I’m a former nation-state exploiter — here’s why I know Open Security is our best defense
No single organization is prepared to stop an attack from a nation-state
Not so long ago, I woke up every morning focused on one thing: finding and exploiting vulnerabilities.
During my 10 years working for the U.S. National Security Agency (NSA), my single objective was to identify and exploit networks to collect foreign intelligence. I was fortunate to work alongside the world’s best professional vulnerability and exploit developers. My time serving my government was formative and humbling. I learned impossible challenges are possible through unwavering persistence and patience.
But that was more than a decade ago. Now I sit on the other side of the table. I work with amazing people to build defensive cybersecurity software that protects the world’s data from attack.
As most of us understand, even the most sophisticated cybersecurity defenses are no match for well-funded, highly motivated nation-state adversaries. But there’s one thing I think more security professionals and vendors need to embrace: we can harness our untapped strength by working together as an open, transparent, and collaborative security community.
That’s why the most efficient strategy to prioritize discovering and responding to a breach is with open security — a transparent, interoperable, accessible cybersecurity stance.
Open security is not only the best defense for any organization, it should be the path forward for the security industry as a whole.
[Related article: Continued leadership in open and transparent Security]
Closed code doesn’t reduce risk
Closed code does not make a product — especially security products — safer or more secure. Rather, it's your product’s relevance that contributes the most in determining your risk.
If your organization or the products you use are popular for any reason, someone is going to find a vulnerability. And if that someone is a nation-state, as was the case with the closed-source SolarWinds product Orion, know that your attacker has nearly infinite time and resources to invest in finding a way around your most sophisticated defenses.
Our adversaries love what they do. There’s a gamification aspect to finding and exploiting vulnerabilities in software that’s highly motivating. Attackers are competitive. They want to be the first one to find a way into their target. If your organization or product is relevant, people are obsessing over how to exploit it 24/7.
Is your security team prepared to face off against such formidable opponents?
Endemic talent shortages in cybersecurity are a growing problem. And cyberattacks are increasing in number and sophistication every day. Breaches are inevitable. There are few, if any, organizations that are prepared to take on this mounting threat. How can we shift the momentum in our favor?
Log4j was actually a success story
The recent Log4j incident, which many people viewed as a security failure, actually beautifully illustrates why open-source can be more secure than closed systems.
Chen Zhaojun, a member of the Alibaba Cloud Security team, found and responsibly disclosed the Log4j vulnerability because that’s what he was paid to do. Because the Log4j library was open source, researchers were able to scrutinize it for problems.
The discovery set off a global chain reaction of notifications and patches that likely saved millions or even billions of dollars in potential damage had the vulnerability instead been discovered by an attacker. Alibaba’s investment in open security paid off for everyone who was impacted.
Contrast that with a nation-state’s attack on the propriety code at SolarWinds. In the years before it was discovered, the breach provided unfettered systems access to at least 100 companies and a dozen U.S. government agencies.
Would Log4j have been discovered in a closed and proprietary product? Probably. But it's more likely a sophisticated adversary with ill-intent would have found it. No disclosure to relevant parties. No patches. Just quiet exploitation.
Open-source creates the right incentives to make it harder to hide and avoid fixing flaws in relevant products.
More scrutiny equals better security
The security industry today is too closed. Effective products sit behind expensive paywalls. And many vendors are afraid of the risks to their reputation if they open themselves up to scrutiny.
But our only hope to face off against organized and motivated adversaries is through openness and collaboration. We need to take advantage of and invest in the strength of our security community.
Opening yourself up to scrutiny keeps you honest and incentivizes you to build a better product for your users. Think of it like going to the doctor for your yearly physical. If you catch a problem early, you can do something about it. If you wait, it might be too late to mitigate the damage.
Open code is an important start, but as an industry we also need to invest more in the people and efforts that help us scrutinize relevant products. Endeavors like Google’s Project 0, Google’s recently announced Open Source Maintenance Crew, Zero Day Initiative’s Pwn2Own, and grsecurity’s Linux security research are just a few examples.
The security industry cannot afford to leave potential vulnerabilities unexamined. Let’s work together to elevate the way we think about security. We really are stronger when we work as a community.
What are your thoughts on open security? Hit me up on Twitter at @snowboardvstree to continue the conversation.