Veteran Cybersec Researcher Urges Work with Govt, Regulators
The cybersecurity community needs to stop “arming” and normalizing cybercriminals, and accept a bigger role for government and regulation, veteran researcher Daniel Cuthbert told the audience at the recent Black Hat Europe conference.
Cuthbert, global head of cybersecurity research at Banco Santander, took Halvar Flake’s 2017 talk “Why we are not building a defendable internet” as the starting point for his keynote at the conference, asking if we’d seen any progress since then.
He said he’d seen how “My industry, and my friends and what we’re doing has moved away from that core group of curious kids doing stuff on the internet and the World Wide Web, to how external forces have taken what we were doing and causing a lot of havoc.” The UK’s National Cyber Security Centre’s annual review had noted that 63 ransomware incidents had merited a Cobra meeting, meaning that the highest levels of government had become involved.
“Technology has all of a sudden meant that it’s an area for people who want to be able to manipulate and do bad things, but also a battleground of values,” he said.
However, the security community needed to take a good long hard look at itself and its practices, Cuthbert said. Taking the example of bugs, he said, “Bugs have made my career. I’m obsessive about bugs, I love bugs. I love how bugs are exploited. I love the fact that a simple bug could cripple a nation.”
But, he continued, “The bugs that we find now, are no longer just being shared amongst friends. Those bugs have become big money.”
A zero-click iOS bug could be worth upwards of a million dollars: “People want to have access to bugs… because they want to have access to data to control to manipulate… our industry has the potential with what we do to drastically change the outcome of how people think, how people act and how countries operate.”
But if anything, the community was overly obsessed with zero days, “Because it’s the lame attacks that are still getting done.” The world has been held to ransom by ransomware groups over the last five years. Even smaller groups were capable of making hundreds of millions of dollars, he said.
This posed a dilemma for a cyber security community that loves sharing info on bugs, and techniques, he said, because the criminals were also watching and listening and absorbing this information. “We’re arming criminals at an alarming rate.”
ChatGPT also potentially made life easier for phishers, Cuthbert added: “So one of the biggest cons of phishers, which is great from a detection perspective, is that English might not be their first language. So we can detect problems with the language.” But ChatGPT has changed the equation here.
He noted that Bruce Schneier had said there’s no incentive for manufacturers or companies to build secure products or systems. “We always thought that getting breached might impact a company enough to change their ways,” said Cuthbert, but it had turned out this wasn’t the case. It had become a question of PR messaging.
This meant government and legislation had a bigger role to play. “The reality is that for the last 20-odd years, we’ve all been having house parties when Mum and Dad are away. And we thought we were cool.”
This meant, “We posted stuff all over the neighborhood and lots of people came and somebody did something in your dad’s sock drawer which is really disgusting. And Mum and Dad came home now they’re like, ‘I’m sorry, like rules need to be coming down now.’”
Regulations and Policies
While the “earlier” Daniel would have hated the idea, “We do need some form of regulation, and bills and acts to clean up our act. Because we can’t do it on our own. We tried. We asked our vendors to make stuff in a secure way. It didn’t matter.”
While Cuthbert himself was controversially charged under the UK’s Computer Misuse Act in 2005, “I’m now sitting on the government’s security cyber board, which is just interesting.”
He described the U.S. Cybersecurity and Infrastructure Security Agency as “really cool… They’re actually quite approachable. They’re not your typical government suits… They’re trying to fix the internet.”
GDPR has been around for a while, he said, and “It finally made companies realize you need to understand what you do with that person’s data… the reality is security went up.”
That said, the U.S. CLOUD Act was “questionable”, while when it came to the UK’s current Online Safety Bill, “I don’t think they spoke to anybody with a good understanding of encryption and how putting backdoors in encryption could be a bad thing.”
While there were bad regulations, “for the best part, you have some good ones”. These were starting to trickle down to normal life, while government agencies and law enforcement had become smarter and more targeted when it comes to criminality. At the same time, vendors were being forced to take action, for instance by adopting memory-safe languages.
But the cybersecurity community had to continue to put suppliers on the spot, he said, while also considering its own attitude towards the bad guys, both in how it disseminates information and how it thinks about attackers.
“My world has been offensive for a very long time in the security space. But the reality is that there’s so much money to be made now. We are arming the wrong people. Because you never see the blue side of things.”
And, he said, “Can I just say, can we stop giving goddamn criminals logos and stupid mascots? They are not nice… by normalizing them, we’re normalizing criminality.”