The politicisation of patching
Can economic sanctions really improve the security landscape?
The EU announced this week that the option of full economic sanctions is open to deal with malicious attacks on EU states' computer networks. At first sight this sounds like a reasonable strategy, but it raises interesting questions for the security industry as a whole.
The potential restrictive measures, which include travel bans, asset freezes and blanket bans on doing business with a person, company or government, could be used for the first time. EU foreign ministers agreed the framework, with the bloc saying in a statement that "a joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity."
The move reflects concern over cyber attacks on voting systems and large-scale incidents such as WannaCry, but it also highlights a growing trend of political interest in online security that doesn't always pan out as planned. A good example is the UK government's promise to introduce an encryption backdoor in order to prevent criminals and terrorists from plotting in secret, denying them a 'safe space'. Of course, compromising encryption only achieves one thing for sure, and that is compromising encryption: a backdoor cannot tell whether the party using it means well or ill. Rather brilliantly, just weeks later the EU announced plans to ban the introduction of backdoors into encryption, demonstrating how hard it is to reach consensus on security even before politics is added to the mix.
Almost simultaneously, it was announced that banks regulated by the European Central Bank (ECB) will be required to report all major cyber security breaches from this summer. Sabine Lautenschlaeger, a member of the ECB's executive board, said in a speech given in Frankfurt that this would help "assess more objectively how many incidents there are and how cyber threats evolve. It will also help us to identify vulnerabilities and common pitfalls." It is not clear what the penalties for failing to notify the ECB are, but under the soon-to-be-enforced GDPR the penalties for failing to report a breach are significant.
One issue that the ECB doesn't face and the EU does is that imposing widespread economic sanctions depends on having an entity that is clearly responsible for an incident, whether at the level of a nation state or an enterprise, and reliable attribution of an attack is rarely that clear-cut. Unfortunately for business, it's much easier politically to blame corporate culture than entire nations, and the figures on patching known vulnerabilities are not favourable.
A recent Verizon report found that the public sector eventually patched 30 per cent of findings, with only 33 per cent of those completed on time, while the financial sector managed to patch 25 per cent of findings, again with 33 per cent on time.
Ilia Kolochenko, web security expert and CEO of High-Tech Bridge, said at the time that these very low figures came as little surprise: "Many large companies and organizations still fail even to maintain an up-to-date inventory of their digital assets, not even speaking about proper patch management."
Without proper patch management, businesses are often left open to attack, particularly through their applications. "Insecure web applications dominate the top attack vectors in almost all the industries. Cybercrime is a [criminal] business, and thus follows the basic rules of business: spend less, get more. Attackers are always looking for the weakest link in your IT infrastructure, before leveraging expensive 0days and complicated APT attacks. Today, the majority of large organizations and governments can be easily breached via their web and mobile (backend) applications. Emerging risk comes from third-party applications, which are exploited by hackers to compromise your trusted third party and get access to your data afterwards; outsourcing and IT externalization aggravate this complicated challenge. Application security becomes a major problem for organizations and shall be addressed as a high priority", summarised Kolochenko.
So, in the future, would a successful compromise of a web application and subsequent chained attacks, say on partner or third-party companies, be the responsibility of the initial victim and trigger sanctions from the EU? On the one hand that seems unlikely, but on the other, if there is a perception that attacks are rampant and enterprises are failing to prevent them, increased regulation will surely follow.