
Cybersecurity Is Broken

91 points by obscurette about 1 year ago

26 comments

Animats about 1 year ago
Back in my aerospace days I worked on an obscure secure operating system, which, unfortunately, was built for the PDP-11 just as the PDP-11 neared end of life. This was when NSA was getting interested in computer security. NSA tried applying the same criteria to computer security they applied to safes and filing cabinets for classified documents. A red team tried to break in. If they succeeded, the vendor got a list of the problems found, and one more chance for an evaluation. On the second time around, if a break-in succeeded, the product was rejected.

Vendors screamed. Loudly. Loudly enough that the evaluation process was moved out of NSA and weakened. It was outsourced to approved commercial labs, and the vendor could keep trying over and over until they passed the test, or wore down the red team. Standards were weakened. There were vendor demands that the highest security levels (including verification down to the hardware level) not even be listed, because they made vendors look bad.

A few systems did pass the NSA tests, but they were obscure and mostly from minor vendors. Honeywell and Prime managed to get systems approved. (It was, for a long time, a joke that the Pentagon's MULTICS system had the budgets of all three services, isolated well enough that they couldn't see each other's budget, but the office of the Secretary of Defense could see all of them.)

What really killed this was that in 1980, DoD was the dominant buyer of computers, and by 1990, the industry was way beyond that.
Comment #39956214 not loaded
Comment #39955717 not loaded
Terr_ about 1 year ago
> You see, cybersecurity is broken because of the lack of consequences. It's really that simple.

To put a slightly more explicit phrasing around the blog's message: Consequences fall on *the wrong people*. The ones *screwing up chasing profit* are not the ones feeling the pain.

The damage falls on the innocent people the companies were trying to use as resources.

This can be broadly classed as an economic externality, much like how a company can make money dumping poison into the lake but the people who suffer are the ones who drink from it.
Comment #39956724 not loaded
Comment #39955123 not loaded
Comment #39955133 not loaded
Kharacternyk about 1 year ago
The ideal data protection law would prevent most of the data from being collected in the first place. Cybersecurity, on the other hand, is about protecting what you have collected anyway. So, maybe cybersecurity is broken, but fixing privacy is a great first step.
TehCorwiz about 1 year ago
This is a great summary of the economic problems perpetuating lax cybersecurity and the real political reasons we continue to suffer. The answer is clear, and there is precedent in other similar fields: we need data protection laws with teeth.
Comment #39954924 not loaded
amluto about 1 year ago
> Why the fuck do you need my home address just so I can copy and paste some GIFs? Because you want to sell this data to data brokers, and you know there will be absolutely no negative consequences if you mishandle this data

One might argue that selling or giving away (or even internally abusing) customer data is every bit as bad as having it stolen. As far as I'm concerned, selling my address *is* a data breach and should be treated as such.

(Obviously, as the article notes, data breaches aren't really taken seriously.)
siliconc0w about 1 year ago
It'd be interesting if you basically made it illegal to both process and store user data. If you want to process a user's information you need to go through that user's storage API and then you need to persist your data back through that API. Since everything is co-located in the cloud I don't think latency would be a huge deal. Users would get a choice of storage vendors: total visibility into who and what is doing the reading/writing, and they can delete/revoke access at any time.
s4mw1se about 1 year ago
It doesn't help that all governments sponsor and partake in the 0-day trade, which undermines the efforts of their citizens' private-sector blue teams. In addition to paying ethical hackers sometimes 1-2% of what they pay 0-day brokers for the same vulnerability.

It's definitely broken, and as long as the same entities demanding "improved cybersecurity" from their citizens also continue to undermine their efforts, nothing will change.

It's too wrapped up in the military-industrial complex; no one's trying to fix and stop wars when there's money to be made.
elicksaur about 1 year ago
> ransomware attacks that are only profitable because some people just decided that an inefficient distributed database was worth some money

What database tech is this referring to? I'm guessing bitcoin, but the phrasing wasn't clear to me that it meant the payment method rather than an easily exploitable target database everyone was choosing.
mikewarot about 1 year ago
If you can't run a program by telling your computer what you want to run, and what resources you trust it with, and know that it will respect those choices, you're never going to have cybersecurity.

This is a solved problem for other domains where you have resources you want to safely utilize a portion of... wallets for cash, circuit breakers for electricity, etc.

We don't need legislation, or banning of "C" to chase the latest hemline of Rust.

Long ago we collectively decided that MULTICS was too complex, and we really didn't need all that security. At the time, it was reasonable, but now... not so much.

We keep reinventing it, then deciding our ersatz version of capabilities is too slow, and make it faster, easier, etc... until it's broken security-wise, and repeat again, and again.
QuantumG about 1 year ago
Here ya go: https://www.csoonline.com/article/567531/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html

It takes time.
SebFender about 1 year ago
"Cybersecurity is broken because of the lack of consequences."

If I may, after a few decades in: add in, or change for, competence.

Most often my team and I test apps that have been verified by multiple parties and we still find juicy stuff. Not always, but most often.

Here's the kicker: the most important ones aren't about the tech, but the business part of it (validations, processes, flow and so on).

If I could make a very generic recommendation for most: check the logic and business first, then make sure the tech is decent.

In business, make sure you include people and management.
Veserv about 1 year ago
Partially correct. Cybersecurity is broken because there are no consequences, but cybersecurity is not broken because there is no money in it. Large corporations spend literal mountains of money on cybersecurity, but cybersecurity is broken, so that money is basically wasted. Literally go ask any CISO or cybersecurity director at any Fortune 500 company: "How much would it cost to hire hackers to compromise the systems of our company with billions of dollars of revenue and take down operations?" Keep asking that until they give you a literal monetary number. I have never heard a number over 1 M$ by anybody who knows anything. None of the big 4 banks, who literally spend hundreds of millions to billions of dollars, gave a number over 100 k$. If they give you a number over 1 M$, ask if you can make an open prize at Defcon so they can prove it; they will be shaking in their little boots.

Cybersecurity technology is, as a rule, useless. And it is also worthless since there have been no meaningful consequences to date. Large companies pay huge piles of money so the CEO and Board of Directors can say they spent a lot of money so they, personally, have plausible deniability when their systems get breached. Then the lack of actual business consequences kicks in and everybody is happy after the PR blip passes over. Optics are, in fact, more important than security for large companies, which is why heavy spenders look so broken. It does not need to actually work, it just needs to look good to outsiders so they do not get a phantom PR hit (it is a phantom from their perspective since there are no actual business consequences; there may be other consequences but that is outside of their evaluation criteria).

The only actually meaningful and cost-effective "preventative" measure is doing the bare minimum of standard IT practices (i.e. keep things up to date, keep backups, etc.) to prevent amateurs from crippling your systems. Against professionals, no commercial IT solution works, so you are better off just purchasing cybersecurity insurance. You should only waste money on the standard cybersecurity garbage if you need to slough off liability. In every other way it is just plain useless; it provides no meaningful increase in security and costs a ton to boot. This is why small companies look so broken: nothing works and they do not need the optics, so there is little point in spending money on things that do not work.

With the recent wave of mature, professional cybercriminals we are finally starting to see a little bit of a shift. The 18 year old hackers who thought 100 $ was a lot of money are now in their 30s running professional extortion companies. They are starting to ask for serious money and the consequences are starting to materialize. Unfortunately, we have an entire industry of snake oil and the rest of the economy is not ready for the consequences. It is already hitting the cybersecurity insurance companies, who are rapidly going underwater because policies are backwards looking. The cyberattack industry is growing like 300% per year, so the premiums from 5 years ago, which assumed an expected value 243x lower, make no sense today, and the premiums today make no sense next year. Incidentally, this is why you should purchase as much long-term cybersecurity insurance as you can; it is massively underpriced given current trends (e.g. Maersk got a real steal with their 1 G$ payout, which is probably more than the total premiums paid to all cybersecurity insurance companies put together over their entire existence at that time).

The problem is not money. It is working solutions. Money helps make working solutions as long as it goes to people making working solutions. But, so far, optics have been preferred over security due to the lack of consequences.

If we want working solutions, then we need systems verified to protect against the now commonplace attacks by professional attackers at the 10 M$+ range. As a first-order estimate, that is a team of 20 full-time for a year. That is the *minimum* bar. For large nationals or multinationals, you probably need to be in the 100 M$ to 1 G$ range, 60 full-time for 3 years or 600 full-time for 3 years. Only then are we reasonably safe against sophisticated financially-motivated attackers.
tayo42 about 1 year ago
I think this is the wrong way to think about personal data. You're better off just living your life like everything is hacked and out there and taking precautions to deal with that.

Otherwise you place your destiny in the hands of others. And you're also expecting a 100% success rate against data being stolen. We're only human; eventually someone will screw up no matter how much punishment there is.
cjk2 about 1 year ago
Nope. It's broken because all policy is normalised into box ticking and insurance.
OrvalWintermute about 1 year ago
Cybersecurity can mean many things.

A noun, a verb, a quality, attribute, or function.

In general, I don't see the noun, verb, or function as broken (despite being relatively new (immature) fields) but I definitely see the quality, or attribute, as broken because it is subject to the whims of profit and doesn't have many of the guard rails of more mature industries.

The Body of Knowledge is not firmly established, therefore there are huge asymmetries between developers, offensive and defensive practitioners, and resourcing/tooling plays a gigantic part of this.
bitwize about 1 year ago
It's time to introduce PE licensing for the title of "software engineer". Like civil engineers, software engineers should be personally, civilly and criminally liable for the systems they sign off on. Reserve other titles, like "software developer", for those who work under the engineer and do not assume liability.

Other measures, like data protection laws, will still be necessary. But introducing certification and liability like an actual profession would be a good start.

This will greatly diminish startup culture. Fine. I'd rather have a few responsible companies out there playing by the rules than a thousand wildcats for whom rules are an inconvenience.
Comment #39956192 not loaded
wepple about 1 year ago
> You do what the payment card industry has been doing for decades

What? Mandate a bunch of paper-thin worthless rules that tie up security & engineering teams and don't actually add measurable security improvements?

I'd be very interested in seeing the data that shows PCI-DSS has had any impact. I spent a previous life breaking into PCI compliant companies, and it didn't offer the tiniest speed bump.

This is a horrible recommendation.
Comment #39955822 not loaded
demondemidi about 1 year ago
There is no black and white "this will fix it" in cybersecurity. It is a continual arms race. Arguing "X will stop cybercrime" is so naive it hurts.
Comment #39956137 not loaded
bradley13 about 1 year ago
"When literally nothing happens when some stupid service gets popped and loses your data they had no business collecting in the first place, this kind of thing will happen over and over and over again."

Money quote, and he's right. In Europe, the GDPR helps stop random data collection, but there is still no penalty for getting hacked and losing customer data. There should be, and in egregious cases upper management should be personally liable for civil suits by affected people.
Comment #39955549 not loaded
boring-alterego about 1 year ago
If you want to see a functioning dysfunction of cyber security, look up NEI 08-09.
Comment #39976742 not loaded
motohagiography about 1 year ago
It's a profession for negotiating machine-based contracts instead of legal ones now. Like legal services and compliance, it creates its own demand and demands infinite management. It's essentially a branch of law.
iron-s about 1 year ago
Fixing cybersecurity with laws is the same as fixing drug trafficking with laws.
Comment #39955293 not loaded
xg15 about 1 year ago
> "You see, cybersecurity is broken because of the lack of consequences. It's really that simple. When literally nothing happens when some stupid service gets popped and loses your data they had no business collecting in the first place, this kind of thing will happen over and over and over again. Why the fuck do you need my home address just so I can copy and paste some GIFs? Because you want to sell this data to data brokers, and you know there will be absolutely no negative consequences if you mishandle this data, fucking over the people who keep your business afloat. So, companies big and small fuck things up and we need to clean up the mess and face the consequences. Sounds about right."

10 years from now: AI somehow knows every single tiny detail about your life and can accurately predict any decision before you even made it. How could it have come to this? Clearly, it's just the fundamental superiority of AI compared to the human intellect. It's just the inevitable march towards the singularity. There is nothing we could have done to prevent this...
emmelaich about 1 year ago
Complaining about privacy and data brokers then ... discuss this on our Discord!

¯\_(ツ)_/¯

I guess now, finally, with the introduction of advertising they have a recognisable form of income. Meaning they *might* be less likely to profit off data.
ergonaught about 1 year ago
Author appears broken, as well.
otabdeveloper4 about 1 year ago
"Memory unsafe languages" is maybe one percent of one percent of the problem.

As always, nobody actually gives a damn about "security" and uses it as a pretext to push something unrelated. (In this case, Current Year's stupid fad programming language.)
Comment #39954893 not loaded
Comment #39954870 not loaded
Comment #39954992 not loaded
Comment #39955018 not loaded
Comment #39954969 not loaded