The incoming US administration, led by President-Elect Donald Trump, has the unfortunate circumstance of inheriting modern cybersecurity threats facing not just government, but also businesses and end users alike. We have built our next generation economy on digital transactions, instant information, social media, and Internet of Things devices, and each presents a path to risk.
Unsecured IoT Presents a Significant Risk
Speaking specifically to IoT – while the intent of these devices is to increase productivity, streamline information gathering, and provide convenience and luxury in the digital age, many of these devices suffer from security risks that range from simply absurd to end-of-life, including:
- Devices that have the same password, which cannot be changed. This is the case with the Mirai botnet, successfully used in cyberattacks against the United States, France, and Liberia.
- Products that are older, end-of-life, and no longer receive security updates, like Windows XP and Windows Server 2003, and that are still used worldwide.
- Critical infrastructure, like power generation, election systems, and 911 systems, that is vulnerable to modern attacks due to age or flaws in other devices that can cause outages, like Distributed Denial of Service (DDoS) attacks.
- Consumer and business-class products that have not been properly secured via passwords, security updates and patches, or even guest access.
Hackers will always take the path of least resistance to achieve their goal, whether a foreign nation attacking a mail server or a hacker looking to steal credit cards. If there is a simple way to conduct the crime, and go undetected, they will pursue it. The incoming administration has to tackle these problems and ensure that the flaws mentioned above do not compromise our security as a nation.
Recommendations That the Trump Administration Should Consider Immediately
- Engage the Federal Trade Commission (FTC) and independent bodies, like Underwriters Laboratories (UL Listing), to establish minimum standards for security a device must adhere to when connected to the Internet. We all trust that plugging an appliance into an outlet will not cause a fire, so why not establish that a device connected to the Internet will not create a cybersecurity risk? As businesses and consumers, we have no idea if these devices are safe, and we need to establish guidelines that manufacturers need to follow. These technologies, in many cases, are in their infancy and we need to address the risks now before it becomes too late.
- Enforce that end-of-life products be removed and properly disposed of across all government agencies and critical infrastructure. Some power generation utilities are still running operating systems like Windows NT 4.0 and are unable to be updated, so they should be replaced due to current regulations and cost of replacement. These systems represent a massive risk to our critical infrastructure, but we have adopted a “band-aid” approach of tools and segmentation to contain the issue. This is not sustainable. We need to move forward and remove these legacy systems, plan for new ones, and remediate the risks just like fixing aging bridges and roadways.
- Modernize the penalties for cybersecurity, and create a new industry. Our laws for cybersecurity attacks are grossly inadequate and based on whether the attack involves financial theft or intellectual property. Remember when Napster and BearShare allowed the free downloading of music without paying royalties? Today, the sharing of music illegally is well understood as a crime, and whole businesses like Apple iTunes and Spotify have been built around the legal distribution of music to manage the end-user demand. Illegal cyber activity can be turned into capitalism legally if we address the crimes correctly and provide businesses a vehicle to thrive on the activity. For example, it is currently illegal to hack back if you are being attacked. Why? An entire business of offensive cybersecurity technology could be spawned if businesses could fight back and bring the cyber war back to the black hats' doorstep if they try to breach a company.
While these three recommendations are generally common sense, I recognize the third one is highly controversial. We live in a controversial time and just elected a President that has never served in politics or the military before, is the oldest President-Elect, and has some highly controversial opinions on life and the direction for our country. This represents a new opportunity to address the core risks and not be afraid to break new ground when necessary since the next generation economy and cyber age is here to stay.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.