Black Hat USA: What lies beneath?
Arriving in the scorching, 110-degree heat of the Nevada desert last week, throngs of cybersecurity folk descended on Mandalay Bay’s convention centre, located on the Vegas Strip, for Black Hat – one of the largest and most notorious conferences in the industry.
Perhaps because of its name – black hat is the term used for a computer hacker who violates the law for nefarious purposes – the conference still evokes suspicion from the locals in this burgeoning desert metropolis.
Going through security at Harry Reid, a passport official asked whether I was a hacker. I later watched a payment dispute play out between a taxi driver and a passenger. The car’s electronic payment system kept rejecting the passenger’s credit card: “Well what do you expect? The hackers are in town!” decried the passenger, by way of explanation.
And then there are the claims that Black Hat hosts one of the most hostile networks in the world: that unless you switch your phone to airplane mode and use pen and paper, there is a high chance you will be hit with phishing emails, or worse. This may or may not be an exaggeration, but people may well test out exploits at an event like this, and security experts always advise exercising caution.
But in truth the event – founded by ethical hacker and US Homeland Security advisor Jeff Moss over 25 years ago – is really all about keeping the bad guys out. While it grew out of Def Con (which takes place at the end of the same week and focuses more on the technical side of hacking) Black Hat aims to give enterprise engineers and software developers, CISOs and IT folk privileged insight into the minds and motivations of their hacker adversaries.
Keynote
This year, Jen Easterly, director of Cybersecurity and Infrastructure Security Agency (CISA) set the tone during Black Hat’s opening keynote, which focussed on security around the US elections as well as the recent CrowdStrike outage.
In March this year CISA called out China’s attempts to interfere with its electoral system, although Easterly assured that election infrastructure “has never been more secure” and that the community of election stakeholders has “never been stronger.”
What makes the US election system arguably resilient to attacks is partly its siloed structure: Each city, county and state administers an election differently and, following Russian interference in the 2016 elections, work has been done to secure the electoral system (now designated as ‘critical infrastructure’) and support local state officials.
Nonetheless, Easterly recognised that it was vital not to get complacent and that threat actors continued to be “entrepreneurial”. One recent tactic she highlighted was Russian adversaries hiding behind unwitting US public relations firms to spread disinformation about the US presidential race.
Hostile states such as China, Russia and Iran, Easterly added, are all focussed on the same goal: spreading disinformation (false and incendiary claims) about US democracy to undermine faith in the election.
Looking ahead to US election day this year, due to take place on 5 November, Easterly appears to hold strong faith in the system, not least because election officials are well versed in dealing with crises.
“A poll worker will forget their key. There will be a storm, there will be a DDoS attack, but the good news is that they are natural born crisis managers and know how to deal with disruption and know how to respond,” she said.
CrowdStrike outage learnings
The beauty of an election is that you can plan for it, and for things to go wrong, even if, in the case of the UK election, you are only given six weeks’ notice.
However, last month’s CrowdStrike IT outage, which caused global disruption, caught most by surprise and highlighted the ubiquity of software in everything from payment systems to medical records.
Easterly, who woke up at 2am on the morning of the outage “to help get mitigation advice out there”, said that one of her first thoughts was: “This is exactly what China wants to do but without rolling back the updates to get services back online.”
Earlier this year, the US government exposed the Chinese state-sponsored hacking group Volt Typhoon for infiltrating American critical infrastructure and pre-positioning dormant access, ready to activate in the event of a conflict, such as an attack on Taiwan.
“Volt Typhoon is aimed at exposing our pipelines, derailing our systems to incite panic. And that’s the lesson I took away from the CrowdStrike outage. We need to build that resilience now, so we are prepared for mass disruption – and that includes working with private sector,” she said.
Easterly added that the outage also reinforced a message that her organisation has been hammering home to tech vendors lately: build software that is ‘secure by design’. Cyber security vendors, she added, should not be immune to this message either.
Most vendors I spoke with at the show were broadly sympathetic to CrowdStrike’s role in the outage. Several admitted that this could have happened to them and the majority were using it as an opportunity to ensure they had the right software update and testing processes in place.
The widespread global meltdown, caused by a faulty content update to CrowdStrike’s Falcon endpoint security sensor running on Windows, also didn’t stop delegates from flocking to CrowdStrike’s Black Hat booth. The snaking crowd appeared to be lining up for collectable giveaways celebrating Falcon’s success in foiling threat groups such as Scattered Spider and Fancy Bear.
Security agency heads, however, might not be as easily convinced. For every company saved by Falcon there were arguably many more whose networks went down for days following Blue Screen of Death Friday.
Easterly told attendees at another session that day that delivering major improvements in computer security will require a sea change in how companies – especially big tech companies – approach building software.
“We have a multi-billion-dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software,” she said.
To force companies to devote greater resources to the security of their products, the Biden administration is considering how to carry out software liability reform, which in theory would allow those affected by software flaws to sue the makers of that product.
As it stands, restrictive liability waivers ensure that when technology companies make mistakes, they generally can’t be sued for them, and where suits do proceed, damages are capped. Everyone is watching to see what happens with the lawsuit Delta Air Lines and others are bringing against CrowdStrike for the losses caused.
Easterly added: “Congress can have a transformative impact by establishing a software liability regime with an articulable standard of care and safe harbour provisions for those vendors that innovate responsibly, prioritising secure development processes.”
Complex web
What such legislation doesn’t consider, perhaps, is the increasingly complex, interdependent nature of cloud-based environments. This isn’t a get-out-of-jail-free card for those more focussed on efficiency than resiliency, but the reality of working in agile environments.
As Black Hat founder Moss noted during the Black Hat Locknote wrap-up session, it is not only getting harder for security leaders to keep an inventory of all the software in their enterprises, but for vendors too, who might not realise which libraries they depend on “under the hood”.
Moss’s remarks followed Thursday’s keynote from Moxie Marlinspike, co-founder of encrypted messaging service Signal. According to Marlinspike, agile is not helping innovation but hindering it.
Agile ways of working, he argued, meant that teams end up siloed, working separately from each other, and without much visibility into what other teams are doing.
These teams also tend to lack visibility into some of the fundamentals of what makes their own products work, Thistle Technologies founder and CEO Window Snyder added during the wrap up session.
Moss added: “I worry that at some point you reach a world where we have these completely unknowable systems … you’re building this infrastructure on the cloud on top of a cloud on top of the cloud … and at some point, you completely lose the connection.”
He added that such complex systems can fail in completely unpredictable ways, and he wondered whether security leaders may have to come to terms with these failures and be ok with never being able to fully describe to management why it failed.
Another panel member pointed out that if the failure rate was relatively low this might be acceptable, but for mission-critical use cases with a low tolerance for failure, it could be dangerous.