I am a security practitioner. I have worked both on sides of the fence. Sometimes building walls, or kicking them down. A few years ago, I realized how far from hardware I have traveled. Machine Learning, Artificial Intelligence, and realtime detection require specialized equipment. I had to dive deep into the device to appreciate where software bottlenecks exist today. What surprised me more is how this journey highlighted how far apart hardware and software tribes are today. So much so, colleagues often scoff that I know hardware at all.
The PDP-11 I trained on was a workhorse, hardware was king, and access was on a timeshare. No one was seriously concerned about an attack when you did not have direct access to one of these exotic systems. More importantly, all the companies were vertical and controlled everything from setup to service. None of those rules apply today.
With the advent of bare metal and white-box systems, the world shifted from a closed supply chain to a fragmented open mosh pit. Companies rush to meet timeline and cost deadlines cut corners at every turn. Supply chain managers take engineered specifications and shop them to the lowest bidders. Managers, convinced they have low-cost options terminate skilled technical engineering teams in favor of vendor-supported programs. Everyone looks down the supply chain for support, knowing it’s not there.
Intel and other chip manufacturers opened our eyes to the risks and made us WannaCry. 2017–2020, and we are still way behind the curve. “As many as 1.7 million internet-connected endpoints are still vulnerable to the exploits, according to the latest data. Data generated by Shodan, a search engine for exposed databases and devices, puts the figure at the million marks.”
Even more stunning was the vendor responses. Having moved from 10 years in Cybersecurity software back into hardware, I was shocked to see how downright negligent the market was. I expected vendors, suppliers, and manufacturers to experience the standard seven stages of grief when these new attack vectors arose. Instead, they stopped at step 3.
- SHOCK & DENIAL- You will probably react to learning of the loss with numbed disbelief. …
- PAIN & GUILT- …
- ANGER & BARGAINING-…
Anger and bargaining are the modes manufacturers, and suppliers are in today. Pain and guilt only translated to change if a customer was actively asking for information or clarification. Anger went to Intel and eventually AMD, with everyone pushing the blame down to BIOS, BMC, and other providers such as AMI. Of course, everyone said that change would come with new processes and updates. But that never happened. Especially when Intel advised not to update the Microcode with patches they provide. Even when it does, there is a crazy patchwork of solutions obscured to the end customer. Arcane legal and business relationships confuse people and leave them to kick the proverbial can down the road or blindly trust whatever they get. It should come as no shock that misconfiguration and patching is still the number one assessment for cybersecurity risk. Misconfiguration is costing the industry five trillion dollars. Yes. That is with a T.
There is no credible program of support offered by the major players outside of Dell, IBM, or HPE. It’s a loose patchwork of best efforts loaded into legacy business processes that look nothing like modern software execution. The set and forget mentality of hardware and low-level software management is so pervasive that individuals feel hopeless to change or write everything off with a rip and replace model. Simple tools that track customer issues back into engineering teams were revolutionary two years ago when I jumped back into this market. The idea that Atlassian is for software and hardware development in manufacturing and ODM’s is still a shock. Lack of understanding resulted in a patchwork approach or is nonexistent. Ironically, some companies can point to excellent examples of success. But that usually is just one silo in the organization and not shared across it.
So we are firmly in the fourth phase now.
- “DEPRESSION,” REFLECTION, LONELINESS- …
Of course, this has to change. We can’t rely on rip and replace strategies to fix devices that will not be patched or managed in a timely fashion. Or maybe never. New demands for IoT, factory automation, distributed edge networks, self-driving cars, smart cities, utilities, and the list goes on, will continue to leave whole sections of the economy unprotected. We have to evolve as an industry to address these business processes, ensuring the best security we can deliver. Companies lax in deploying modern tools should be changed or educated. Most importantly, spreadsheets don’t work to capture and transmit such critical information anymore.
We are in the last stages of grief.
- THE UPWARD TURN- …
- RECONSTRUCTION & WORKING THROUGH- …
Today we have to accept that hardware and the software it requires are constant vectors. We can’t assume someone in the supply chain world will magically support this for free. Primarily when we focus on low-cost providers locked into design cycles for 3–5 years. It’s for these reasons customers demand more of Contract Manufacturing / EMS as a choke point. That includes Dell, IBM, HPE, and others as they are dependent on this eco-system as well. Not just in the traditional markets of computing and storage, but medical, IoT, telecommunications, and general infrastructure. If vendors can clearly articulate a value promise, including new service and support offerings that unite a business case vs. just one market, then we might start reconstruction.
- ACCEPTANCE & HOPE-
Let’s be clear. It’s not just about the patches and continuous updates that are now commonplace. It’s the performance. The performance takes time to balance after patches and modifications. Look at ZombieLoad. Exploits like this affect the processors back to 2011. It’s in the cloud. It, like the other patches, sap performance. Performance that forces customers to buy more hardware to fix. Which becomes a vicious cycle of pay Peter to pay Paul. Key players in the market can lean in and be heroes.
Customers are demanding more support for a longer time. No one has a cohesive plan. Some are trying, but partnership models are few and far between. It’s time to advance an explicit model of support and pricing, elevating the conversation with everyone in the supply chain. Not everyone is AWS, GOOGLE, MICROSOFT, and can afford to maintain all these infrastructures. DevOps to SecOps are specialized business functions that rely on supply-chain information. It’s time to move into acceptance and hope phase by expecting more and paying for it.
A more thorough description of the issue with white papers and video of the exploit in action can be found at this site: https://meltdownattack.com/. I encourage you to read more on these and find ways to enhance your security posture from bottom to top.
