We recently spent a day on the Ericsson campus in Plano, Texas attending the “Hot Topics in Networking and Security” conference, cleverly shortened to the acronym “HoNeST.” This event was coordinated by the University of North Texas’ Department of Computer Science and Engineering and featured both academic perspectives on networking and security as well as business, government, and industry presentations. As we’ve come to expect from any talk concerning cybersecurity, there was a thread of pessimism and gloom: too many systems are vulnerable to hacking, there aren’t enough qualified technicians to go around, and many of the systems are designed or planned poorly. If there’s any good news, it’s that the experts seem to know what to do to fix the problems – the question is whether they’ll get the help, time, and funding to implement those solutions.
Here are four things we learned…
- There remains a lot to be worked out with the “internet of things.” This technology is a part of every “future of IT” talk and sparks the imagination of garage doors talking to thermostats talking to dishwashers. But technical protocols still need standardization, whether it’s device coordination, file transfers, or messaging. In short, the internet of things is easily hackable as of now. One presenter hoped that manufacturers and service providers will start making security a fundamental aspect of design and of every solution across the value chain, not a last-minute afterthought of “okay, now how can we secure this?” Keep in mind also the issue of updates and patches. Consumers are used to buying new phones every two years to keep up with technology. They’ll be less inclined to do so with major appliances, so device longevity is a factor. What happens to your refrigerator’s software and firmware as technology advances while it stays in your kitchen for 15 years?
- Hacking is inevitable. This scary concept was repeated by several presenters. 2.4 billion records (that we know of) have been compromised since 2013. The FBI director told Congress that there are two kinds of companies – those who have been hacked and those who will be hacked. In this kind of climate, companies and organizations must assume their systems are compromised. What’s worse, 30% of hacks come from the inside (the big Target hack came via the company’s HVAC vendor), and it can take up to six months between a hack and its discovery. That said, companies don’t necessarily have much incentive to strengthen their security to protect customer records. The Sony hack cost that company between 2% and .9% of its sales, while Target’s hack cost that company just .1% of sales. None of those figures, of course, includes the cost to the consumers or the credit card companies to clean up the mess.
- Security should be more important. As mentioned, from security experts comes the insistent drumbeat of addressing security vulnerabilities at the design stage, rather than building a band-aid fix at the end. Bad decisions from the past that ignored security concerns continue to create problems for us today in legacy systems and products. (In 2005, researcher Marcus Ranum outlined the six dumbest computer security ideas: http://www.ranum.com/security/computer_security/editorials/dumb/.) The solution for most of those problems, as one presenter noted, involves an unending list of rules and red-flag warnings delivered to users in a kind of IT version of “blame the victim.” And while companies may spend an estimated $80 billion on cybersecurity in 2016, the budget of the international OpenSSL project (which seeks to better encrypt the internet) is only $1 million, and it is staffed mostly by volunteers.
- The Secret Service hunts hackers. The conference featured a talk by a Secret Service agent about his efforts in finding hackers. One case took four years, but they eventually arrested two international hackers who had stolen over 2 billion records. By the way, if the suspect is in Russia or China, there’s no way to get them out, though the agent did remark that hackers like to travel with their riches. When one attendee asked about the infamous “deep web” where shadowy transactions are made, the agent smiled with a shrug and said, “We’re there, too.”