Perhaps the best thing that the Internet has to offer is the thing that it was built to provide: interconnectedness. People around the world can collaborate, share knowledge and experiences, and access resources at any time. That may also be the worst thing it has to offer. Any and everything that can be connected to the network has been, and the interdependencies that situation brings with it are raising a new set of threats and weaknesses that defenders are having a hard time grappling with.
The string of supply chain attacks against companies such as SolarWinds, Kaseya, Colonial Pipeline, and others in the last 18 months have brought the issue of interdependence into the light, but it’s one that network operators, security teams, and developers have been dealing with for decades. Every piece of modern software relies on dozens of other libraries and other apps, and a bug in one of them can have ripple effects that go on for months or years.
“As a former CISO, one of the problems that I ran into frequently was trying to identify all of the technologies in my organization and what other technologies those technologies rely on, and so on,” Window Snyder, CEO of Thistle Technologies, said during a panel at the Aspen Cyber Summit Wednesday.
“We have widespread interdependencies as an industry.”
Those interdependencies have been exposed as a weak spot for the companies that produce hardware and software, as well as the organizations that consume those products and services. And the problem grows larger each day, as more specialized devices are connected to the Internet, and cars, appliances, and furniture are stuffed with computers, many of which have little in the way of security controls or safeguards built in. The past 20 years have seen a major shift in the way that software makers treat security, with the rise of software development lifecycle programs, the adoption of secure coding practices, and a better understanding of how software breaks. But that has not necessarily trickled down to the IoT ecosystem, where the emphasis is generally on speed to market and ease-of-use rather than security and reliability.
“We’re moving into a place where it’s not about turf or territory or tribalism. It’s about cooperation."
That ocean of IoT devices represents a prime opportunity for attackers looking for soft spots on networks, especially given that many of those devices may never receive security updates or patches for known flaws.
“Now you have the device space and it’s growing in complexity, and you try to reduce complexity in these devices so you try to pare them down to just the critical functions. A lot of them don’t have privilege separation or any security controls. You end up with a device that has all of the opportunities that a general purpose device has that’s sitting on the network and you didn’t do any of the security work on them that we’ve been doing for the last twenty years,” Snyder said.
“How do we get to the point where these devices have the same capabilities? It’s a challenge and a huge opportunity for the attackers. That’s the huge hairy monster under the bed for me.”
The fragile nature of the global network is nothing new, and it’s something that private and government security specialists have been aware of and defending against for decades. But neither the government nor the private sector can handle the task of addressing the systemic flaws and weaknesses of the network on its own. Collaboration is a must on that front.
“We’re moving into a place where it’s not about turf or territory or tribalism. It’s about cooperation. It’s pretty clear that what we need to do is leverage the talents across the federal government and the private sector,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency.
“System risk is inherently a multi-stakeholder problem where you can’t manage it by yourself. It’s not up to one organization and it requires a lot of cooperation to tackle this type of problem It’s a fundamentally adversarial problem,” said Jonathan Welburn, operational researcher at RAND Corportation.