My Cybersecurity course has a lot of technical detail. Maybe not as much as some students wish, at least in certain topics, but finding the appropriate balance between breadth and depth is difficult.
I try to convey an important message to students, though: in order to understand the dynamics of cybersecurity in the real world ("why are we still not applying fundamental principles formulated 50 years ago?", "why are there so many vulnerabilities?", "why is such an obvious defense not ubiquitous?"), one must never think solely in technical terms or, even worse, in moral terms ("you have to make sure that your code does not have any vulnerabilities, otherwise you will be a sinner and go to hell!", "company X is evil because it does not release patches for its vulnerable software!").
What I tell students is that one must always think in economic terms ("yes, this defense is interesting...but what is its cost in terms of false positives?", "yes, I should deliver code without vulnerabilities...but what is the cost of minimising their likelihood? Would that give me any advantage over my competitors? Do I have any liability if I deliver software with some vulnerabilities?"). Besides, I have collected several extremely interesting readings in this respect, here and here (I think that no student ever reads them because they are not required for the exam).
I have recently read a very interesting story that demonstrates the tension between security and incentives (i.e., money) perfectly. In a nutshell, according to the sources referenced below:
- The US defense department was preparing billion-dollar contracts for building "federal cloud services", i.e., cloud services kept sharply separated from the instances used by the other customers of the cloud provider.
- Microsoft cloud services were not sufficiently robust for satisfying the requirements of these contracts.
- Microsoft thus considered a workflow with many specialized engineers capable of fixing any issues such as crashes, failures, performance problems and so on "quickly", i.e., more or less on the fly.
- These engineers obviously need high-privilege accounts, as they need to execute commands capable of reading and modifying the configuration of virtual machines and of software in the "federal cloud services".
- These jobs required many people with sophisticated skills. Microsoft had, and still has, plenty of Chinese engineers with the required capabilities.
- The US defense department wanted to involve only American citizens in this role, for obvious reasons of national security. But "for Microsoft, the suggestion was a nonstarter...because the increased labor costs of implementing it broadly would make a cloud transition prohibitively expensive".
- The Microsoft person in contact with the defense department then had a brilliant (?) idea: hiring American citizens to work as "digital escorts" for the Chinese engineers. The Chinese engineers send commands to the American citizens, who copy and paste those commands for execution on the "federal cloud".
- When Microsoft discussed this idea internally, a person involved in cybersecurity strategy "opposed the concept viewing it as too risky from a security perspective"; the corporate vice president of the cloud division instead "embraced the idea as it would allow the company to scale up".
Guess which decision was taken.
Also guess whether the "digital escorts" are as skilled and competent as their Chinese colleagues and, most importantly, whether they are able to understand the potential security issues within, say, a PowerShell script.
Interestingly (according to the sources below), those who opposed the idea of "digital escorts" have left Microsoft; the Microsoft person who suggested the idea does not remember the discussion mentioned in the last bullet of the list; the vice president of the cloud division did not respond to the reporter who compiled this story.
Another interesting fact. In 2023, a group of attackers stole more than 60K emails of "many of the most senior U.S. government officials managing US relationship with the People's Republic of China - the espionage equivalent of gold". Guess which government has been linked to this group of attackers.
The report by the Cyber Safety Review Board appointed to analyse this incident does not mention "digital escorts". Maybe they had nothing to do with the incident, or maybe they were too embarrassing to disclose publicly. I do not know. The report, however, clearly states that "...Microsoft’s security culture was inadequate and requires an overhaul" and "the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.".
Great, but how does one resist billion-dollar contracts?
Sources: