Among the many lessons to be drawn from the events of the last year--the SolarWinds breach, the ever-expanding ransomware epidemic, continued supply chain attacks--is the need for more resilient systems, from commodity IoT devices up through the most complex enterprise and critical infrastructure networks. Given the range of extant threats, resilience has become one of the more important properties any connected system can have,
But resilience isn’t just something that engineers can add to a system, it’s the result of thoughtful design that considers the threats the system may face. That requires careful consideration and knowledge of the threat landscape, which is constantly shifting and evolving as attackers respond to improvements in defenses. But for defenders to regain some of the momentum that’s ebbed away of late, resilient software and hardware will be vital, but so will a resilient ecosystem that doesn’t rely on a small number of dominant devices or applications to survive.
“If we’re going to think about resilience, we need to think about more decentralization,” Carmela Troncoso, an assistant professor at EPFL in Switzerland said during the cryptographers’ panel at the RSA Conference Monday.
While most enterprises have apps from any number of different suppliers, there are a relatively small number of vendors that control a large fraction of the market in their respective segments. Those choke points are highly valuable targets for adversaries who are interested in finding their way into not just one network, but dozens or hundreds of them in one go. The SolarWinds intrusion showed clearly how effective and devastating this tactic can be, and other supply-chain attacks that followed have driven the point home even further.
“Cryptographers are actually pretty terrible at designing resilient systems."
“The SolarWinds hack was a very useful reminder to us all. The average IT shop has dozens or hundreds of suppliers, but there are just a few big ones. SolarWinds is a mature company that has become something of a monopoly in its market,” said Ross Anderson, professor of security engineering at Cambridge University and Edinburgh University.
“What happens if something like Signal breaks or is broken by a government? We don’t know. If we had a catastrophic failure of PKI, it wouldn't be the end of the world, but it would be an interesting year or two while everything is upgraded.”
The adversary that compromised SolarWinds understood that the company’s Orion platform is deployed in tens of thousands of enterprises, so compromising a build server and inserting a backdoor into an update had ripple effects far beyond the damage to SolarWinds the company. Federal agencies, large enterprises, and other technology vendors were affected, and not in trivial ways. The recovery process is still ongoing, six months after the attack was initially discovered, and the incident has helped galvanize the White House into taking action on software security and supply chain security.
"Software security is an area of particular concern. Coding securely takes work, but we can take pride in that work. We all know these practices aren't used everywhere," Anne Neuberger, deupty assistant to the president and deputy National Security Advisor for cyber and emerging technology, said Tuesday during her keynote at RSA Conference.
Today there’s no way to gauge that. We don’t have insight into what software is developed securely and what’s not. We're unable to factor them into our buying decuisions. The level of visibility we need is built on the trust we need and that’s based on the consequences if a system fails.
The idea of resilience also applies to the security components of the software that underpins the global network, and cryptosystems could use some attention in that area, as well.
“Cryptographers are actually pretty terrible at designing resilient systems. We have ideas for it, but the idea of rekeying and reauthenticating everyone in the case of a secret is not one we’ve looked at very much. The systems we’ve designed tend to be pretty brittle,” said Ron Rivest, a professor at the Massachusetts Institute of Technology and one of the designers of the RSA cryptosystem.