Comments about the State of the Union

From the present annals of recent history, we have a law on the books.

§ 1030 Federal Computer Hacking – Under 18 U.S.C. § 1030, federal computer hacking charges can be filed as either a misdemeanor or felony offense. The decision will normally depend on the circumstances of the case, primary motivation of the conduct, and the level of harm it caused.

Yet we imagine a different world, one of calm business transactions with no stolen data or identities. We are optimistic about seeing this future and defending our critical infrastructure. As the Equifax, Anthem, Marriott and Office of Personnel Management breaches demonstrated, if there is a computer in your business or at home, you are a cybersecurity target.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a study.

Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization

Of the myriad lessons spanning the report's 16k words, one stands out as glaring: the organization’s staff require continuous training, support and resources to implement secure software configurations and detect malicious activity. Simply put, the staff requires continuous training. An excerpt of the report is below:

  • The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections.

  • The organization’s staff require continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure they are provided sufficient resources by management to have the conditions to succeed in protecting their networks.

  • The organization’s leadership minimized the business risk of known attack vectors for the organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.

Yet we believe in the ability to easily and quickly discern between fake and fact, which is often troublesome nowadays with the variety of media, social media and the constant stream of data that we’re all drowning in. As Thorstein Veblen once wrote – “a trained incapacity of experts.” It’s the advanced degrees, and the issues we see in society with higher education facilitating more problems than creating viable long-term solutions.

We need to allow a computer to take care of itself. The potential threat looming on the horizon from adversary actions is already present. What’s looming is an after shadow of the adversary actions in your system.

We then saw notice of this the following week from CISA:

Enhanced Visibility and Hardening Guidance for Communications Infrastructure

The closing plea here is security by design, with the authoring agencies urging software manufacturers to incorporate secure-by-design principles into their software development lifecycle to strengthen the security posture of their customers. We see this time and time again: an intrusion, stolen data, stolen identities and stolen artifacts that span upwards of five generations.

We have so much code written in Java and its equivalents that is prone to exploitation. We have even more code written in C and C++. We have COBOL and FORTRAN still in use because they are fairly basic languages; they just work. As with C and C++, it’s difficult to make such software work without holes, though it is possible. We have a foundation of experts who are proficient enough to understand the subject matter and audit it appropriately. But secure by design is still an afterthought. We invoke auditors when it’s nearly a finished product, not at the beginning.

Otherwise stated, security by design is rare.

It’s much like the 1930s outside, if you know what to read and where to listen, in the changing world we have in 2024.