Saturday, June 20, 2015

The Cumulative Effect of Victory in Cyberwarfare


I have to first start by stating that cyberwarfare is one of those terms that tends to evoke mixed emotions from those who see or hear the word.  There are those who roll their eyes and accuse anyone who mentions it of fear-mongering, insanity, and everything short of bad breath and body odor (and perhaps there are some accused of those as well).  Others pause and listen, and still others (and a growing number at that) shake their heads and say "Yup, it is real."

The recent exposure of the hack of the US OPM records serves as a clear indication to some (if not most) that, whatever you want to call it, there exists at least one person or organization out there brazen enough to take a shot at our Federal Government and walk out with whatever he, she, or they deem interesting (in this case many millions of Federal employee sensitive records).  This was announced while the US was still reeling from the IRS records hack announced a few weeks earlier, which was announced a few weeks after we learned of a cyber attack on the White House, and, as many of my cybersecurity oriented colleagues like to point out to me, there are a few more peppered in between.

You can call this whatever you want, but I am going to go with Cyberwarfare.

So what concerns be about warfare in general is that if you are not on the side of victorious party, you are indeed a victim, and are forced to react in a situation where the victor has gained enough intelligence and purchase to send you reeling into a temporary abyss of confusion.  A determined warrior uses this moment to mount his next attack, provided he feels confident enough in his abilities to succeed.  A good way to come to this determination is to start with smaller attacks, and determine how successful they are over time.  A really clever way to prevail in the next battle is to ease up a bit, hoping that the target lets their guards down a bit, and then come in for the next big kill.  If that proves successful, it is a good time to turn up the heat and take full control.

That, dear reader, is what I fear we are now facing in the US, and perhaps the rest of the free world.  I have been working in security research for many years now, and I do not see anything that resembles progress commensurate with the mounting threats.  I have had the pleasure of spending many days visiting multiple factions of our Federal government tasked with addressing cybersecurity (as in the term is in their job title) who are completely dumbfounded when I show them vulnerability data (not theory, actual data) about products they are using in government facilities.  I am rather stunned to discover that the vast majority of our nation's cybersecurity government task force is unaware of the fact that we have a National Vulnerability Database that contains over 70,000 entries as of 2015, and had to change the numbering system from the 4 digit format in 2013 to allow for more than 9,999 entries per year.   

Moreover when I point out to government officials that these known vulnerabilities are not only accumulating in the products they use in their networks at an alarming rate, but are also being delivered in the software they are receiving that accompanies the brand new shrink-wrapped systems they are currently deploying, their mouths hang open in disbelief.  When I explain that the current system we have in place simply does not require any product manufacturer to assume any liability for security issues in the products they market EVEN IF THEY KNOWINGLY MARKET THEM WITH KNOWN VULNERABILTIES they simply do not believe me, until I ask the room full of lawyers I am addressing if they can cite a single case where a networking equipment or software manufacturer has ever been held liable for a cyber attack that occurred due to an unpatched cyber vulnerability.

This, dear reader, is basics.  Cyber researchers know this.  After decades of attempting to address these issues, we still live in a world where our government lacks basic awareness at the highest levels, and are still convinced that software companies are going to voluntarily agree to pick up the slack just because an executive order tells them to "pretty please" do so.

In the meantime, the attacks continue to come in, and the victories are becoming bigger, and more frequent.  The victim is steadily becoming demoralized, and the victor has all the tools he needs to keep bringing home the wins.  Moreover, he is far more aware of the vulnerability landscape than the victim is, and the victim remains apathetically confident that volunteerism and collaboration will somehow prevail.

Let me know how that works out.


1 comment:

Dan Perrin said...

Victory in cyber warfare encourages more attacks

Victory in cyber warfare does not discourage attacks.