Winning the cyber endgame and the ultimate vulnerability
Information security has developed from a dataroom topic into a strategic boardroom topic. Security leaders should understand these changes and adjust their behaviour accordingly. The urgency of this is growing because of the increasing IT intensity of our societies and the misuse of IT weaknesses by nation states. I want to thank Petra Oldengarm of Cyberveilig Nederland and prof. dr. Bibi van den Berg (Leiden University) for the inspiring conversations, feedback and help in writing this blog.
Cyberspace as the fifth domain of war
The geopolitical situation of the last two years has amplified the cyber threat landscape. It is clear that geopolitical tension, conflicts and wars translate into cyberattacks that use the disruption of societies and economies as an offensive weapon. Next to land, air, sea and space, cyberspace has become the fifth domain of war.
Earlier, I wrote the blog “Cyberspace: a new buffer zone and the rise of the CISO politicus”. In that blog I discussed the impact of geopolitical conflict on the way cyberspace should be secured and governed. In particular, I argued that security leaders should include the following factors in their decision-making calculus:
- geopolitical motivations of threat actors,
- awareness that private parties can become a target of choice, for example because they are the enforcement point of offensive or defensive manoeuvres of state actors,
- the weaponisation of cyberspace itself and its protocols.
This is still true. Security leaders should do these things to manage the current threat. In this blog I delve deeper into the root cause of the cyber threat to argue that the real vulnerability is not in the software, but in the way we produce and consume software.
It is clear that the defense of cyberspace is vulnerable and weak. It is important to realise that the offensive moves we now see in cyberspace did not cause this weakness. The current geopolitical conflict did not weaken cyberspace or destroy cyber defenses. The aggressor simply takes advantage of existing weak spots in our infrastructures.
Clearly, once in conflict, defenders must make sure to counter attacks, but at the same time it is important to fix the root cause of conflict to avoid future wars. This is in particular urgent now as the weaknesses in our digital infrastructures are not only relevant in geopolitical conflict, but also in upholding values like safety, privacy, liberty and freedom in our societies in general.
Defending against attacks
When in conflict, defenders need a strong information position to make security decisions and plan defensive moves or counterattacks. Threat-intelligence sharing is a common practice in the information security community. At this moment, we see many initiatives that strengthen information sharing between private and public parties (like the Dutch CISO Circle of Trust, new and upcoming regulations in Europe, etc.). Also, people start to realise that the ecosystem of parties and companies surrounding your organisation is part of the attack surface and that your defence depends on the strength of that ecosystem. This is why we now see more attention to third-party risk management and value-chain risks. All these activities make sense and are necessary. But they are not sufficient, as they only address the exploitation of existing weaknesses.
Fixing problems
Next to defending, security leaders should also fix problems before they are exploited. This mostly involves patching vulnerabilities in software before they are misused. There is now a whole infrastructure that facilitates hunting for vulnerabilities, sharing the information and providing patches for mitigating the risks. Good examples are the Melissa initiative, the LDS (“landelijk dekkend stelsel”) of the Dutch government and the DIVD (Dutch Institute for Vulnerability Disclosure). Another example is the good practice of red teaming, whether on an organisation's own initiative, via regulation (like NIS2 and DORA) or via supervision (like TIBER and EU TIBER). All these activities make sense and are necessary. This strategy is indeed more proactive than “defending against attacks”, but it is not good enough and it will not win the race. The real problem is that all these vulnerabilities are out there, and more are produced every day at an increasing pace.
Removing the ultimate vulnerability
Where are all these vulnerabilities coming from? Why is the software, the very fabric that builds our digital societies, of such low quality? Instead of improving our ability to remove vulnerabilities, we should try to become better at not introducing vulnerabilities in the first place.
This is not easy. Creating secure software is difficult, costly and time-consuming. The increasing demand for software results in software development methodologies that are optimised for speed, productivity and time to market, but not for quality.
Building a software development pipeline that includes security-by-design takes time. And new methodologies are introduced often, which basically means security professionals have to start all over, because these methodologies never include security from the start. We are repeating the same mistakes again and again, driven by economic and market forces.
The lack of qualified IT and security skills adds to the problem. The adoption of new methodologies that increase the productivity of less qualified software engineers results in more and more low-quality software being built and put into production. The problem is growing.
The security of the resulting low-quality software is left to the ability of the end-user to patch in time or respond to cyber incidents.
This is not a scalable model and it is basically unfair. The problems of this weakness in our digital world have become existential and life threatening as more and more critical functions in our society depend on software. And geopolitical aggressors and others are targeting this weak spot.
We need to rethink how we distribute responsibilities across the IT development value chain. Software producers should have skin in the game and carry liability for selling secure products. The Cyber Resilience Act (CRA) of the EU is a good starting point. But for executives to be able to act on that liability, a strong and qualified IT and security workforce is required. And a system of rules, regulations and processes should be created to ensure that all players in the value chain both assume their responsibilities and have the means to do so. For example, most software producers do not even know their customers or users, so they have no way of warning their end-users directly of issues found. In the software industry, there is no duty of care or know-your-customer obligation like in the financial industry.
We need to invest in our IT and security workforce and make security a minimum requirement for software to be sold or used. And maybe lessons can be learned from how the financial sector is regulated in order to protect society at large.
Winning the endgame
To win the cyber race, we must improve our defence against attacks. And we must improve our ability to fix problems. This means that we must continue to do what we are trying to do: share information, share incidents and lessons learned, and improve our ability to discover weaknesses in time. Everything we do is necessary. But it is not enough. Without removing the ultimate vulnerability, we will not win the endgame and we will not create a sustainably secure future.
The ultimate vulnerability is not in the software itself. It is in the software production process and that process is being hacked all the time.
To fix this problem, we need to find a new balance between the cost and the quality of software. The free market is not solving this, and it requires action by governments to implement the right incentives in the value and supply chains, for example via regulation, to set minimum standards for any software being sold and minimum requirements for software consumers.
It requires a new balance between autonomy of software developers to make their own choices, and mandates for security professionals that need to step up and create systems that limit that solution space to secure solutions only.
It requires everyone in the IT value chain to be aware of that chain: consumers should be able to rely on a software bill of materials (SBOM), and producers should know their end-users and put in place mechanisms to protect them. And there are probably many other patches necessary.
And of course, we need to increase the level of personal risk for threat actors by increasing the activities and effectiveness of law enforcement.
Building a digital world that is sustainably secure is hard. Can we do it? To paraphrase Pippi Langkous: we have never done it before, so I think we can.
Indeed, being an optimist is the survival strategy of any CISO.