Skip to main content

Mavenir Extends AI And Analytics Portfolio To Enable Mobile Network Optimization, Automation & Security

Security Alert: Make Sure Unauthorized Devices Are Not On Your Network

 Axios

Perfect cybersecurity is a pipe dream

At a hearing on SolarWinds last Friday before the House Oversight and Homeland Security committees, U.S. Representatives seized on a statement by SolarWinds’ former CEO that in 2017 an intern had mistakenly posted a password, “SolarWinds123,” on the public-facing internet that could have provided a malicious actor with full access to the company’s update server. Why it matters: Last week’s congressional hearings — and the confused and confusing response to the hack by some policymakers, industry mavens and government agencies — underscored the inherent tensions in “achieving” cybersecurity in a world of cross-cutting, and often mutually exclusive, goals. Get market news worthy of your time with Axios Markets. Subscribe for free.Though the compromised password was just one theory for how the Russian intelligence services may have compromised SolarWinds — and there is no evidence that this was, indeed, how they accomplished their initial intrusion — an incredulous member of Congress pounced on the idea that such a potentially monumental cybersecurity failure could have originated in such a banal human error. Human errors provide a good, easy-to-understand framing for complex problems, particularly attractive to politicians and private actors alike insofar as it individualizes responsibility — on the shoulders of a single intern, no less, with SolarWinds — while avoiding the deeper structural issues at play in cybersecurity.For sure, individual mistakes can and do sometimes have massive systemic effects. One of the greatest intelligence coups in U.S. History, the Venona Project, was born from a World War II-era mistake by Soviet officials wherein some keys to “one time pads” — among the most secure forms of coded communications — were used twice, allowing U.S. Cryptanalysts to crack Soviet ciphers. Human failure has also led to massive compromises in the digital era, with deadly real-world effects. For instance, in 2004, a CIA officer attempted to send an encrypted digital message to one of the agency’s assets within Iran — but, in a kind of “carbon copy” from hell, mistakenly included information in the transmission that “could be used to identify virtually every spy the CIA had in Iran,” reported James Risen in his 2006 book "State of War." Tragically, this particularly Iranian asset was actually a double agent, and Iranian security services rounded up the CIA’s Iranian network as a result of this single botched message.The big picture: Though human error is an always-present cybersecurity threat — you can’t stop everyone from clicking on a malicious link — there are deeper, thornier issues at work. And these cannot be solved, if they indeed are solvable, without trading some important goods for other ones.Platform sharing makes life easy for companies — and hackers, tooThe ubiquity today of managed service providers, companies that outsource platforms for IT management and other core network functions, guarantees that firms have less insight into and control over the software running on their systems.The ease of not building these capabilities in-house (if doing that is even possible) — saving employee time, increasing interoperability, and perhaps most importantly, positively benefiting the bottom line — is potentially partially offset by what may be increased risk brought on by the use of these services.The use of such providers can make one’s own networks more opaque, and by using these platforms, firms are also importing whatever flaws may lay quietly dormant within them — as happened, disastrously, with SolarWinds. Moreover, compromises via software supply chains like SolarWinds are particularly pernicious because it is so difficult to pinpoint their origin, and once they spread from company to company, or from platform to platform, rooting out hackers can be a logistical and counterintelligence nightmare. Private companies are outsourcing work to other private companies, which are themselves providing services to government agencies, who themselves may not realize just how exposed they are, even on unclassified networks. The bottom line: The imperatives of commerce in an era of cutthroat competition, and the need for the smooth functioning of large, complex bureaucracies in the digital era, will inevitably lead to greater cybersecurity risks — even if organizations or government agencies attempt to institute "zero trust" security models.No silver bullets for cyber defenseThere will never be a “silver bullet” in cyber defense — and if there were, it would likely be deemed entirely unpalatable, thanks to deeply held norms and assumptions shared among U.S. Cybersecurity institutions and actors. For instance, the National Security Agency cannot monitor all private U.S. Internet service providers as part of some massive early detection system against cyber threats. Even assuming such an arrangement would be possible or desirable, given the potentially vast civil liberties violations, there might be more pedestrian reasons for opposing it.Lawful interception systems that concentrate power also concentrate risk: If a foreign power secretly gained access to such a system and burrowed in, it could be cataclysmic.Between the lines: Private digital networks are inherently fragmented and opaque to outsiders — precluding any type of one-size-fits-all upstream response. Greater transparency from the private sector help might ameliorate some of these problems, but it won’t solve them. At last week’s congressional hearings, for example, Microsoft president Brad Smith suggested imposing legal duties on private companies to report breaches, which could help stanch the spread of some compromises by facilitating important information-sharing.But this is still an effort at mitigation and not outright prevention. Other proposals floated occasionally — like the notion that private companies should be able to “hack back” against attackers in their networks — are fanciful at best and delusional at worst. Tensions between offense and defense in cyberspaceThe United States' offensive cyber operators will aim to manipulate the broader IT environment. Defenders within the public and private sectors, in turn, have their own prerogatives. These needs will always be in tension — and are most likely unresolvable. The big picture: While the NSA does important defensive work, this reliance on, and facilitation of, insecurity is a core part of the NSA’s work. Indeed, according to an NSA document leaked in 2013, the NSA carried out a secret “SIGINT Enabling Project,” the objective of which was to engage "the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs … [to] make the systems in question exploitable through SIGINT collection.” Nothing underlines the tension in the NSA’s work more clearly than the evidence that it pushed what it knew to be a flawed encryption standard upon the National Institute of Standards and Technology (NIST), so that NIST in 2006 would (unknowingly) validate it as safe for general use — all while NSA was able to crack it.Moreover, the NSA and the CIA need to keep vulnerabilities of all sorts secret in order to exploit them against intelligence targets. Expecting them not to do so would be folly.The government’s “vulnerabilities equities process” provides some formal (though largely secret) framework for determining whether to disclose known bugs to outside parties.But this is a decision made within government regarding its own prerogatives, which may not align perfectly with the welfare or wishes of the wider public. There are other cases where the government and the public interests might not align. Let’s stipulate that legislators wanted to, for instance, require Microsoft products to meet certain security standards for general public use. What if those standards interfered with important collection programs for the CIA or NSA, whose targets abroad were running Windows? Whose needs should be prioritized if national security is deemed to be at stake? And who should get to make that determination?Between the lines: Many U.S. Intelligence officials view the very porousness and insecurity of the digital domain as an immense structural opportunity and advantage. They see good reasons to exploit these avenues for collection in the country’s intelligence activities abroad (and sometimes at home). Yes, but: Such activities do not mitigate risk or online insecurity. In fact, they almost certainly increase it more broadly. Some argue that this trade-off may be worth making. But it's a trade-off nonetheless.The bottom line: In cybersecurity, we'll never have it allThe philosopher Isaiah Berlin wrote... “The notion of the perfect whole, the ultimate solution, in which all good things coexist, seems to me to be not merely unattainable — that is a truism — but conceptually incoherent; I do not know what is meant by a harmony of this kind. Some among the Great Goods cannot live together. That is a conceptual truth. We are doomed to choose, and every choice may entail an irreparable loss.”Berlin was talking about moral choices — like the “goods” of liberty and equality, which were often mutually exclusive. In cybersecurity, such “goods” — which are often rooted in deeper prerogatives of national security, individual privacy and the system of free enterprise — also sometimes work at inherent cross-purposes. We cannot maximize them all simultaneously.My thought bubble: The pursuit of cybersecurity, along with the managed maintenance of desirable cyber insecurities, must be overseen by policymakers. They owe the public a fuller account of their ethical and practical calculus. More from Axios: Sign up to get the latest market trends with Axios Markets. Subscribe for free


Comments

cta banners

Popular posts from this blog

Mavenir Extends AI And Analytics Portfolio To Enable Mobile Network Optimization, Automation & Security

  TipRanks Raymond James: These 3 Stocks Are Poised to Surge by at Least 50% In a recent note on the state of the stock markets, Raymond James equity strategist Tavis McCourt points out a series of policy factors that are playing a role in the current market volatility; the situation is more complex, perhaps, than most of us have been willing to admit. McCourt notes permutations of the SLR rule, political dynamics on the Senate Banking Committee, and the regulatory atmosphere towards potential capital return are all influencing the Fed’s moves and the market reactions. “We believe the Fed will do everything they can to ensure orderly trading in US Treasuries and does not want to see the volatility and liquidity concerns that have occurred in the last week/over the course of the pandemic. We also believe that the Fed is not interested in having a spike in yields as Treasury seeks to finance the next round of stimulus," McCourt opined. The strategist added, "While the SLR conve

Network Security Firewall Market Size, Industry Players, Revenue And Product Demand Forecast Till 2027

  The MarketWatch News Department was not involved in the creation of this content. Mar 02, 2021 (AmericaNewsHour) -- Global Network Security Firewall Market is valued approximately USD 3.09 Billion in 2019 and is anticipated to grow with a healthy growth rate of more than 22.90% over the forecast period 2020-2027. The network security firewall is a safety system that is created for the prevention of unauthorized access to non-public facts on a network. The firewall may be utilized as software program as well as hardware and may segregate a selected network and its records from an out of doors network to keep that precise network facts non-public. The There are a severe amount of benefits that incorporates the usage of a firewall in a network are, particularly the clean set up and the high pace. Enforcing a firewall for a network is also tons less expensive than to have to secure each computer individually. The global pandemic of COVID-19 is propelling the market growth over forecast y

Security Alert: How To Make Sure Unauthorized Devices Aren't On Your Wi-Fi Network

  You keep your device’s operating systems updated. You’re using internet security software. You're pretty savvy about not falling for online scams. Even so, malware and cybercriminals can still get through. Run this free check to see if your router has been hacked by criminals giving them open access to all your files, passwords, and more. Your security arsenal includes a firewall. Here’s a free test to make sure that your firewall is blocking access to bad actors and bots. Start the day smarter. Get all the news you need in your inbox each morning. How many devices are connected to your home’s wireless network? A handful? Dozens? As time goes on and you add new gadgets, it's easy to lose track of everything connected, or worse, notice things that don't belong. Here’s how to determine what’s on your network and prune anything that shouldn’t be: Get into your router’s admin page This is a relatively simple way to get an idea of who's using your network. Bonus: It's