Something did not sit well with me yesterday. I have been mulling things over for most of today and it all started with Politico (at https://www.politico.com/news/2023/09/12/pentagon-cyber-command-private-companies-00115206) where we are given ‘The U.S. is getting hacked. So the Pentagon is overhauling its approach to cyber.’
This setting comes in a few stages. Let's start with the given that I have no opposition to the Pentagon getting involved. But the stage is not that simple. So we start with the quote “attacks on critical U.S. companies and federal agencies, and as the Pentagon eyes Chinese hacking efforts with increasing concern.” The first issue is that I would have said “Chinese and Russian hacking efforts”, as it would be more accurate. There is an additional side to all this. If American corporations had done their job BETTER, this issue would not be the critical issue it currently is. Consider:
Equifax (2017)
Marriott International (2018)
Capital One (2019)
First American (2019)
SolarWinds (2020)
Colonial Pipeline (2021)
LinkedIn (2021)
Microsoft Exchange Server (2021)
Twitter (2022)
This is merely a small sample, and each of these cases put millions of records online. In this list LinkedIn stood out with “Personal records of over 700 million users – 92% of the user base – were scraped from the platform and put up for sale in a hacker forum. Why did this happen? Attackers found a public API without authentication and breached it to scrape content.” This case is also the larger issue (besides the fact that it was an API, a risk I wrote about in ‘A simpleminded A, B, C’ on August 30th, at https://lawlordtobe.com/2023/08/30/a-simpleminded-a-b-c/), a simple setting now out in the open. People still think I was grasping at straws? Here we see (in the LinkedIn case) “Attackers found a public API without authentication”, so couldn’t they do their bloody jobs? I understand the Pentagon’s position, but there needs to be a bill for utter stupidity, and a link to your data without authentication is definitely one.
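The LinkedIn line above, “a public API without authentication”, is the failure mode worth seeing in code. The following is an added example and is not LinkedIn’s API or anything from the original post: a constructed user table behind an endpoint that answers anyone, the enumeration loop a scraper runs against it, and the same endpoint with the two controls that were missing, a bearer token verified with an HMAC and a per-client request budget. The user records, the server secret, the client id and the limit values are all made-up assumptions.

```python
"""Added example: an unauthenticated profile endpoint versus a guarded one,
and what an enumeration scraper gets from each. All data is constructed."""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample user base: stand-in for a real platform's user table.
USERS = {
    uid: {"id": uid, "name": f"user{uid}", "email": f"user{uid}@example.com"}
    for uid in range(1, 1001)
}

# Hypothetical server-side secret used to mint and verify API tokens.
SERVER_SECRET = b"constructed-secret-do-not-use"


class OpenApi:
    """The failure mode: GET /users/<id> answers any caller, no credential needed."""

    def get_user(self, user_id, headers=None, now=None):
        user = USERS.get(user_id)
        return (200, dict(user)) if user else (404, None)


def mint_token(client_id):
    """Issue 'client_id:mac' where mac = HMAC-SHA256(secret, client_id)."""
    mac = hmac.new(SERVER_SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}:{mac}"


def verify_token(token):
    """Return the client_id if the MAC checks out, else None (constant-time compare)."""
    if not token or ":" not in token:
        return None
    client_id, mac = token.rsplit(":", 1)
    expected = hmac.new(SERVER_SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return client_id if hmac.compare_digest(mac, expected) else None


class GuardedApi:
    """Same endpoint with the two controls the open version lacks: a bearer
    token on every request and a per-client request budget per time window."""

    def __init__(self, limit=100, window=60):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(list)  # client_id -> request timestamps

    def get_user(self, user_id, headers=None, now=None):
        headers = headers or {}
        now = time.time() if now is None else now
        auth = headers.get("Authorization", "")
        client = verify_token(auth[7:]) if auth.startswith("Bearer ") else None
        if client is None:
            return 401, None  # no valid credential: nothing is served
        recent = [t for t in self._hits[client] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[client] = recent
            return 429, None  # budget exhausted: bulk enumeration stalls here
        recent.append(now)
        self._hits[client] = recent
        user = USERS.get(user_id)
        if user is None:
            return 404, None
        # Data minimisation: even an authenticated lookup never returns the e-mail.
        return 200, {"id": user["id"], "name": user["name"]}


def scrape(api, headers=None, max_id=1000, now=0):
    """What the attacker runs: walk the id space and keep whatever comes back.
    Returns (records, {status_code: count})."""
    records, counts = [], defaultdict(int)
    for uid in range(1, max_id + 1):
        status, body = api.get_user(uid, headers=headers, now=now)
        counts[status] += 1
        if status == 200:
            records.append(body)
    return records, dict(counts)


if __name__ == "__main__":
    recs, counts = scrape(OpenApi())
    print("open API:", len(recs), "records", counts)
    recs, counts = scrape(GuardedApi())
    print("guarded, no token:", len(recs), "records", counts)
    hdrs = {"Authorization": "Bearer " + mint_token("scraper-1")}
    recs, counts = scrape(GuardedApi(limit=100), headers=hdrs)
    print("guarded, valid token:", len(recs), "records", counts)
```

Against the open endpoint the loop walks off with the entire constructed user base; against the guarded one an anonymous caller gets nothing and a credentialed caller is capped at the budget per window, which turns a one-pass scrape into something the operator can see and throttle. Neither control is exotic, which is the point the post is making.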
Corporations have been cutting corners on cost and staff, and now that the consequences are out in the open, the Pentagon needs to rescue them? Screw that!
It is nice that the Pentagon comes to the rescue, but every rescue needs to come with an audit of that company and a hefty bill for the action. Consider a pointless call-out of the coast guard or marine rescue: the people responsible get a hefty fine. I see someone who deploys an API without authentication in pretty much the same way.
Yet the article is merely the start. You see, we can all agree on “Hackers are increasingly infiltrating private companies and government agencies far outside the Pentagon’s usual purview, and the hacks are being perpetrated by cybercriminals who honed their strategies abroad before striking the United States.” OK, that is fine, and the fact that the Pentagon and its digital weapon systems are brought to bear is fine, but the utterly stupid setting created by corporations that cut corners is part one, and that is on those corporations. I am even willing to accept that it took a disgruntled employee to hand visibility to the wrong people. Yet that also implies that these corporations have a larger problem, and THEY have to pay for that.
So about three weeks ago, we were handed the 2023 DoD Cyber Strategy guide. The PDF (see bottom) is a nice piece of work. My issue is with page 6, where we are given “The Department will continue to persistently engage U.S. adversaries in cyberspace, identifying malicious cyber activity in the early stages of planning and development. We will track the organization, capabilities, and intent of malicious cyber actors. We will leverage these insights to bolster the cyber resilience of the Nation and will coordinate with interagency partners to publicize this information as circumstances permit.” As I personally see it, it should say “The Department will continue to persistently engage U.S. adversaries in cyberspace, identifying malicious cyber activity in the early stages of planning and development. We will track the organisation, capabilities, and intent of malicious cyber actors, whilst registering corporate shortcomings. We will leverage these insights to bolster the cyber resilience of the Nation and will coordinate with interagency partners to publicise this information as circumstances permit, where corporate shortcomings will not be silenced.” Some will state that this is not the job of the DoD, and they would be correct, but corporate America fell short and now wants help; that shortcoming needs to be illuminated as well. You cannot have it both ways.
The document gives us a lot to think about and I agree with 99% of it all, especially when it comes to the Department of Defense Information Network.
I created the Hub+1 intrusion solution in 2014 (or 2015). As far as I know, no one is at this time ready for that creative little caper. I got there shortly after the Sony hack. The information never added up to me and I started to wonder how it could have been done (re-engineering the possibilities is always a nice way to find the issue). And all this is long before we consider issues like non-repudiation, a simple setting I learned about at UTS (University of Technology Sydney) about three years before the Sony hack, and corporations have been cutting corners ever since. Consider the routers of the FBI, DoD, DMV, Department of Homeland Security and the postal services. Now check EVERY router and tally the ones where the password is Cisco123. I reckon you will find close to a dozen routers. I know it is more presumption than speculation on my side, but that is the larger failure, and that is BEFORE we check all the corporate routers. People in IT have been too lazy (for many obvious reasons, most of them involving resource shortages), and why should the Pentagon pay that bill?
I see that corporate America needs to pay for cutting corners; the Pentagon has enough issues to work through, and when it needs to step in (and shortcomings are found) that corporation needs to get billed. This is specific. Corporate players cannot shield themselves from top-tier hackers, that is BS. But letting the Pentagon pay for corporate stupidity is equally stupid, and that needs to be out in the open.
So this was my rant on stupidity, enjoy the day.