Companies that develop products used to maintain our infrastructure have a big problem. The security of the infrastructure is 10 years behind the times. There are three types of companies:
- Some companies don’t care about security.
- Some make a token effort to secure their products, and the executives think things are just fine the way they are. After all, they haven’t been hacked yet. So they must be okay. And Joe, the guy who designed the security, is a sharp guy. True, they asked him at the last minute to bolt on some security, and they gave him a fixed budget and an extremely short deadline. And Joe delivered.
- Some realize that there are major issues, but don’t have enough money to do the job the right way.
All three types of companies are in trouble. But only one type realizes it. It’s going to take some stimulus money to fix this. Adding security is a tough business decision. How many customers are willing to pay more and get less functionality?
But let’s assume companies find some funding, and address their security issues. Should there be a fourth category – those companies that have perfect security? No. Their security may be adequate for today, but if they stop advancing, their security gets weaker over time. Security is not the same as simple engineering. You can solve an engineering problem once, and the product will always perform the same way.
Security is not like this. Do nothing, and your security degrades. The more time passes, the more the security degrades. Some of the components of the new Smart Grid are supposed to last 20 years in the field. There is no way a secure system will remain secure for 20 years. Computers become faster, and can do brute force attacks faster every year. 56-bit DES was secure. Then 10 years ago, in 1999, someone proved it’s no longer secure. The same thing happened with the MD5 hash. Look at the recent Voting Machine Hack. Checkoway and his colleagues found a way to hack into a machine where all of the software was in ROM. It’s a clever hack, and not one the designers imagined 10 years ago. And 10 years is a long time for security. Can we really think we can build a smart meter that will be secure for 20 years?
Companies are ignorant about the risks of security. This is not surprising. The only reason a company goes public about a hack is when they are forced to admit it. How, then, is a company able to calculate the probability of a hack? Frankly, security is primarily guesswork, and funding decisions are based on public interest, not on where it’s really needed. Instead, companies rely on hope and prayer. After all, if nothing happens, the security must be okay.
How can we be protected from companies who are forced to make decisions driven by customer demand, and by that I mean the customers’ demand for lower utility prices? Why should the consumer be forced to pay for blunders on the vendor’s part? And companies can’t measure the risk of inadequate security. It’s pure guesswork.
So what’s the solution?
We have an organization that protects the health of consumers – the FDA, and in particular, the FSIS. They make sure the food we eat is safe. They have more than 7,800 inspectors. Local health inspectors check restaurants for violations to protect the public. To quote Wikipedia,
The vital services of FSIS have touched the lives of almost every citizen, every day in America. FSIS is accountable for protecting the lives and wellbeing of 295 million U.S. citizens and millions more around the world.
Why can’t we do the same thing for Cybersecurity? Let’s set up an agency that breaks into our infrastructure systems. If they succeed, the company gets fined. The details of the problems are kept confidential.
That should keep the companies on their toes. This agency will only get better over time. This cyber-FDA would be a great place to train our hacking talent. They will develop their own tools. The tools are kept internal to the organization. We shouldn’t give weapons to our enemies. The cost of maintaining the organization would not be that high. There is also a chance of promotion into other government agencies for our top hackers.
And perhaps the fines they levy on companies can be used to do more research into security. Seems like a win-win situation.