“They built machines that they can’t control and buried the waste in a great big hole.” -- Sting, “We Work The Black Seam Together”
The great challenge in showing what’s wrong with Internet security has always been finding something new to complain about, rather than rehashing problems that are five to ten years old and remain unfixed. I’m talking about systemic problems like IP packet-level forgery (spoofed source addresses), which lets lightly invested attackers launch attacks that heavily invested defenders have to take seriously, or any of the other myriad ways in which the Internet’s humble academic origins, and its attendant lack of admission control, are making the world’s connected economy less resilient than at any time in recorded human history.
The new great challenge in trying to sum up the most dangerous weaknesses in the world’s connected economy is that the hits just keep on coming: every day some new headline-grabbing example of lost money, lost information, or lost privacy seems to say, “don’t be too proud of the list of high-profile attacks and vulnerabilities you’ve compiled, because by next week it will look dated and naïve.” Yes, things are moving that fast.
Let’s talk about Sony Pictures Entertainment (SPE), which has all the makings of this month’s worst attack of all time (though wait for next month’s headlines before deciding with certainty). The FBI now reports high confidence that the attack was sponsored or directed by a nation-state, news that sits prominently alongside the U.S. indictment earlier this year of several officers of another nation-state’s army for attacks against commercial infrastructure in the USA. How should the commercial security industry, or the risk management industry, position itself against nation-state attacks, which in the pre-Internet era would have been the military-industrial complex’s problem?
By all published accounts, the team that invaded SPE had nearly complete access for a period of months; one does not simply exfiltrate several terabytes of data in a single day. To those who ask how SPE could not have known this was going on, I offer this challenge: what test do you run daily or hourly that gives you any confidence that your own company’s large and heterogeneous digital infrastructure has not also been invaded?
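One concrete answer to that challenge is a check you can actually run every day: compare each host’s outbound byte count against its own recent history, and also against an absolute budget, because a host that has been leaking steadily for months has a “normal” that already includes the leak. The following Python is an added example, not code from the original column or from Farsight Security; the host addresses, thresholds and the per-host daily byte counts are constructed for illustration, and in practice the counts would come from your flow collector, proxy or firewall logs.

```python
"""Daily egress check: flag hosts whose outbound volume looks like exfiltration.

Added example with constructed data; not from the original column.
"""
from collections import defaultdict
from statistics import median

GB = 10**9


def make_flows():
    """Constructed (day, internal_host, bytes_out) records; not real traffic.

    10.1.1.10 is an ordinary workstation, 10.1.1.20 is quiet until a 40 GB
    burst on day 10, and 10.1.1.30 has been pushing 25 GB out every day.
    """
    flows = []
    for day in range(1, 11):
        flows.append((day, "10.1.1.10", 2 * GB))
        flows.append((day, "10.1.1.20", 40 * GB if day == 10 else GB // 2))
        flows.append((day, "10.1.1.30", 25 * GB))
    return flows


def daily_totals(flows):
    """Sum bytes out per host per day -> {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_egress(flows, today, baseline_days=7, spike_factor=5.0,
                window_days=3, window_budget=60 * GB):
    """Return {host: [reasons]} for hosts whose egress looks wrong on `today`.

    Two independent tests, because each misses what the other catches:
    - "spike": today's bytes exceed spike_factor x the host's own median over
      the previous baseline_days. Catches a sudden bulk pull.
    - "sustained": bytes over the last window_days exceed an absolute budget.
      Catches a host that has leaked for so long that the leak is already in
      its baseline, which the ratio test cannot see. The budget is an assumed
      value and must be tuned per host class (backup servers differ from desks).
    """
    flagged = defaultdict(list)
    for host, per_day in daily_totals(flows).items():
        today_bytes = per_day.get(today, 0)
        history = [per_day.get(d, 0) for d in range(today - baseline_days, today)]
        history = [b for b in history if b > 0]  # skip days with no records
        if history and today_bytes > spike_factor * median(history):
            flagged[host].append("spike")
        recent = sum(per_day.get(d, 0)
                     for d in range(today - window_days + 1, today + 1))
        if recent > window_budget:
            flagged[host].append("sustained")
    return dict(flagged)


if __name__ == "__main__":
    for host, reasons in sorted(flag_egress(make_flows(), today=10).items()):
        print(f"{host}: {', '.join(reasons)}")
```

Run against the constructed data, the burst host is caught by the ratio test and the steady leaker only by the absolute budget; a host that looks like 10.1.1.30 is exactly the one a “what changed today?” dashboard never shows you.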
One of the most chilling subplots of the SPE story is that an executive whose files were compromised had brought a personal laptop to SPE that still held sensitive data (letters offering employment) from her previous job. Once that personal laptop was enrolled in the corporate backup system, its contents were an easy target for SPE’s invaders. Evidently both the executive’s former employer and SPE itself needed a much stricter Bring Your Own Device (BYOD) policy: the former employer’s data should never have left on a personal device, and that device should never have joined SPE’s backups still carrying it.
Economic progress involves the creation of new wealth, which in turn requires investment, which in turn requires a stable investment climate. The Internet has historically offered that kind of stability, and so has the technology industry in general. No doubt many investors and entrepreneurs view the now endless-seeming wave of headline-grabbing attacks on connected infrastructure as an opportunity to develop new products and services that profit by defense, but any reader of the Full Disclosure or BugTraq mailing lists can tell you that defense technology is not an unalloyed good: it adds logic and complexity to a system that is already not understood, and it puts that added logic in the most critical possible path, where its own bugs become the attacker’s way in.
Cause for hope would have to come in the form of new thinking, radically different from the thinking that brought about our current circumstances. My contribution is a company (Farsight Security) whose goal is to increase understanding of complex connected digital systems by increasing observability. My customers sometimes complain that I’m trying to sell them a shovel when what they want to buy is a hole. Now you know why I take the business risk of trying to make my customers stronger, more aware, more independent, and more autonomous. Security does not come in a box. It’s a way of thinking.