Simple Endless Weakness

We have moved past the Advanced Persistent Threat (APT) and now live in a world of the Simple Endless Weakness. Why waste the money developing unique, highly complex malware to accomplish a task? Burning carefully-crafted attack code that will quickly have a signature and behavior profile seems pointless when you can use an attack so ubiquitous it could be attributed to anyone. When the majority of sites cannot pass an OWASP Top 10 scan, we no longer need zero-days to inflict damage on a large scale. Like a bent cartoon rifle pointed back at itself, it can do damage that operators with near zero skill can’t understand and don’t predict.
IoT – Internet of Threats

Many estimates show between 50 and 100 devices are added to the Internet every second. These numbers may be inflated or hyperbolic, but even if they are, we saw how easily many IoT devices were leveraged to DDoS Internet services with the Mirai botnet. At what point is the Internet no longer an infrastructure but the sum of its vulnerabilities? When we reach the point where the vast majority of the Internet is made up of unpatched, vulnerable and poorly-configured devices that can be orchestrated to inflict devastation – doesn’t that majority make it a weapon? A tool can be a weapon, and a weapon can be a tool. However, if the tool is used more and more frequently as a weapon, should it be treated as a tool or a weapon? This may seem melodramatic when looking at the loss of Netflix for a few hours, but will it be far-fetched when a power grid goes offline? What about air traffic control?
Protocols Aren’t Diplomacy

The world of statecraft used to be one of overt and covert “diplomacy.” In diplomacy, you have protocols. Rules of engagement allow for communication to occur via the proper channels. The Internet is no different. It uses BGP, TCP, UDP and a plethora of others to facilitate communication. However, the Internet protocols aren’t diplomacy. They are much closer to double agents; they are allies and saboteurs at the same time. The recent DynDNS attacks showed us how attacks on DNS infrastructure can cause massive service outages. By its nature, the Internet was always interconnected to provide redundancy. Like the alliances designed to prevent wars, our shared infrastructure was meant to strengthen us. Now, it is used against us. Diplomatic protocols were designed to prevent wars. What happens when those protocols are used as a weapon of war?

Perhaps we would get further protecting the Internet if we treated it as a weapon and not a flawed tool. How we should do that is anyone’s guess. Much like Pandora’s Box, it is already open. We could look at regulation like the gun safety laws weapons manufacturers follow. We could look at the Cyber UL to guide manufacturers to make more secure devices. No matter what we do, we need to stop looking at the Internet as an always-on resource and instead as one that, if not actively protected, will become a weapon of mass destruction for anyone who wants to use it.