One thing that the recent Presidential campaigns and debates has accomplished, is to intensify the spotlight on the cyber security issue. While neither candidate receives strong report cards on their understanding of this issue, at least they seem to know that it is an issue. So when Donald Trump calls for “crippling attack cyberwar capabilities“, we can assume that he probably really doesn’t understand the notion of collateral damage, escalation, etc., that might result from any “Shoot-out at the Cyber Corral.”
Numerous opinion pieces and articles regarding the cyber security threat to national security, appeared around the time of the disastrous OPM breach, and have picked up ever since then. In the opinion piece, “Opinion: After DNC hack, US must better prepare for information warfare“, Congressman Jim Langevin, who does understand what’s going on, says,
“But I’m afraid that our understanding of the threats in cyberspace is not keeping pace with the rapid advances in technology and the avenues of attack they enable. The DNC email leak, for instance, bears all the hallmarks of an information warfare operation, timed as it was to coincide with announcement of the Democratic vice presidential pick and the commencement of the convention.”
Threat to the Election Process?
Indeed, the popular opinion is that Russia has crossed a line in trying to influence the elections and democratic process, and this article reports;
“Top US officials have suggested Russian hackers are meddling in the US electoral process. Defense Secretary Ash Carter warned the Kremlin not to interfere with Western “democratic processes” earlier this month, and said the US “will not ignore” attempts to undermine American security.”
So there is some sabre rattling taking place at the moment as the election approaches. Note the article, “The West Must Respond to Russia´s Increasing Cyber Aggression” which informs that,
“The Russian government has stepped up its state-sponsored cyber attacks because it perceives that there is no significant “price to pay” for such activities. This trend will continue as long as the West doesn’t push back.”
“The Russian cyber threat is more severe than we had previously assessed.”
The opinion piece, “Why Cyber War is Dangerous for Democracies ” tells us;
” … while it is important that democracies not spy on their citizens, it is as important that democracies have ways to defend themselves and their citizens from the dangerous cyber world that is emerging.”
” … increasingly fierce barrage of cyber attacks originating from non-democracies against the governments of democratic nations and their private firms, scientific centers, foundations, and civil-society organizations is a new form of asymmetry for which democratic countries lack effective answers.”
Indeed, since most of the emphasis, energy and resource expenditure has been directed towards counter-terrorism efforts over the last decade, there is some growing realization that governments and enterprises have not adequately prepared to protect themselves against the malicious cyber actions of foreign nation states, or their agents. (The same would apply to cyber criminals). Much, or nearly all, critical infrastructure is fairly vulnerable, and governments are lagging terribly at defensive execution.
How bad is it?
In the article, “Former Director Of NSA And CIA Says US Cybersecurity Policy MIA” Gen Michael Hayden say,
“The OPM breach was the failure of the feds to protect the data of so many millions of Americans, he said. “This is not shame on China. This is shame on us.”
“We have not decided what we would allow government to do to keep us safe. We’ve not even laid the groundwork for defending against such attacks, he said.”
Are governments or enterprises ready for, “The cyber jihad” talked about here;
” … the janitor could load malware onto a USB device and plug it into a computer to allow them to remotely hack into the network.”
” That is the kind of insider threat that we are going to be facing,” said Scott. “That is what they are seeing as the next step — an army of insider threats in the West.”
Nice! We’re doing so well detecting the insider threat now! This malicious, targeted insider threat, was termed subversion by Roger Schell who said years ago that this would be a greater threat than malware. He called for high assurance multi-level secure systems. (More from him below.) Reference monitor capability is definitely going to be needed.
A major problem is that policy actions and political posturing are probably not going to be enough. The piece, “National Cybersecurity: We Need a Fortress, Not a Sandcastle“ lays it all on the line.
“But let’s be absolutely clear on one thing — neither of these new bills will make our companies or our country substantially more secure. Why not? Because neither of them addresses the root cause of the problem. Our cybersecurity defenses built on the old status quo of simple, software-based security are built on sand. It’s time for our leaders to lay a new foundation. It is time to abandon the pretense that software and passwords alone are keeping us safe. We need a fortress, not a sandcastle.
“We need cybersecurity legislation that recognizes the fact that the industry standard IT security solutions that we’ve come to know and rely on are being hacked and bypassed so easily that we’re negligent if we don’t take notice and act to change them.
The opinion piece, “The Cold War is over. The Cyber War has begun“, tells readers;
“The Defense Department’s cyber strategy, published last year, argues that the United States should deter malicious attacks by a combination of three approaches: “response . . . in a manner and in a place of our choosing”; “denial” of attack opportunities by stronger defense; and “resilience,” by creating redundant systems that can survive attack.”
There are increasing calls for response to incidents, whether from Chinese espionage (APT) or foreign adversaries accessing sensitive political information. As vendors of high level defensive technology, Trustifier is interested in promoting the last two approaches, the denial and resilience options, which are quite lacking at the moment. It’s because failing at those leaves the worrying first option – response, which includes anything up to retribution by kinetic attack, and who knows what the worst case outcomes might actually be?
Why are there not more calls for greater cyber defensive capabilities? If foreign adversaries and cyber criminals can’t hack your networks and tamper with systems and devices in an unauthorized manner, what are they going to do? Complain?
A little historical perspective
It’s not like denial and resilience are new concepts. Some very smart people predicted the need for, and called for work to be done is this area decades ago. The following interview, an “Oral history interview with Roger R. Schell” is long, but provides a fascinating historical perspective. Roger Schell is basically known as the father of the Orange Book (TCSEC), a robust security standard from the early ’80s. Here are some excerpts that provide some interesting views.
” … the Black Forest Group said you know, we can’t do what we did in this other area because there’s just too much money in the computer security business; people that don’t want this problem solved.”
“But at the end of the day, they concluded that the vested interests against high assurance just made it impractical; they were not going to fight that battle; they had other things to do; that they could not overcome the vested interests against high assurance.”
“I don’t know if you saw that quote out of IBM labs, and he quoted one of the 1973-era papers in which I said as long as we continue to penetrate and patch, it’s just going to keep getting worse; and we trust things that are untrustworthy. And he said that a decade ago. And it’s still true, unfortunately.”
“… if you said, I require verifiable protection in order to be part of the critical infrastructure, that would make a difference; would make a tremendous difference. Would not be significantly more expensive; simply not significantly more expensive than what they’re proposing to do; might even be cheaper. It certainly would not be a major expense. And yet it absolutely gets no consideration at all.”
“… a researcher, applying some of the things we’ve talked about; was told by his VP to shut up and sit down because every time a customer had a solution, had a problem, if it was treated as a computer services problem, they’d make hundreds of thousands or millions of dollars, for each organization. If they gave, in this case it’s a question of a multi-level secure client, then I could access anything; if they delivered that, that service contract would essentially not be needed because they would’ve solved much of the problem.”
We’re seeing calls to ramp up cyber security budgets, training budgets, educational programs for users, executives, and Boards of Directors, for the creation of new standards, new compliance regulations and frameworks, greater penalties for non-compliance, or even to organize “Manhattan project for cyber security” scale projects as people start to hit the panic buttons. At least there is some visible urgency starting to appear, even if it is years late. But do any of these things address the root cause of insecurity, the source of the problem, in the first place? In this insightful post by Samuel Liles of Perdue he discusses whether such an approach would work.
“Though we can secure systems to some point we are almost always talking about a security absent some failure in the system. There is nothing really secure. This is a huge problem that breaks most peoples “common sense” way of thinking about security. Simply put, the way we do things will never be secure and we should stop trying to fix things the way we know doesn’t work.”
“Remember there is way more money in continuing the problem instead of fixing it.“
We know that the cyber security industry is growing rapidly as investment by government and enterprises is increasing. Yet, we’re not seeing better outcomes? Does more of what`s failing increase security? It appears that some seem to think so. Without addressing the root cause of insecurity, the new tech adds layers of complexity, integration problems, and attack surface. The software coding quality and security thrust is doing good work that is attempting to prevent the addition of more attack surface by educating coders. But without trustworthy execution environments, code must be nearly perfect. I don’t think we’re there yet.
With all of that, I usually have to ask …,
is national security a natural byproduct of making money…?
The economics of infosec helps one realize that profit taking has been a perverse incentive to addressing the root cause of insecurity and low assurance.
Do these bite marks make my butt look big?
So it seems that the notion of actually fixing the root problem of cyber security was rejected or ignored at various levels, – a few decades ago. It might have been folks who somehow benefited from the status quo, lizard brained people who didn’t want to deal with hard problems, people in charge lacking vision, or leadership skills, or even certain parties in government who purportedly want to keep us all vulnerable, to retain the capability to spy on adversaries. It was likely some combination of the above, and more, but whatever the reason, doesn’t it seem that the result of inaction is now biting us right on our collective butts?
Could governments have used it’s buying power to force the issue of proper information security standards 20 years ago? You would think so. A lot of work could have been done in the last 20 years if the will to do it had been there. Now the critical infrastructure is under siege, APT are raking up trade secrets and intellectual property, other foreign nation states are up to no good and all kinds of businesses are being victimized by cyber crime attacks and ransomware. Anything connected to the internet is probably hackable, including millions of IoT devices now being harvested to attack others.
If a good swath of SMBs go under from cyber attacks, you don’t think the economy will feel an impact? Isn’t that included in national security too? It’s not just about the Fortune 500 and government. Everyone’s being targeted.
The What-If Question?
What would cyber security protection look like today if decades ago, the powers-that-be, had heeded the warnings of some very smart people and actually set out to fix the actual problem?
If what we have today, is having to dodge bullets, which seem to be coming at us faster and in greater number, would having trustworthy and inherently secure systems be like being able to stop bullets?
If you think that going forward it’s going to be business as usual, I hope you are as good at dodging bullets as Neo here is.
So which would you prefer? Dodging bullets, or stopping bullets?
The NIST 800-160 standard has recently called for better systems security engineering and design for trustworthy systems in order to be able to defend all business, personal and government interests, and to prevent unauthorized tampering with embedded and computerized devices. This is part of the “verifiable protection” that Roger Schell called for, and which is now needed, more than ever. There is some confusion between trusted computing and trustworthy computing as the terms are often used interchangeably.
“The National Security Agency (NSA) defines a trusted system or component as one “whose failure can break the security policy”, and a trustworthy system or component as one ‘that will not fail’ ”
How do trustworthy systems translate into defender advantage? They deliver trustworthy execution environments that disconnect threats from exploitable vulnerabilities. They deliver protection without patching, – inherent system security. This is what all things from enterprise nodes to embedded IoT devices requires, the ability to prevent unauthorized tampering with system controls and operational rules regarding user privilege and data access.
Stopping bullets has never been so easy!
KSE by Trustifier is a security sub-system that delivers trustworthy computing defensive capability to COTS systems, and includes the labelled, multi-level security (MLS) that Roger Schell prescribed to protect against subversion. The previous barriers to adoption of high security and high assurance, – complexity and administrative overhead have been greatly reduced. The use of algebraic modelling and formal methods delivers that needed “verifiable protection“!
Even better news, is Trustifier’s TUX AI and NLP interface will be used to automate and orchestrate both security operations and continuous compliance solutions. This means several problems will be addressed: the existing low levels of system security/assurance are greatly improved; the shortage of affordable cyber expertise to help SMBs as well as the enterprise is reduced; the cost of defending is lowered and the bar is raised for attackers.
Added: Economics of infosec
Perverse incentives such as (profit taking) lead to insecurity
Is thinking economic incentives can compensate for markets for lemons and broken infosec models that just can’t work, ever, a special kind of niavity? You judge.