> Begin forwarded message:
>
> From: Mark
>
> Opinion: Huge cyberattack shows it's time to fix our failing cybersecurity
> infrastructure
> We live in an age of asymmetric cyber warfare where even small teams of
> attackers have an advantage over large and well-funded defenders.
>
> Patrick Walsh
> 2:55 AM MST on Jan 16, 2021
> https://coloradosun.com/2021/01/16/cybersecurity-opinion/
>
> The recent cyberattacks on the U.S. government and select companies that
> security agencies say are "likely Russian in origin" should be ringing alarm
> bells across the capital and across the nation. By compromising a software
> vendor and manipulating their updates, hackers infiltrated the sensitive
> networks of many of our institutions.
>
> Now I fear we'll repeat our past mistakes by focusing all of our attention on
> how the attackers got in rather than focusing on what they were able to do
> once they got there.
>
> The number of ways to get through the perimeter defenses is large. In a
> system as large as the U.S. government, there are an incalculable number of
> ways that an attacker could potentially get in. That's because of the
> complexity of these systems and the amount of software and people involved.
>
> Inevitably some of that software will have bugs, and some of those bugs will
> be exploitable by hackers. And some of those people may be compromised as
> well.
>
> The real problem here isn't the security issue of the day; it's the mindset
> we bring to the problem. We're thinking about our cyber defense using
> outdated castle-wall analogies. We imagine we can keep the attackers outside
> the wall and keep our sensitive belongings safe inside it.
>
> What if, instead of imagining impregnable walls, we instead assume the enemy is
> already within?
>
> In this instance and in almost every major hack that makes the news, we learn
> that the delay in detection was on the order of months. Given the likelihood
> of an undetected breach, the question we need to ask ourselves is this: How
> do we protect our data if our networks are already compromised?
>
> To me, the answer is clear: We must secure the data using modern encryption
> techniques. Our focus must be to make it so the breach of a running machine
> doesn't equate to the compromise of the data on that machine.
>
> For most systems, it's the confidential data we're trying to protect. Sure,
> there are other concerns, such as the integrity of critical infrastructure
> like power plants, to consider as well.
>
> In all of these cases, strong cryptography that ties to identity and links
> with provable access controls is the best answer available today.
>
> I've spent years thinking about how we should retool our approach to
> cybersecurity. I've concluded that the only way to do this effectively and
> comprehensively is to start with the building of our software and systems.
> But this creates a problem because most of what we do today is tethered to a
> world of legacy software and systems that can't easily be rebuilt.
>
> I co-founded a company that is focused on solving this problem by giving
> software developers the tools they need to build modern applications with
> data security at their heart. By making it easier to build software this way,
> we hope to bend the industry towards a future where attackers don't have such
> an overwhelming advantage over defenders.
>
> But what if we could bring this sort of change about more quickly? At the
> current pace, it will be decades before our critical infrastructure is
> retooled with a secure base that protects the data. We're fighting
> institutional lethargy, entrenched patterns for building software systems,
> and the lack of forcing functions that would make the needed changes a
> priority.
>
> This impacts all of us. When major engines of our government are breached or
> when large corporations cough up data, it's, more often than not, our data:
> the data of citizens and consumers. And it happens over and over and over
> again.
>
> Our lawmakers could force the change, but they meet this news with shrugs of
> the shoulders. For many of them, this is well outside of their core
> competency, and so they hope the free market will solve its own problems. But
> the market is not meaningfully penalized for losing data nor rewarded for
> protecting it.
>
> As with everything else that matters, from energy to agriculture, the free
> market must be nudged to create the proper economic incentives for the good
> of society.
>
> We need a combination of incentives, starting with penalties in the form of
> more meaningful liability when people's personal data is compromised, as is
> now the case under California's Consumer Privacy Act.
>
> We need to reward companies that build data-protection-first systems by, for
> example, giving those systems preference in procurement processes, where a
> contract for software that considers two systems with similar functionality
> goes to the system with the stronger data controls.
>
> And we need to allocate funds to reshape or replace legacy software with
> modern, secure-by-design systems so these old systems don't continue to hold
> back the change we need.
>
> We live in an age of asymmetric cyber warfare where even small and dedicated
> teams of attackers have an advantage over large and well-funded defenders.
> It's time to reshape the landscape. And we need our politicians to help lead
> this change.
>
> Patrick Walsh of Boulder, a veteran tech executive, is CEO of data-security
> company IronCore Labs.
>
_______________________________________________ Infowarrior mailing list Infowarrior@attrition.org https://attrition.org/mailman/listinfo/infowarrior