Hunter S. Thompson opened his classic political book Fear and Loathing on the Campaign Trail ’72 with the question, “Is this trip necessary?” Fifty years later, these words were in my head as I landed in San Francisco for RSA 2022. Like Thompson, who reluctantly relocated to a Washington DC riven by crime and toxic political hatreds, I arrived in San Francisco to find a city, and an industry, in chaos.
Shoplifting has effectively been decriminalized in San Francisco. Brazen smash-and-grab thieves routinely ransack stores in broad daylight and face no accountability. Thousands of people live on the streets, with hundreds dying from overdoses every year. The day I got there, the outraged citizens had voted to eject their permissive District Attorney, so things may change. In the meantime, the disorder outside the Moscone Center mirrored the discussions taking place inside the building. Cyber criminals are wreaking havoc worldwide but are certain to suffer no consequences.
Was my trip to RSA 2022 necessary? Despite high expectations, I found the show to be a reasoned, if frustrating, cacophony—full of smart, well-intentioned people offering partial solutions to a (maybe) crisis that, I think it’s fair to say, few of us truly understand.
The Supply Chain
SolarWinds and Log4J, two of the most serious supply chain attacks in history, loomed over RSA 2022. The message I heard from the experts at the conference was, essentially, “It’s really bad, but we don’t have a lot of good options for dealing with it.” This was not encouraging.
It’s not that people aren’t trying. GM is admirably advancing its Cyber Readiness Institute, which has helped over 30 million small businesses become better prepared for supply chain attacks. It’s not clear if they will succeed, however. Their main focus seems to be on training small business leaders to be more aware of cyber risk with free content. This will not do much for serious supply chain attacks, which is a cause for concern because smaller firms can serve as unwilling attack pathways into their larger business partners.
I spoke with Patrick Orzechowski, VP & Distinguished Engineer at Deepwatch, the MXDR provider, about mitigating supply chain risk. It is possible, in his view, but success requires being able to conduct deep, sophisticated analysis of operational data such as DNS records. “The attacker has to use your network,” he explained. “So, if you are looking carefully, you’ll spot him or her.” This is easier said than done, as Orzechowski further noted. DNS over HTTPS is encrypted, so security analysts are effectively blind to traffic that could reveal a supply chain attack. “You have to look closely at the endpoint if you want to spot suspicious traffic,” he added. This sort of capability is far from common, of course.
At the “Threat Lab Lunch” with Obsidian, NetSPI, Mend (formerly WhiteSource) and Gigamon, the consensus was also that traffic analysis was the key to detecting supply chain attacks. The issue here is that while these firms all offer well-respected solutions, their implementation is where they are either going to succeed or fail. As the executives at the lunch acknowledged, if your organization is not staffed and culturally tuned for supply chain mitigation, you won’t get the full benefits of Obsidian, NetSPI and the others.
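The endpoint-side DNS review that Orzechowski and the Threat Lab panel describe can be sketched in a few dozen lines. The following is an added example, not code from the article or from Deepwatch, Obsidian, NetSPI, Mend or Gigamon. It assumes a hypothetical endpoint DNS log format (timestamp, host, query name, response code), a constructed 30-day baseline of domains the host normally talks to, and a short list of real public DoH resolver hostnames. It flags two things: a host that resolves a DoH resolver (after which its later queries may travel inside TLS and disappear from passive network logs), and queries for domains the host has never contacted before.

```python
"""Endpoint DNS log review: flag DoH resolver use and never-before-seen domains.

Added example; the log format, baseline and sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of an endpoint DNS query log (hypothetical format:
# "<timestamp> <host> <query name> <response code>").
SAMPLE_LOG = """\
2022-06-07T09:00:01 build-agent-3 updates.example-vendor.com NOERROR
2022-06-07T09:00:02 build-agent-3 api.github.com NOERROR
2022-06-07T09:03:10 build-agent-3 dns.google NOERROR
2022-06-07T09:03:11 build-agent-3 cloudflare-dns.com NOERROR
2022-06-07T09:05:44 build-agent-3 xk3f9a.update-cdn-example.net NOERROR
2022-06-07T09:05:45 build-agent-3 updates.example-vendor.com NOERROR
"""

# Constructed baseline: registrable domains this host contacted in the prior 30 days.
BASELINE = {"example-vendor.com", "github.com"}

# Hostnames of real public DNS-over-HTTPS resolvers. Once a host resolves one of
# these, its subsequent lookups may be carried inside TLS on port 443, which is
# why endpoint logs (not just the network resolver) are needed for visibility.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def registrable_domain(qname):
    """Crude 'last two labels' heuristic; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def review(log_text, baseline_domains):
    """Return hosts that queried DoH resolvers and domains absent from the baseline."""
    doh_hosts = defaultdict(list)
    new_domains = defaultdict(list)
    for rec in parse_log(log_text):
        qname = rec["qname"].rstrip(".").lower()
        if qname in DOH_RESOLVERS:
            doh_hosts[rec["host"]].append(qname)
            continue
        domain = registrable_domain(qname)
        if domain not in baseline_domains:
            new_domains[domain].append((rec["host"], rec["ts"]))
    return {"doh_hosts": dict(doh_hosts), "new_domains": dict(new_domains)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG, BASELINE)
    for host, resolvers in result["doh_hosts"].items():
        print(f"{host}: resolved DoH resolver(s) {resolvers}; later queries may be invisible")
    for domain, hits in result["new_domains"].items():
        print(f"new domain {domain}: first seen {hits[0][1]} on {hits[0][0]}")
```

The two findings are different in kind: a never-seen domain is a lead to triage against the vendor's published update hosts, while a DoH resolver lookup is a visibility problem, because from that point the passive DNS record for that host stops being trustworthy and the analyst has to fall back on endpoint telemetry, exactly as Orzechowski suggests.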
The vague but deadly serious threat of nation state actors contributed to the cacophony at RSA 2022. This is not a new topic, but presenters offered some new perspectives. For example, Niloofar Razi Howe of Energy Impact Partners delivered a compelling firehose of data on the changing state of warfare.
While listening to someone speedread a white paper from the lectern is not ideal, Razi Howe’s presentation did highlight some fascinating insights, especially on the risky subjectivity of private actors, such as criminal gangs and corporations, taking actions with geopolitical consequences. Like, if a private citizen hacker disrupts a corporate-owned satellite used by the military, is that an act of war? How should governments react?
Her presentation subtitle says it all: “Entanglement: Our Hyperconnected Ecosystem.” If you left the session feeling more confused and alarmed than before, she succeeded in landing her main message, which seemed to be, “This is not easy. There are few practical answers.”
I talked to Dylan Owen, Associate Director of Raytheon’s Cyber Protection Services. He deals with nation state threats every day. In his view, one of the biggest challenges in parsing the seriousness of nation state activity in cyberspace has to do with determining intent. While it is always possible that a nation state is planning to do something truly bad, like poison a reservoir, most of the time they are basically lurking.
“We have to figure out if a state actor is simply trying to gain access to a network so they will be able to break in at a later date, or if they are on a truly malicious mission in real time,” he said. “Or, are they simply gathering intelligence for a low-voltage use like wanting to gain advantage at a G-7 meeting?” The issue is response. As Owen explained, response resources are always limited, so his team has to be choosy about which incidents they escalate.
Who Will Fix This?
Will anyone be able to fix these problems? I’m less sanguine about this than I used to be. The presenters at the Threat Lab Lunch were concerned that prevailing standards and SecOps culture were deficient and out of date. Combined with the sector’s chronic labor shortage, the outlook is not good.
As Arabella Hallawell, CMO of Mend, pointed out, only 10 to 20% of software vulnerabilities get fixed. “We’ve been doing the same things for 20 years,” she said. “We need better standards.” In her view, the crisis over Log4J erupted in part because people didn’t know how to find or fix the vulnerability even after they were notified about its existence. When the next Log4J hits, developers and SecOps will likely be similarly unprepared.
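Hallawell's point that organizations could not find the vulnerable component is worth making concrete. The script below is an added example, not from the article or from Mend. It shows the inventory step that was missing in many Log4J responses: walking a file tree, opening every jar, war, ear or zip, and recursing into archives embedded inside them, because log4j-core often ships inside an application WAR or fat jar rather than as a loose file. The check used is the presence of JndiLookup.class, a widely used indicator that a copy of log4j-core is present; presence alone does not establish the version, so each hit still has to be compared against the vendor advisory. The fixture it scans is constructed in a temporary directory (a plain log4j-core jar, a copy with JndiLookup.class deleted, and a WAR embedding the plain jar); the version string in the file names is part of that fixture.

```python
"""Inventory scan for log4j-core in jar/war/ear archives, including nested ones.

Added example. Archive names, contents and version strings below are constructed.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")
MAX_DEPTH = 3  # archives nested deeper than this are not opened


def scan_archive(data, label, findings, depth=0):
    """Record a finding if the archive holds JndiLookup.class; recurse into embedded archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # mislabelled or corrupt file: skip it rather than abort the whole scan
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            match = VERSION_RE.search(label)
            findings.append({"archive": label, "version": match.group(1) if match else "unknown"})
        if depth >= MAX_DEPTH:
            return
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)


def scan_tree(root):
    """Scan every archive under root; labels are paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), findings)
    return findings


def _make_jar(with_jndi):
    """Build a tiny stand-in jar; class bodies are just the JVM magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: a plain log4j-core jar, a copy with JndiLookup.class
    removed (the 'delete the class' mitigation), and a WAR embedding the plain jar."""
    plain = _make_jar(with_jndi=True)
    stripped = _make_jar(with_jndi=False)
    for sub in ("lib", "hardened", "apps"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(plain)
    with open(os.path.join(root, "hardened", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(stripped)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", plain)
    with open(os.path.join(root, "apps", "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo():
    """Build the fixture in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['archive']}: log4j-core {finding['version']} (JndiLookup.class present)")
```

The nested-archive recursion is the part that matters: a loose-file search by name misses the copy inside app.war, which is the case that left teams believing they were clean. The hardened copy is not reported because the class is gone, which is what the delete-the-class mitigation was meant to achieve.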
Cybersecurity challenges are, in essence, people and organizational challenges. There are not enough people. Organizations are not good at adapting. Government policies lag the identification of risks by years, and even after policies are defined, they are often never implemented. Rinse and repeat.
Does It Even Matter?
The big question for me at RSA 2022, however, was: does this even need fixing? If anything, RSA 2022 telegraphed the idea that cyberattacks don’t matter. They’re bad. They create disruption and financial loss, but they then almost always get remediated, and life goes on.
Breaches don’t mean anything, beyond a few headlines that everyone forgets in a few weeks. Public companies that get hacked face an immediate crisis and an uncomfortable outlay of funds to fix the problem, but attacks almost never affect stock prices over the long term.
Half of the Fortune 100 has suffered a serious cyberattack in the last 10 years. Have these attacks affected their share prices? It doesn’t seem to be the case: the Barclays Fortune 100 Index (^BFC) is up over 36% since 2018. A share of Maersk, the international shipping company devastated by NotPetya in 2017, is up 52% since that time.
Corporate reputations don’t suffer nearly as much from breaches as anyone in the cybersecurity industry thinks. Home Depot, which had a breach of 56 million customer records in 2014, has seen its revenue grow from $78 billion that year to over $150 billion in 2021. It seems a cyberattack is just another disaster to get through.
Catastrophic attacks, the Dr. Evil scenarios dreamt up by alarmists (including myself, at various times), seem less probable than we might have once imagined. The Ukraine war appears to be bearing out this conclusion. While it’s far from over, the conflict has not witnessed massive power outages or the cyber destruction of critical infrastructure. As naysayers to the doom and gloom crowd have long been naysaying, massively disruptive attacks are extremely difficult to execute. They require the successful simultaneous hacking of multiple systems, so their likelihood is low.
If this is true, that breaches don’t matter and the society-ending attacks aren’t coming, then why are we spending over $200 billion a year on cybersecurity? Why are tens of thousands of cybersecurity professionals coming to RSA every year to hyperventilate about all these big dangers if A) the risks aren’t actually so bad, and B) what we’re doing isn’t helping all that much, anyway?
These are questions to ponder. Perhaps I’m jaded. Maybe this trip wasn’t necessary. The conference did present some reasons to be hopeful, though. The presenters at the Threat Lab Lunch expressed the view that cybersecurity and IT cultures are evolving and adapting to be more productive and aligned with risks. The industry has no shortage of brilliant, innovative people who are being generously funded to solve the most pressing cybersecurity problems. The work will surely continue. We’ll have to wait until RSA 2023 to see if we’ve made any progress.
Photo by Pixabay: https://www.pexels.com/photo/blur-bright-business-codes-207580/