The Pacific Rim attacks against Sophos’ firewall software represent a much larger issue in the cybersecurity industry – the accumulation of digital detritus caused by obsolete and unpatched hardware and software. This essay explores the challenges posed by this digital detritus and offers insights on how the industry can address this pressing problem.
According to Jen Easterly, the director of the United States Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity industry faces a significant software quality problem rather than a cybersecurity problem. This is because technology companies have been shipping and deploying software with exploitable defects, leading to the need for a multi-billion dollar cybersecurity industry. In response, CISA has launched initiatives like Secure by Design to shift market attitudes towards prioritizing secure software development.
The vulnerabilities exploited in the Pacific Rim attacks had already been disclosed and remediated. Despite potential market reactions to such public transparency, Sophos decided to share the full report to highlight the improvements made as a result of confronting these challenges. The industry faces challenges such as the increasing trend of vulnerabilities towards the unforgivable over time, emphasizing the importance of addressing digital detritus to enhance cybersecurity.
The analysis of cybersecurity vendors’ vulnerabilities sheds light on the need for improved software quality and secure development practices. Factors like market success predicting exploitation, competition aggravating moral hazard, and the operational burdens of patching further complicate the state of cybersecurity. It is crucial for vendors to prioritize secure software development and accountability to mitigate these risks.
The essay also delves into the concept of digital detritus, drawing parallels to environmental issues like pollution and space debris. The negative externalities of digital detritus impact both buyers and vendors, highlighting the need for a shared responsibility in addressing these challenges. By aligning with initiatives like Secure by Design and adopting best practices, cybersecurity vendors can lead the way in improving the state of cybersecurity for all stakeholders.
Lessons learned from the Pacific Rim incident underscore the importance of investing in programmable telemetry and analytics, operationalizability, customer outreach, and collaboration with stakeholders. By monitoring their fleet of assets, vendors can stay ahead of adversaries and protect customers effectively. The essay also emphasizes the need for vendors to engage in responsible disclosure practices and foster partnerships for a more secure cybersecurity ecosystem.
Proposed solutions to the digital detritus problem include certified lifecycles, recycling incentives, and secure by design pricing markets. By promoting ethical principles and striving towards cures rather than just treatments in cybersecurity, the industry can work towards a more secure future. Collaboration and transparency are key to addressing the challenges posed by digital detritus and improving cybersecurity outcomes for all.