Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Adam Shostack
Adam Shostack
Connect Directly
E-Mail vvv

Making the Case for a Cybersecurity Moon Shot

There are severe and unsolved problems in our industry that justify a sustained effort and substantial investment. It's worth picking one.

There's been a lot of talk lately of a cybersecurity moon shot. Unfortunately, the model seems to be the war on cancer, not the Apollo program. Both are worthwhile, but they are meaningfully different.

Allow me to start with a line from a speech by President Kennedy on May 25, 1961. Odds are you've heard these words:

… This nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish.

That's what a moon shot is: a clear, measurable milestone with reasons for doing it and challenges to overcome. And so the image to recall is not the iconic first footstep, but this:

Unlike JFK's moonshot, explained Grant Schneider, federal CISO, at the recent 9th Annual Billington Cybersecurity Summit, "there isn’t going to be an instant where we say we've achieved success in cybersecurity. We're not blasting anyone into cyberspace." Instead, Jeannette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, put forth a different vision:

Within 10 years, I'd like to see a true fundamental shift in how the Internet is operated in. I'd like to be in a place where we have move passed the "whack-a-mole" approach to cybersecurity incidents.

This is not the way to put a woman on the moon and return her safely to earth. But getting away from whack-a-mole is certainly a worthwhile goal for cybersecurity.

Defining a Moon-Shot Goal for Cybersecurity
The Apollo missions did not do everything that space exploration enthusiasts wanted. We did not establish a permanent presence outside the atmosphere, even if you count the International Space Station. (It makes no claim to being self-sustaining.) It's been 46 years since a person went to the moon. No one has been to Mars. Of the many goals expressed by the engineers and visionaries, we executed on one. 

On the other hand, we can and should define moon-shot goals for cybersecurity. My goal is to define game-changers, with objectives that are imaginable and with the criteria:

  • No single project will be more impressive or impactful.
  • No single project will be more important for our long-term ability to operate a resilient cyberspace.
  • The result thus justifies the effort and expense.

Some possibilities:

  • Payloads attached to email will not result in an attacker's code running on a computer, or the compromise of credentials needed to log in to it. (That is, phishing, either with a URL, an executable attachment, or an exploit-bearing attachment, will fail. We have many of the parts, such as execution whitelists, anti-execution mitigations, password managers, and MFA, but we rarely deploy them all in an integrated, usable package.)
  • Red teams given execution access to a standard desktop cannot move laterally without setting off alarms that are not lost because the SOC is a sea of tranquility.
  • Investigators digging into a compromise six months after it's started can enumerate 90% of the actions taken by a red team.

These goals do not solve every problem in security any more than the moon shot solved every problem on earth, or even within the exploration of space.

My success criteria could be usefully refined, but such refinement distracts from the importance of setting and reaching for a moon-shot-style goal. The goal need not be that every computer has these properties, but it would be useful to achieve them with the most-deployed desktop configuration in the federal government. We need criteria about usability. We need to stop complaining about people, and give people technologies that allow them to safely do their jobs. We need to ensure that if a red team is part of the criteria, the goal is not made meaningless by rules placed on their work.

Focusing our attention on a moon shot can be a powerful technique. There are severe and unsolved problems in our field that may be solvable with the right attention. It is worth picking one.

What other goals are worthy of the name "moon shot"?  Share your thoughts in the comments.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
2/26/2019 | 7:36:41 PM
Re: A network that understands hardness
Sure - how about:

Abandon the "permitted by default" network model.  Endpoints must prove to networks that they are ready to be exposed to anything beyond their immediate neighborhood.  Moderate access requires only basic proof of hygeine, while a new Internet-facing web server (or container) must demonstrate being hardened and ready before the flood gates are opened.
User Rank: Apprentice
2/26/2019 | 6:58:42 PM
Re: A network that understands hardness
I think I see where you're going -- can you rewrite it as a moonshot goal?
User Rank: Author
2/25/2019 | 8:43:26 PM
Re: A network that understands hardness
Right - there is a big distinction between general purpose endpoints and special purpose "things".  Laptops get patched regularly, and have decent internal firewalls.  That said, the market for network firewalls has not gone away - it's interesting to look at reasons why. 

Laptops are great and all, but they aren't where most of the value resides.  Data centers are fragile in one way - huge uptime pressure, and an unwillingness to patch.  IoT devices are fragile in a completely different way - they lack a decent patching infrastructure, and are generally designed to a pricepoint, not about flexible response to a changing security landscape.

My response to your moonshot question comes from a point of view that "between" still matters.  Security tech is either placed on endpoints, or between them.  The endpoint security products face challenges (too many agents, not to mention endpoints that aren't built to accomodate agents - does your fridge?).  That's why there is still a large challenge space around "between" controls.  It's the old debate - shiould the network just be dumb pipes, or should it provide intelligent services and controls?

I'm suggesting a moonshot for a network that can enforce intelligent controls *between* endpoints as the way forward.  This is a moonshot because today, endpoints do not have to play along, or follow any hygeine standards, or register what kind of object they are.  We've stacked up some ways to lock down laptops, and messed around with MDM, but what about all the things that are neither?
User Rank: Apprentice
2/25/2019 | 6:09:50 PM
Re: A network that understands hardness
Hi thanks Mike!


Is this still a problem? I was under the impression that most mainstream systems were fairly firewalled these days, but perhaps I'm thinking more of desktops and less of IoT?


User Rank: Author
2/20/2019 | 2:39:43 PM
A network that understands hardness
Nice question, Adam.  How about a project to ensure a machine directly exposed to the Internet does not immediately succumb to all the known "background radiation" out there? 

There are a range of possible implementations (proactive vs reactive hardening).  But similar to your goal of "email payloads should never be detonated", I'm thinking "maintain a living battery of tests that must pass as basic hygeine before a machine can be exposed widely".  It's not NAC - it's more like the inverse.  NAC says you can't even access a local network unless you're "clean" to a specified level.  This project flips that, to say the level of hardening required depends on breadth of exposure to others.

The moonshot aspect of this is to teach the network (where access policy is enforced) about the quality or hardness of each endpoint.  In an IoT future, this may be essential - consumer IoT is too weak to be treated like other endpoints.
User Rank: Strategist
2/19/2019 | 4:31:31 PM
Getting Microsoft to log at least as much as Sysmon and to start better protecting those logs so they cant be easily deleted, or if they can, can also be easily recovered.  I shouldnt have to install a third party app, or any app, just to get detailed logs monitoring process hashes and who started what from what program, or any of the other things that advanced logging applications log.  It is an MS operating system and it should log everything that is done on it, period.  
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-26
IBM Spectrum Scale 5.0.0 through and 5.1.0 could allow a local user to poison log files which could impact support and development efforts. IBM X-Force ID: 190971.
PUBLISHED: 2021-01-26
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...