C.R.E.A.M. IoT Edition

I didn’t get to see the discussion between Justine Bone and Chris Wysopal about the former’s approach to monetizing vulnerabilities. If you’re not familiar with the approach, or the “Muddy Waters” episode, take a minute to brush up, I’ll wait….

OK, so if you’re in one computer security sub-community the first words out of your mouth are probably something along the lines of: “what a bunch of money-grubbing parasites.” If you knew anyone associated with this event you’ve probably stop talking to them. You’d certainly start talking shit about them. This is supposed to be about security, not profiteering.

If you’re in a different sub-community you’re probably thinking something along the lines of, “what a bunch of money-grubbing parasites,” only for different reasons. You’re not naive enough to think that a giant company will drop everything to fix the buffer overflow you discovered last week. Even if they did, because it’s a couple of lines in a couple of million lines of code, a fix isn’t necessarily imminent. Publicity linked to responsible disclosure is a more passive way of telling the world: “We are open for business” because it’s about security, but it’s also about paying the mortgage.

If you’re in yet another sub-community you’re probably wondering why you didn’t think of it yourself, and are fingering your Rolodex to find a firm to team up with. Not because mortgages or yachts don’t pay for themselves, but because you realize that the only way to get some companies to give a shit is to hit them where it hurts: in the wallet.

The idea that vulnerability disclosure, in any of its flavors, is having a sufficiently powerful impact on computer security is not zero, but its not registering on a scale that matters. Bug bounty programs are all the rage, and they have great utility, but it will take time before the global pwns/minute ratio changes in any meaningful fashion.

Arguing about the utility of your preferred disclosure policy misses the most significant point about vulnerabilities: the people who created them don’t care unless it costs them money. For publicly traded companies, pwnage does impact the stock price: for maybe a fiscal quarter. Just about every company that’s suffered an epic breach sees their stock price at or higher than it was pre-breach just a year later. Shorting a company’s stock before dropping the mic on one vulnerability is a novelty: it’s a material event if you can do it fiscal quarter after fiscal quarter.

We can go round and round about what’s going to drive improvements in computer security writ large, but when you boil it down it’s really only about one of and/or two things: money and bodies. This particular approach to monetizing vulnerabilities tackles both.

We will begin to see significant improvements in computer security when a sufficient number of people die in a sufficiently short period of time due to computer security issues. At a minimum we’ll see legislative action, which will be designed to drive improvements. Do you know how many people had to die before seatbelts in cars became mandatory? You don’t want to know.

When the cost of making insecure devices exceeds the profits they generate, we’ll see improvements. At a minimum we’ll see bug bounty programs, which is one piece of the puzzle of making actually, or at least reasonably secure devices. Do you know how hard it is to write secure code? You don’t want to know.

If you’re someone with a vulnerable medical device implanted in them you’re probably thinking something along the lines of, “who the **** do you think you are, telling people how to kill me?” Yeah, there is that. But as has been pointed out in numerous interviews, who is more wrong: the person who points out the vulnerability (without PoC) or the company that knowingly let’s people walk around with potentially fatally flawed devices in their bodies? Maybe two wrongs don’t make a right, but as is so often the case in security, you have to choose between the least terrible option.

Cyber Responsibility: The Trickle-Down Effect

There was a time when cyber security was the sole responsibility of IT, but those days are long gone. Today’s executives know better than to presume themselves and their enterprises immune from a cyberattack, which is why staying safe online requires more than an old “do as I say” mentality. A pair of Cisco leaders, CEO John Chambers and SVP and Chief Security and Trust Officer John N. Stewart place the responsibility squarely on the leadership’s shoulders. “The CEO must make it clear that security is not just an IT problem—it is a priority for the business that is top of mind. Business and technology leadership must work together to discuss potential risks and find solutions that protect intellectual property and financials alike.” (CIO)

Toujours en Avant. I just made this very same argument recently to a room full of CxOs and board members, to varying levels of agreement. You’re never going to convince someone who has had the ‘lead from the front’ mantra drilled into his psyche that there is any other approach, but then in business circles not everyone at echelons-above feels the same way. Regardless of your leadership style remember one thing: people will focus on whatever they are rated on or compensated for. If cyber security is not something that impacts their personal bottom line, they won’t do it regardless of what you say or do.

Business Does Not Care About Your Chinese Cyber Problem

If you have spent more than ten minutes tracking cyber security issues in this country you know that if there is a Snidely Whiplash in this business it’s the Chinese. If it’s not the government its “patriotic hackers,” or some variation on those themes. The argument over “APT” rages on (is it a ‘who?’ Is it a ‘what?’) and while not clearly labeled “Chinese” we now have “adversaries” to worry about.

Setting aside issues related to the veracity of such claims, let me just state unequivocally: No one cares.

If you are a regular reader you know me and my background (if you don’t here is a snapshot), so you know that I know the scope and scale of the problem and that I’m not talking about this issue in a state-on-state context. My problem is that too many people are trying to extend that context into areas it is ill-suited. In doing so they are not actually improving security. They may in fact be perpetuating the problem.

Rarely do you talk to someone at the C-level – someone who has profits and Wall Street and the Board on his mind – who gives a shit about who his adversary is or what their motivations are. The occasional former military officer-turned-executive will have a flash of patriotic fervor, but then the General Counsel steps up and the flag would be furled. In the end the course of action they all approve is designed to make the pain go away: get the evil out of the network, get the hosts back online, and get everyone back to work. I haven’t talked to every executive about this issue, so your mileage may vary, but one only need read up on the hack-and-decline of Nortel understand what the most common reaction to “someone is intentionally focused on stealing our ideas,” is in the C-suites of American corporations.

This is not a new problem. You have never, ironically, heard of d’Entrecolles. American industrial might wasn’t a home-grown effort: we did the same thing to our cousins across the pond. Nortel is only a recent example of a worst-case industrial espionage scenario playing out. Ever heard of  Ellery Systems? Of course you haven’t.

IP theft is not a trivial issue, but any number of things can happen to a given piece of IP once it is stolen. The new owners may not be able to make full or even nominally effective use of the information; the purpose or product they apply the IP to has little or nothing to do with what the IP’s creators are using it for; the market the new owner is targeting isn’t open to or pursued by the US; or in the normal course of events, what made the IP valuable at the point of compromise might change making it useless or undesirable by the time its new owners bring it to market.

Companies that suffer the fate of Ellery and Nortel are notable because they are rare. Despite the fact that billions in IP is being siphoned off through the ‘Net, there is not a corresponding number of bankruptcies. That’s not a defense; merely a fat, juicy data point supporting the argument that if the fate of the company is not in imminent danger, no one is going to care that maybe, some day, when certain conditions are met, last week’s intrusion was the first domino to fall.

If you are honestly interested in abating the flow of IP out of this country, your most effective course of action should be to argue in a context that business will not only understand but be willing to execute.  Arguing Us vs. Them to people who are not in the actual warfighting business is a losing proposition. The days of industry re-orienting and throwing their weight behind a “war” effort are gone (unless you are selling to PMCs). “More security” generally comes at the expense of productivity, and that is a non-starter. Security done in a fashion that adds value – or at the very least does not serious impede the ability to make money – has the potential to be a winner.

I say ‘has the potential’ because to be honest you can’t count on business decision-makers caring about security no matter how compelling your argument. Top marks if remember the security company @Stake. Bonus points if you remember that they used to put out a magazine called Secure Business Quarterly that tried to argue the whole security-enabling-business thing. Did you notice I said “remember” and “used to?”

We have to resign ourselves to the very real possibility that there will never be an event so massive, so revealing, that security will be a peer to other factors in a business decision. While that’s great for job security, it also says a lot about what society values in the information age.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

Preparing for the “Wake Up Call”

Despite the emphasis placed on IT security in
recent years, federal agencies are not testing their security controls
with any consistency or timeliness, and as a result may not realize
their systems’ weaknesses, a new General Accounting Office report has found.

Chinese in the wire, AQ running loose online, laptops walking off, annual report cards consistantly in D and F territory and the 800 lb simian in the corner is the insider problem. NCW? IO? Land Warrior? Not if someone else owns the systems. The wake-up call has been made; we just keep hanging up.