Cybersecurity Weapon Control
While gun control in the United States is a very passionate topic for some, cybersecurity weapons are freely available to those that have the inclination to obtain them. With the recent disclosure of several cybersecurity tools (including the paid for Cobalt Strike) this may spark another conversation of regulation of software.
The open-source nature of collaborative software development can lead to greater access for enthusiasts, professionals, and criminals alike. With some features being granted on a pay-to-play basis, there are also other software packages that require an outright purchase and license to use. We see that eco-systems developed around Linux, Mac, and Windows are prolific with free software that is written for the communities, albeit closed source at times.
This freedom to obtain and use software may find itself regulated in the near future. There are accountability issues that arise from allowing cyber-weapons to fall into the hands of threat actors. If software engineers could find a way to create dependance for an online library or function in regards to registration, there may be a security control that could be applied.
Without advocating for controlling what is perceived as a open and free resource, it might be time to consider the registration of cyberweapons and their use online. When clients such as the U.S. Government become part of an attack from an Advanced Persistent Threat, it creates a window of opportunity to impart influence based on the open-mindedness of the affected. Not that drastic measures are warranted, but this could be time to construct the shell of the conversation.
Supply Chain Attacks
A supply chain attack is an indirect attack that originates from an organization that provides a good or service to the company being attacked. The idea here is that while the primary organization (US Government) will have strict security controls, it is not likely that all of the supplying vendors have the same controls.
We can see that the trust relationship, or relational boundary, between the primary organization and the vendor are what is truly being compromised. When the primary organization develops any outside relationships without requiring the same set of controls that they use internally, they will be susceptible to this type of attack.
The US Government typically relies on practices and control standards that are guided by a series of publications referred to as NIST Special Publications. While there are many different publications, NIST Special Publication 800-53 Rev 4 (Security and Privacy Controls for Federal Information Systems and Organizations) is of particular note concerning the management of internal systems and can be found here:
For agencies within the US Government that work with other companies, NIST 800-171 Rev 2 and the burgeoning CMMC (Cybersecurity Maturity Model Certification) provide guidance on how business should be conducted. Of course, just informing you that these standards and certifications exist is not enough to satisfy are need to understand the complexities of what has gone on.
For complexity sake, lets just say a man named Adam runs an organization named ACME. He has to manage all of the computers and he doesn’t have time to do it himself. Instead, he looks to industry leading software to manage his assets last March, and he is happily doing business for the rest of the year.
In December he finds out that the software he was using has been compromised, even though he has the best security around. He doesn’t have log retention for the last nine months because there were no indicators that he was compromised. Now Adam has to assume that everything in his company could have been compromised, and this incident now costs Acme more money than would have been saved by the management software.