NASA and the NSA, not their organization.
For their part, management takes their own blue pill. They are not on the cover of the New York Times with a public breach. They don’t feel any intellectual property leaking out, they don’t feel personal information about customers and employees being secretly exfiltrated, and no one in accounting is telling them they have a cash shortfall because financial transactions were interrupted or intercepted. Yet.
IT Security and management tacitly adopt a similar position. They speak to the large embedded antivirus vendors that tell them they have it all covered and they want to believe it because admitting to the truth means hard decisions have to be made and even harder work will have to be done. They are quietly playing a game of risk management hoping that they can get by in the blue pill stupor and never get an attack that erodes their customers’ confidence, forfeits their leadership in intellectual property, or degrades market valuation.
But the odds grow thinner as attacks increase in complexity and volume by the day. Unfortunately the security market does not help matters because the large, embedded companies are the leading distributors of blue pills and don’t want their big cash cow customers suddenly getting a red pill dose of reality and looking at new, innovative solutions.
History has not been kind to cultures that choose the blue pill route. Normally the awakening from the stupor only comes after some form of spectacular incident. But it does not have to be so. Innovative solutions exist today that will make the red pill much easier to swallow if organizations are willing to reach for the red pill. If these organizations are willing to set aside some well-established predispositions, they may find that they can shut off as many or more of the old protections built for a threat environment that has long since passed by as they will have to add new and innovative protections to address the current and future threats. Change always brings some level of discomfort, but in this case the change will be less painful than anticipated and certainly worth the effort.
Remember — all I am offering is the truth, nothing more.