"Backdoors that adversaries are clearly happy to use against us."
Not possible. By definition backdoors can only be used by the good guys (whoever they may be).
Decades-old legislation requiring American telcos to lock down their systems to prevent foreign snoops from intercepting communications isn't mere decoration on the pages of law books – it actually means carriers need to secure their networks, the FCC has huffed. On Thursday, the US regulator issued a formal ruling that states …
I was thinking the same thing this morning, in that the way things across the pond look like they are heading, spying from China poses a lower risk than spying from the USA. Legislating for all UK telcos to now install Huawei kit would help balance things up (after all, does anyone have hardware or software on their phone or PC that doesn't answer to the USA at various points)!
“These providers would also be required to submit an annual certification to the FCC confirming that these plans have been created, updated, and implemented.”
Hey, I have an idea: how about we start requiring the manufacturer to take a bit of the responsibility. Best I can tell, it is not in their best interest to provide a product that is secure.
If your router was secure, and functional, the only reason to upgrade is if the service provided requires it.
With no or less hardware churn, and if you don’t need patches, why would you pay for maintenance. Not a good business model.
The best analog to this is printer ink. At first it was that you had to only pay a massive amount for ink. That was not enough, so now the cartridge fails when the time runs out.
Does not matter how much paper you throw at it, it will not secure a device. Only a secure device can be secured.
I have seen too many hacks that were done to “secure” systems, fully patched and maintained by well trained personnel. Stop blaming the professionals and start looking at the cause.
In the real world, we know that nothing based on software is invulnerable. Plus, if you consider all of the equipment in a corporate network - routers, firewalls, servers, clients, peripherals, etc. - there are millions of configuration settings, any small handful of which, if wrong or inconsistent, could provide unintended access. And it's not as if the fundamental technologies have not proved insecure - there have been many generations of SSL and TLS to fix bugs in the protocols themselves.
That's not to say that manufacturers can't do a better job: having multiple different implementations of management interfaces and authentication/authorisation, many of which are supplied by the least-cost third party subcontracted to manufacture a device to a particular specification, means you're often starting from zero with a fresh set of bugs rather than taking advantage of previous fixes. But we have to be realistic - in IT there's a constant stream of new features that "have" to be delivered and time-to-market is often the economic imperative. If we want more robust products, we also need greater stability in our requirements.
We'd all like security to be someone else's problem. Unfortunately, present technology has evolved from a time when security - particularly of the kind necessary to deal with threats on a global scale - was simply not a goal and, simultaneously, organisations are outsourcing their business processes much more, so every perimeter fence is breached to a greater or lesser extent.
It's a mess, but it's a mess we all have to deal with and it's unlikely it will get any less messy in the foreseeable future.
As one of those professionals who are charged with securing systems, I can say it's not the hardware or software where the problems lie, for the most part. Most of the time social engineering is used to deploy the nasty. After the Aussie BoM was hit by a RAT a few years ago, https://www.abc.net.au/news/2016-10-12/bureau-of-meteorology-bom-cyber-hacked-by-foreign-spies/7923770, it was discovered to have, most likely, been due to a staff member opening an email attachment. This is how bad actors get into networks, not through a hole in a firewall; people open the door for them.
The way we fix it is to, yes, keep our kit updated and patched, but also train our people so they can spot a potential attempted attack. If not, that "speeding fine," "request from the CEO," that nice Nigerian Prince or the helpful man from "Windows Support/Amazon/Credit Card Company/etc." will be a lot more expensive than anyone could have thought.
How do you know these mass intrusions are due to whatever possible access the TLAs had to different systems instead of previously unknown vulnerabilities and/or user errors?
My money would be on the last option - bad security practices; credential phishing; plain ol' stupidity and laziness.
"How do you know these mass intrusions are due to whatever possible access the TLAs had to different systems instead of previously unknown vulnerabilities and/or user errors?"
Because TPTB have admitted it. Certainly vulnerabilities and user errors to get in there in the first place, but the wire tap back doors, once opened, were a gift.
So what you're saying is if people are trained in avoiding attacks via social engineering, these backdoors cannot be accessed by bad, state funded, attackers. To me it's better to have the backdoor there to be accessed only with a legal court order, and train the staff to stop bad actors accessing.
Yeah, TikTok is one of the ways they could have got in. Don't forget TikTok has a key logger running when you use the app, and people are more than a little slack with passwords, often using the same ones for most online services, and Telco employees have been known to use social media from time to time.
I'm pretty sure the incoming administration will call this "far off mission" as well.... along with any consumer protection efforts. This kind of stuff is just bad for companies' bottom lines, as is any red tape. Health and safety? Workers' rights? Environment? Clearly all unnecessary restrictions to the American Way we do business.
In the Notice of Proposed Rulemaking the FCC are not just proposing new rules, such as providers having to create, update, and implement cybersecurity and supply chain risk management plans and having to submit an annual certification attesting that they have created, updated, and implemented cybersecurity and supply chain risk management plans.
The FCC are also changing the Scope of Communications Service Providers Subject to Cybersecurity Proposals* to include non-common carriers, such as broadcasters, all television stations, AM/FM radio stations, digital audio broadcasters and digital television service providers, etc.
That has to be Agency Overreach. The Communications Assistance for Law Enforcement Act (CALEA) is to do this: To amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for law enforcement purposes, and for other purposes.
*Scope of Communications Service Providers Subject to Cybersecurity Proposals starts on page 10 of the FCC pdf: https://docs.fcc.gov/public/attachments/FCC-25-9A1.pdf
...where are you when we need you?
How soon we forget!!!
Oh...and no mention of seriously misleading "advice" from NIST!
....and no mention of built in flaws in Cisco kit......
....all those bad "others"....all the modern (American) "big lies".......
....sigh!!!!!