According to security expert Curt Massey, standards, certifications and compliance force industry and government to keep an inherently insecure system insecure.
Curt Massey spent an entire 35-year career protecting our national security. His military service, civilian law enforcement, corporate security and military contracting experiences have imbued him with the unpleasant knowledge of our core vulnerabilities and a visceral drive to build a team capable of finding answers to questions most don’t even want to ask. “Look, it’s my team," Massey has said, ”they don’t see impossible, they see challenges which they are eager to overcome -- they are saving the world, I just juggle cats.”
A visionary and entrepreneur, Massey now leads STT's strategic direction. Here is what he had to say about today’s world of cybersecurity.
It seems we are suddenly being hit with all sorts of cybersecurity breaches. In general, what seems to be the problem?
In my opinion, we aren’t suddenly being hit with cybersecurity breaches; they are just being reported on a much more frequent basis than in the past. With stockholders and political pitfalls to worry about, many corporations and government entities under-reported cyber attacks and losses until the effects and potential for catastrophic harm have just become too obvious to ignore. Add to that equation the fact that more and more of our critical infrastructure has moved online, and you suddenly have a great plethora of ripe targets whose value continues to increase exponentially.
What is a typical breach and why don’t current security solutions address it?
I hate to say this, but I don’t see a "typical" breach; cyber-crime and cyber-warfare (yes, we are under attack right now) attacks are now directed across all possible targets; basically any machine hooked to the Internet. The techniques used in these attacks haven’t changed, there have been new cyber-crime tools and devices that incrementally increase efficiency and the ease of use for these criminals and national enemies, but all the possible basic means of attack are known and they utilize the same attack vectors. These are the same security holes and flaws that have been with us since prior to the commercialization of the Internet. The major computer/Internet security players attempt to mitigate damage by treating the symptoms, while doing nothing to address the disease. Like prescribing aspirin for headaches while ignoring the tumor that is killing the patient.
Will standards, certifications and compliance address these problems?
No. I will accept that they are well-intentioned, but standards, certifications and compliance are part of the problem. They are the prime reason that all the industry and government experts state that you cannot stop a determined hacker from compromising your network. Standards, certifications and compliance force you to keep an inherently insecure system insecure. If you go all the way back to a nascent ARPANET and follow its incremental development from 1974 to just prior to commercialization in the early 1990s, you find that it was a trusted network, there were no "strangers" involved and it was designed to maximize redundancy during a period where computers were unreliable. The fact of the matter is that the Internet was designed from the ground up to be open, and the practical result of that is the inherent insecurity we see today. The warnings and pleas by the true pioneers of the Internet to address security flaws were completely ignored in the rush to commercialize it.
What is the newest problem that has been found in foreign manufactured chip sets?
Once again, a beast of our own making; after the vast majority of our chip-manufacturing capacity was driven overseas, China – ever industrious and ever serious about their own national security – got into the chip-manufacturing business in a very large way. Years later we find that a great many of our computers and other machines and devices that use microchips -- that could be virtually everything -- are "infected" with rogue chips. These rogue chips are malevolently hard-coded with routines that automatically begin communicating to China’s, and other countries’ cyber-warfare commands, which can also send instructions to these rogue chips. We can’t just replace these millions of chips, as we no longer have the capacity to produce them and, not so shockingly, China and others will not allow us to put inspectors in their chip-manufacturing supply chain
So, yes, we are now forced to rely on the good will of China and other foreign chip suppliers as part of our national security policy; I’m not very comfortable with that.
Are the Russians and Chinese that good or are we just that bad?
The same conditions that enable self-educated children to hack into the Pentagon make cyber-crime and cyber-war "low hanging fruit;" it’s cheap, it’s easy and, for some bizarre reason, there is a great deal of prestige attached. Anybody can acquire the knowledge and tools to penetrate systems hampered by adherence to current standards, certifications and compliance. If you just enter "hacking," or more properly, "cracking" as a search term online, you are well on your way to becoming a world-class hacker.
Have you ever been breached, in any way, by any of the penetration testers or outright hackers who have gone up against your technology?
No. You can’t attack what you can’t see … or touch.
What is so different about your security approach and why does it work?
Most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it.
We refused to accept that premise.
We devoted a huge amount of research into exactly what makes the Internet insecure and found that the answer was right there for anybody with an open mind who cared to invest a little time. We identified the inherent flaws and determined methods to fix them. Our approach was simple in concept, but excruciatingly difficult and complex in execution. We had to be able to "plug the inherent security holes" and ignore the protocols and standards that promulgate an insecure Internet. But our technology also had to still be able to function seamlessly and flawlessly within that same environment and do so in such an efficient and faultless manner so as to run unnoticed by the user and incur negligible performance hits on average computers. It needed to be redundant, self-healing and not interfere with existing network infrastructure.
We have achieved our goals. A properly configured STTealth network is impenetrable from external and internal cyber-attack. Our messaging component is orders-of-magnitude more advanced, stable and … private than any other technology in existence.
Oh, and those rogue chips? They are completely emasculated and isolated; we also identify machines thus affected.
Where do you see IPS security going in the next few years and where are the roadblocks occurring?
We will truly solve the issue for those smart and agile enough to incorporate our technology. Many, of course, will continue to keep their heads in the sand and will find that, as more networks become unassailable by virtue of our technology, they will become the focus for continually increasing attacks. Many haven’t been attacked simply because the Internet is such a target-rich environment.
As far as the road blocks, once again, standards, certifications and compliance; that and the fact that people are stuck in this "punch, counter-punch" mentality of reacting after their current, very expensive IPS is broken and then buying the next, very expensive version and on and on, ad-nauseum. This scenario certainly makes some players a lot of money, but it will never solve the problem.
I do believe that we will all look back on the era from the early 90s until today as a very strange time when we allowed the very conditions to exist that enabled widespread cyber-crime and cyber-war.
Larry Karisny is the director of ProjectSafety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.