The Price of Choosing Software Profitability Over Security
The United States’ cybersecurity posture will not improve any time soon, given flimsy software products, easy access for criminals and lack of government regulation, among other factors.
Time and time again, U.S. software companies are choosing profits over cybersecurity, said Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, or CISA, presenting the keynote Thursday at the Black Hat USA 2022 Conference, held in Las Vegas on August 9-11 and virtually.
“Basically, software remains vulnerable because the benefits of making insecure products far outweigh the downsides,” Krebs said, quoting security expert and colleague Daniel Miessler. “Once that changes, software security will improve but not a moment before.”
The rapid digital transformation of the COVID-19 era drove an incredible acceleration to the cloud and at the same time added complexity to information technology systems. “What we've done is increase flexibility, elasticity, productivity, but we've also reduced things like transparency,” Krebs said. “We've also started adding on additional products on top of the infrastructure, and we had this explosion of software-as-a-service opportunities. And we're building more products that are insecure by design because of the market pressures, and then we're making it more and more complex.”
He acknowledged that ransomware was “perhaps the biggest collective falling down of government and industry.” Using ransomware, cyber marauders have figured out how to monetize misconfigured systems and extract value from weak software.
“What that is doing in the meantime is distracting our intelligence or national security community, which five years ago was focused on the highest order threats from China, Russia, Iran, North Korea…. now they have had to broaden their view of threat actors to include cyber criminals,” Krebs said. “The actors’ opportunistic target sets are much, much greater. The threat actors understand what the shifts in our businesses are; they understand that we are making things more complex, that we are relying on more software-entrusted updates…. And companies, they are either shipping products or shipping targets, and if you're hosting a service, you are the target.”
In addition to state-sponsored cyber attacks from China, Russia, Iran and North Korea, the field of threat actors has expanded.
“Here's the thing, literally every country on the face of this earth is looking at the digital ecosystem as a new domain, the fifth domain,” Krebs warned. “They're developing capabilities for espionage, for domestic surveillance. They're also looking at capabilities for destruction and disruption. We have a threat actor set that's absolutely exploding, and guess what? There are going to be splashy, new and novel events in the near future.”
These cyber attackers will continue to target software providers, managed service providers and the software supply chain because “that is where the access is; that's where the data is and the ability to work in at scale and go one to many and conduct breakouts,” he continued.
Meanwhile, the U.S. government has struggled with whether and how to intervene in the market or impose regulation in a capitalist economy. “And we still see an overreliance on checklists and compliance rather than performance-based outcomes,” Krebs cautioned.
Despite some inroads, it is still difficult to work with the government regarding cybersecurity matters. “It is still difficult for a private sector organization to know who to work with. Is it the FBI or is it CISA? Is it the Department of Energy or Treasury?” he pointed out.
In addition, Krebs advised companies to make cybersecurity part of their business model. “The CEO that understands cyber risk is a business risk is few and far between,” he noted. Krebs emphasized that software companies will have to decide whether to continue profiting from selling products or services in adversarial countries such as Russia or China.
“Around the Russian invasion of Ukraine, organizations and businesses have to have a set of principles,” he advised. “You have to establish your values, who you are as a company, what you're out there to accomplish, how you're going to do it, what your red lines are. When Russia invaded Ukraine, we were working with a couple different companies that said, ‘Look, we're not impacted by sanctions, so we're good. We don't really need to worry about it.’ Our take was, ‘No. You are going to have a problem if you're going to continue to support the Russian war machine. You have to make decisions now on the kind of company you are.’”
Furthermore, any company that is a core part of the fabric of the Internet, which underpins much of the economy, affects American national security.
“Yes, you are part of the national security community,” he said. “You may not be in the intelligence community, but your mission is oriented around national security outcomes. You have to take cybersecurity seriously. You have to have it as a boardroom issue. And this isn't just the big banks or the big technology companies. This is increasingly midmarket technology companies and software providers.”
“In the long-term things are going to get worse before they get better,” Krebs warned.