"Stronger, Safer, Together", "Crawl, Walk, Run" and other trite phrases often heard in policy podcasts. :)
So over the weekend I made a few people mad on the Twitters by suggesting that the internet white hat group I Am The Cavalry was wasting its time with its IoT security advocacy, some of which has turned into law, various Commerce Department guidance, FDA regs, etc.
On one hand, more secure IoT devices are obviously good, right? But on the other hand, when the rubber hits the regulatory road, you get a weird mix of "Please don't have built-in backdoor passwords on your IoT devices" and "please make all IoT devices updatable". These types of regulations attempt to fix point problems with existing technology in a way that may or may not introduce bigger systemic risk.
The government has an interest in reducing systemic risk on the Internet as a whole. This is read by various agencies as a license for additional regulatory actions since that is almost the only tool in their box. But everyone on offense realizes we cannot do it the way that I Am The Cavalry wants to.
The Mirai worm is an example of this issue: a couple of kids built a massive IoT botnet that was then used to DDoS a few networks. DDoSes are a known issue; they typically take one company off the map for a while, and they are very hard to prevent, because it comes down to doing filtering in a distributed and robust way against an adversary, which is not a fun problem to have.
But when they DDoSed Dyn, a provider of DNS, they caused actual disruption on the internet. Instead of trying to solve the problem of having a centralized weak point running an obsolete protocol that we depend on for literally everything, we've decided to try to make an internet where nodes can be trusted, which we know is impossible!
Additionally, requiring point solutions for IoT devices may introduce more systemic risk than we are comfortable with. Because it's impossible to say "I want SECURE updates to all IoT devices" and have any two experts agree on what that means, we have to say we want them "signed cryptographically". But these updates are coming from places that we know we cannot trust: small vendors are often weak targets, and the supply chain only gets weaker from there.
It is as if we tried to implement regulations to write SECURE PHP code so every WordPress site didn't become a font of usernames and passwords for hackers. All of these ideas are, on their face, a waste of time, which is why the offensive community tends to look at organizations solving problems OTHER than the centralized weak points as a bit silly.
I posed this point to one of the government boards looking at the IoT issue, and was told it was not helpful, but hopefully this blog answers why I wrote them this in the first place. Offensive security is almost always about finding centralized weak points that your adversary has forgotten about, or does not realize need protection, and a lot less about busting through the security layers they have in place. That's the whole ball game, every day, for the last 20 years for most of us in the industry.
An easy example is this: If your team isn't freaking out about this vulnerability in GoAhead Web Server, then they are clearly missing situational awareness.
I understand that instead of "simple" regulatory and legal fixes, this requires shepherding massive new engineering and technical efforts through the political sphere, but I still think that if we want to move the dial, we have to engage in a way that truly changes the terrain.
(Secretive Sniff You is a good anagram for Offensive Security :) )