This is not a CrowdStrike Post
A more secure cyberspace will only come about if technologists impact the tech, business, and policy stacks.
Years ago, when people started talking about the Internet being a ‘human right’ I scoffed. I’ve been to places where people were denied human rights. The idea that not being able to get online was oppression was hard to take seriously. Life off the network is just slower and more inconvenient. You know: the 1970s.
But that was a facile reaction to a deeper argument. The early promise of life online was a deluge of knowledge and subsequent enlightenment, not the dopamine drip it is today. In an information age and a knowledge-based economy, disconnectedness is effectively banishment to the underclass.
Computers provide wide utility to their users. That utility goes up once they’re connected to the ‘Net because the connection lets you reach even more computers, information and resources. More computing power, more connectivity, more better.
Right up until it isn’t.
As the events of July 19th highlight, even if you are the definition of low-tech, insecurity and error can turn your life upside down. The 80-something couple with paper boarding passes waiting in line with me at the airport couldn’t spell TikTok if you spotted them the consonants, but they were victims of a technological disaster nevertheless.
This most recent bricking of a good section of the world’s economy is just the latest event linked to errors, mistakes, and malice that have led to outages, delays, and disruptions. NotPetya, Dyn, AWS, SolarWinds, Akamai …we don’t really have the time to go through them all, but at the time they were all papered with hyperbole and we were assured that going forward, things would be different.
Aaaand here we are.
As this was being drafted, the head of the US Secret Service was becoming the ex-head of the US Secret Service because that’s what you do when you fail at the proverbial “you had one job.” The heads of every firm that ever blue-screened an economy were/are in no danger of losing their jobs. Culture is certainly a part of it, but more to the point it’s a safe bet that “security” is not a rated bullet on their evaluation form. Their respective boards demand economic results and so that’s what the CEO focuses on.
The lack of incentives to be more secure is a key factor in why, despite all the digital ink being spilt about what should happen to people and companies that trigger billions of dollars in losses and threaten the safety of millions, nothing will happen. The market doesn’t reward CrowdStrike or Carbon Black for securing more endpoints; it rewards them for increasing revenue.
“Aren’t they the same thing?”
No, they are not.
“Aren’t security companies in the security business?”
Nobody is in the cybersecurity business, not even cybersecurity companies, they’re just in business.
Security is only a paramount, binary condition, in certain government and military circles. Everywhere else people have to get shit done. Things have to be “secure enough” which is something that is determined by what’s being done, the threat environment, various known risks, and so on. This, quite naturally, irritates the living daylights out of a large subset of the security community. Generally, people who don’t have to concern themselves with issues greater than those that exist within the IDE or Ghidra and who have never had their asses handed to them in a senior staff meeting where they were told in no uncertain terms to STFU and color because the big boys are making money.
As I’ve pointed out before: we learn from death. Cybersecurity becomes a true national priority for about 10 minutes when the pile of bodies grows large enough in a short enough period of time. Think 9/11. Of course enough time goes by and people forget, and people (and regulators) get lax, and all of a sudden previously very safe things become dangerous AF.
“What about CISA? What about Cyber Command? What about…?”
What about them?
Do you know what we had before Cyber Command? The JTF-CND. That was the late 90s. Were you even cybering then, bro? Before there was CISA there were “Cyber Czars.” We had so many in so short a time people can’t even remember who they were or that they existed at all. Risks Digest, ever heard of it? Only if you were introduced to security in the 1980s.
There is nothing new under the digital sun. We stopped discovering truly novel things a generation ago (maybe longer). Most of what we’ve dealt with since then are just variations on a theme. Anti-virus, network monitoring, endpoint monitoring . . . they’re still things because the problems still exist. If we were doing it right, shouldn’t we have made at least one problem obsolete? In the immortal words of the unintentional OG of cybersecurity Cliff Stoll:
“The first time you do something it’s science. The second time you do it it’s engineering. The third time you do it you’re just a technician.”
You didn’t think all that training and education and all those certs would find you in an endless doom loop doing blue collar work, did you?
I wouldn’t still be doing this stuff if I didn’t think there was hope for the future, but I’m not sure most folks are going to like what I think is the cure.
It starts with broadening your horizons. If you’re a reverse engineer and you envision yourself doing that job forever that’s cool. I still don’t know what I want to be when I grow up. But understand that “security” is so much more than any one job. Everyone thinks they’re the ones who are doing real security work. Bone up on other disciplines. Crosstrain. Hang out with Legal, Finance, anyone but other security people and I guarantee you’ll come away with a much greater appreciation for the scale of the issues and why “if they just did X” is rarely the answer to any problem.
Being technical isn’t enough if you want to make an impact. I mean, doing a technical thing that has an impact can happen, it’s just rare and usually short lived. Major changes in security mean understanding policy: how it’s made, and how to influence those who make it. “A series of tubes” is funny because it’s imprecise, but someone had to get a guy who probably had his secretary print out emails so he could write responses in felt tip pen in the margins to understand how bits flow, and that’s what the old man grokked. How is someone like that – or a Congress full of them – going to understand things at the RFC level? They’re not. Something as simple as better analogies can make a huge difference. Most solutions fall apart because there is too much abstraction between how the Internet works and how policy is crafted.
To have an impact you need to build and work at the right level. If your solution doesn’t scale globally, you’re doing it wrong. If it doesn’t function at the lowest possible level of technology, you’re doing it wrong. If it is something that has to be put on after shipping, you’re doing it wrong. Keep iterating until you come up with a way to do it right, or be comfortable being “just another…”
Work in a non-technical or old-tech industry. America is on a reshoring surge. People who bend metal for a living have a complicated and varied relationship with computers and technology. For every wired CNC shop there is a shop where 10 guys who are about to get their AARP cards are rocking metal lathes old school analog style, and f’ computers. They are not going to adopt your elegant code. Hell, they’re not going to upgrade from Windows 95. Fighting for budget for EDR isn’t hard; securing the analog world is hard.
We’ve always had the opportunity to work this way, but we rarely do. It’s hard, unglamorous and who wants to work that hard when there is stunt hacking and Con fame to be had? Politicians and other flavors of wonks aren’t going to produce a solution that isn’t riddled with unintended consequences and tailored to work for those who fund PACs. Cthulhu forbid “the big one” actually come and we get TSA-for-the-Internet forced upon us. No? The likelihood of someone repeating 9/11 is much closer to 0 than 1, but how was your last airport experience, eh? Is that what you want your life to be like every.time.you.log.in?