Enough is Enough – Change Must Begin Now
Beginning last week, many organizations around the globe found themselves responding to infected computers in their environments that were hit with new malicious ransomware called “WannaCry.” Most other organizations reacted quickly to protect their network-critical files from being taken hostage by cyber criminals and held for ransom. And we are now seeing new variants of the exploits.
While experts continue to investigate the technical details, the most urgent need is to identify and ignite change that aims to lower the chances that this will happen again. This incident should prompt a broader discussion about the crucial role that all involved parties play, including those who find vulnerabilities, technology vendors who fix them in products and services, and customers who operationalize technology and rely upon it in this digital age. The approach for each group to contribute to the end result is very different.
A Way To Think About This Event
The current event brings into focus the issues that need to be discussed and thought through when:
- a vulnerability is found,
- an exploit is created and/or used to leverage the vulnerability,
- a technology vendor learns of the vulnerability and issues a fix (or is not aware of an issue),
- a technology operator must update (for example, a customer’s IT department).
Those Who Find Vulnerabilities
This past week’s events are a call to action regarding policy changes that put defense and resiliency first. We at Cisco plan to amplify the demand for clear policies related to governments around the world disclosing vulnerabilities. Confidence in the global internet is being undermined by allegations that some governments stockpile and exploit security vulnerabilities in products, rather than reporting them to those who can fix them. Vulnerabilities should be disclosed immediately when found, apart from short-term exceptions by court order when an effort to save lives is directly involved. As last weekend’s shutdown of hospitals in the UK shows, lives are also put at risk when critical infrastructure is endangered because of undisclosed vulnerabilities.
The event underscores the importance of having transparent processes, subject to meaningful oversight, for how governments handle and disclose vulnerabilities. Cisco is, therefore, encouraged to see new bipartisan legislation introduced in the United States Senate on this topic. We look forward to working with the proponents of this legislation, and with governments around the world, to establish new rules of the road: rules designed to quickly route information about vulnerabilities to organizations capable of acting upon it to protect security in a timely manner.
Increased transparency about the process and how it works will build more trust, and will mitigate the risks of undisclosed vulnerabilities. It should not be a matter of “if” governments are required to notify vendors, but “how long” until governments must notify them. Recent experience demonstrates that we must assume secrets will eventually fall into the hands of those who can exploit them. Therefore, we have to act quickly to ensure vendors have a reasonable opportunity to defend their customers and users before those disclosures occur.
Those Who Exploit Vulnerabilities
To be clear, those affected by this incident are victims of a criminal attack. The perpetrators are at fault here. And the affected individuals and organizations deserve a thorough investigation to find the bad actors, and to seek justice as well as peace of mind. To that end, Cisco will redouble our efforts to aid law enforcement agencies in identifying the bad actors behind these types of incidents.
Those Who Can Fix Vulnerabilities
We must acknowledge and (frustratingly) accept that software, hardware, and services vulnerabilities exist today and will continue to be discovered, no matter how hard we all work to avoid them. With millions of lines of code, thousands of configuration options, and a single wrong keystroke able to produce a bug that goes undetected, complexity is quite possibly the single biggest contributing factor. That said, technology vendors don’t get a “pass” here.
When it comes to managing vulnerabilities and bugs, technology companies’ interests and those of our customers need to be 100 percent aligned. Cisco recognizes the technology vendor’s role in protecting our customers, and we won’t shy away from our responsibility to constantly strive to do better. For a decade, we’ve aimed to reduce the security vulnerabilities and risks associated with our products through industry-leading efforts such as Trustworthy Systems initiatives, Cisco Secure Development Lifecycle, Cisco Common Crypto models, and Product Security Incident Response Team (PSIRT) and Vulnerability Disclosure policies. Is it perfect? No. Are we ever satisfied? No. Are we striving to do better? Resoundingly, yes!
Those that Need to Deploy the Fixes to Vulnerabilities
If you accept the premise that there will be vulnerabilities despite all attempts to avoid them, then once the security update is available, oftentimes it falls to the users or administrators of that technology to deploy it.
Good technology operational hygiene is essential, and organizations need a measurable operational model to understand and manage security updates. This includes having an emergency response process to handle real-time threats like the recent one we saw. In terms of establishing what is possible, organizations can take into account things like Vulnerability Dwell Time (how long a known vulnerability remains unpatched in the environment) and the acceptable level of risk within the network – all of which should be understood and agreed to by senior leaders.
Network defense continues to require an ongoing “protect, detect, and remediate” strategy, and the best way to secure a network is through a multi-layered, end-to-end approach. This means: prevent as many threats as possible from getting in, have tools in place that identify those that do, and others that will contain and fix the issue.
Delivering trust and security in technology is a multi-party responsibility. Cisco remains committed to our holistic security approach beginning when a Cisco product is conceived, through its development, manufacture, and deployment. We will continue to provide the resources necessary so our customers know what they need to do to safeguard against cyber criminals. And we will also continue to advocate and engage the necessary stakeholders to ensure that policies evolve to maintain confidence in the global Internet.