Thank you all for your feedback on my previous posts – LinkedIn is a marvellous email system. Let me summarise the comments as best as I can. First of all there were those of you who said I am a crazy man and need locking up for suggesting such terrible things; then there was the group of you who said I was an idiot for not recognising how far America had really gone and that "I don't know the half of it". Some of you were kind enough to send me copies of competitors' sales manuals, one a particular favourite with a title that says it all, "piranha" – all the things you should say to stop Huawei winning business – and another document from another competitor who detailed why customers should never buy Huawei equipment because someone had found a vulnerability; I had seen that one before. Some said China must stop being bad and a similar number said America should stop shouting. So it is good to see that I am creating a consensus.
So what should we do? At some point the world is going to have to work together. It is going to recognise that all of us have a role to play in reducing this threat:
- Governments have a role to demand better security from their vendors' products. If a vendor's biggest customer never asks for security, or what they ask for is weak and feeble, that is what they will get.
- Vendors have to demand more. What does good look like? What are the standards? At the moment the problem with standards is that they are not standard. There is a plethora of overlapping standards, few standards have any sensible measures of success, and they are not always accepted around the world.
- Shareholders must demand more. The Mandiant report could have gone further: was there any material loss? I am assuming no, as the Boards would have stopped the work, unless of course you had replaced your sensitive material. Mandiant could have detailed what it was that caused the breach and whether all of their customers executed best practice; they could also have been their own masters, as omitting other countries who were up to no good politicises a report and gives those that need to change their behaviour a cop-out.
- Boards must demand more. My insurance won't pay out if my car is stolen because I leave the keys "unsafe"; my bank won't pay out if I don't take care of my PIN – these are seen as stupid actions. We must recognise that not patching has the same impact; not adopting the top 4, or 20, or 35 mitigating actions is just stupid. Verizon say 85% of the breaches could have been stopped if we did the basics, yet we don't. Do not get me wrong – theft is theft and it should not be condoned, but we also have a personal responsibility in technology as we do in other walks of life.
Technology is not going to get simpler; the challenges are not going to get simpler, so we need to think differently. How about:
- All countries allow sensors to be placed on the entry and exit points of their networks so we can track and trace, and begin to fix the attribution issue;
- If a country such as America has technical gubbins that can detect, deflect or stop malicious activity, let's share it – all of us share our knowledge to reduce the threat;
- Why don't all technology vendors (who after all have caused the problem) put a percentage of their revenue into an R&D pot solely for the use of defensive technologies;
- Let's forget personal privacy (eeck, I sense a deluge of emails); the reality is that if you are online you must be known, and data will be shared for the purposes of crime prevention and detection.
We should all be worried when we are seeing more and more countries suggesting they give their intelligence or law enforcement agencies the ability to penetrate, attack or disrupt technology in other countries – where will this end? Whilst many of us accept the www is a bit of a wild west, this potential move by Nation States takes us to a place where there are only losers. We need to agree a moral, and legal, line in the digital sand that we should not cross. In this context the creators of Stuxnet did us no favours, as in some people's minds it legitimised the use of offensive cyber activity – if it is right for you, you cannot complain if I adopt a similar behaviour.
You will have your own thoughts and ideas. We need to see leadership around the world from people who want to collaborate, who want to work on solutions and who want to take a long-term strategic view whilst doing practical things to improve the situation today. In this context the talks between America and China are a good first step which we should all applaud and support.