The start of every new year brings with it a promise to ourselves to follow a new path. This is an effort to avoid mistakes we know will lead to unsatisfactory outcomes. Sadly, cybersecurity suffers from the same problems we face in other aspects of our lives: the ease with which we adhere to poor decision-making or lapse into behaviors that we know are not good for us.
While it is true that the market for cybersecurity products and services has been growing, the problems are the same, the impacts are worse, and while we make progress in discrete areas, at a meta level we’ve effectively been standing still.
SANS publishes the Top 25 Software Errors and the Open Web Application Security Project (OWASP) publishes its Top 10 vulnerabilities list; the nature of the problems noted in both lists has remained disturbingly consistent over time. The Common Vulnerabilities and Exposures (CVE) list cannot keep up with the demand for its alphanumeric designators. In other words: there are so many problems that we cannot keep track of them.
How we got here
Allow me to disabuse you of the notion that any problem we are dealing with in cybersecurity today is new:
- In 1976 a book called Computer Capers documented this then-new and scary problem of computer crime. It addressed system vulnerabilities, theft of intellectual property and money, and insider threats.
- In the mid-1980s The Cuckoo’s Egg was a detailed account of how a telephone billing discrepancy led to the discovery of Soviet intelligence using German hackers to exploit U.S. government and affiliated computer systems.
- In 1998 a series of attacks on DOD computers was detected. The prevailing theory at the time was a preemptive move on the part of the Iraqi government. Ultimately three teenagers with no political-military motivations were identified as the perpetrators.
- In 2007 over 45 million credit and debit card details were lost in a data breach at TJX Companies. At the time it was the largest loss of such data. The biggest breach before that? 40 million records in 2005 at CardSystems Solutions.
Documenting the total number of computer security incidents that have occurred in just the U.S. would fill several volumes. I have given you some prominent examples to show that the same problems go back decades. Yet in 2011 the then-Deputy Commander of U.S. Cyber Command complained about the “…real dearth of doctrine and policy in the world of cyberspace.” This came as a surprise to those of us who contributed to policy-making because it seemed to ignore things like:
- 1998: Joint Doctrine for Information Operations
- 2003: National Strategy to Secure Cyberspace
- 2006: National Infrastructure Protection Plan
This is a very modest sample of just the unclassified governmental documents that address these issues. It does not include classified documents, or the dozens of other reports and studies from other governmental and non-governmental organizations. That is not a dearth but a deluge.
From the first PCCIP report to the National Strategy to Secure Cyberspace to the CNCI and everything in between, everyone who has studied these issues has come to the same conclusions about what is required to address them. Because security activities are neither coordinated nor mandatory, the situation is, to paraphrase science fiction author William Gibson, that the knowledge required to improve cybersecurity is known; it is just not evenly distributed.
- Not a day goes by without yet another story in the media of how vulnerabilities in computer systems are exploited at the expense of the legitimate system owner; stories that are indistinguishable from those captured in Computer Capers, a book that is forty years old.
- 30 years ago, Dr. Stoll related in The Cuckoo’s Egg how he tried to get both domestic and international law enforcement agencies, intelligence agencies, and private industry to work together to catch the Hanover Hackers. Anyone who works a computer crime case today finds themselves fighting those same battles.
- Exploiting vulnerabilities in widely-used code was a new thing when the Morris Worm ran roughshod over the Internet in the 80s, yet things like Heartbleed and Shellshock are treated like something novel.
Pundits talk about the hack-of-the-month as a “wake up call” when in fact after every incident we push the snooze button and pull the covers over our heads. Any lessons we might have learned are quickly forgotten or ignored, and the process of wheel-reinvention begins anew.
Breaking the cycle
Forward progress requires action. Action that will have an impact at scale. What actions to take should be informed by the hard-fought lessons learned, and by the recognition that how we’ve been doing things hasn’t been sufficient.
- Study and appreciate our history. Security was being done before the Internet was a thing. If names like Parker and Neumann are unknown to you, you’ve not gone nearly far back enough.
- Focus on gaining ground, not scoring points. Like football, this is a business of inches. Make enough small gains and you’ll be surprised where you end up; try to be Doug Flutie every day and you’re going to be sorely disappointed.
- Aim for the center mass. Your solution for some edge-case may earn you nerd street cred, but it is not going to improve the situation for the 99%. The things that make a real difference are usually the most unglamorous and mundane.
- Give some thought to design and usability. The people who need the most help when it comes to security will not use the command line. Elegant code that doesn’t get used is not a solution, it’s a hobby.
We can listen to and learn from the echoes of history, or we can keep doing what we’ve been doing and wonder why nothing changes. I don’t know that I’ll ever retire a security problem, but I’d like to retire knowing I contributed to forward progress.
/* First published at CSO Online Modern Warfare Blog */