by Hank Berkley
Contributing Editor

Though cybersecurity pundits will make a lot of recommendations regarding steps to make you safer, the truth is that it is not possible to be completely protected. In the complex and integrated world in which we operate we are exposed to so many technical dangers that we survive by placing trust in others. We previously wrote about third-party risk, but focused primarily on vendors and entities with whom you have a transactional relationship. Recently there has been a lot of light shed on some parts of your business where you have less control and visibility. The concerns are around the hardware and software that underpin everything we do.

The first concept to understand is that few things are built today that are of a static nature. We can look at a car engine as a simple example. In “the olden days” one would get more power out of an engine by physically replacing a carburetor or making some mechanical changes. Today this is done by updating the software in the engine control unit (ECU). The same concept applies to your laptop, your manufacturing equipment, your network gear and even your building air conditioning. Everything today is based on software, although it is referred to as “firmware” in these situations.

Why is this important? Because you have no idea what that firmware does or what changes might be made to your infrastructure. To make matters worse, a lot of our devices get their updates automatically using our networks and our WiFi.

To be fair, these updates are usually geared toward improving performance, fixing discovered problems or adding features. But there is little to stop nefarious people from making undesirable changes – changes that can jeopardize your business.

The U.S. and Israel caused Iranian uranium centrifuges to self-destruct by secretly modifying the firmware in the control circuitry*. The U.S. government accused Chinese manufacturers of installing monitoring tools on servers used by Google and Amazon in their cloud services. Chinese telecom companies have been accused of installing invisible “bugging” updates on cell phones used in their country if the owner tries to dial an area code 202 (Washington, DC) number.

To date much of this activity has been done by government agencies or affiliated entities, but there are some examples of businesses using updates as a tool. Whether these are valid moves or not can be debated. John Deere uses its software in combines to restrict farmers from using non-Deere parts for repairs. Apple slowed down older iPhones to conserve power and extend battery life. But what if the motives were obviously bad?

What if Caterpillar caused random failures to occur in its $3 million 797 mining trucks to encourage sales of new trucks? What if your network equipment secretly sent copies of your data to a competitor? This is the concern that the U.S. government currently has with using Huawei networking equipment. They are afraid that data will be secretly shared with Chinese competitors, or worse, that Huawei could interrupt all communications at will. The fact that the equipment doesn’t do this today is no assurance that a future update would not add that “feature”. The Chinese likely have a similar fear of American networking companies like Cisco.

Unfortunately, we all operate in a world where we need to rely on others to manufacture our tools and to update the firmware as necessary. Thus, we are forced to make choices about whom we trust. And if that wasn’t difficult enough, we also need to trust those whom others trust. If you think that AWS (the Amazon cloud IT provider) is fundamentally honest, you could still be breached if the vendors they trust to provide servers turn out to be untrustworthy.

Do you really know whether that latest update to Microsoft Word® is now sending your documents to Microsoft to be sold to your competitors? Is your disk drive that was manufactured in Taiwan keeping hidden copies of your data only to be recovered when the drives go to a recycling center in Canada?

The point here is not to make you paranoid (though that might be justified), but rather to make you aware that a lot of decisions we make without too much thought implicitly mean we are putting our trust in others. None of us are powerful enough to verify everything that goes on in our business, but some choices are more important than others and deserve some thought.

* It is not our intention to take a position on any of the players mentioned here and some of this is considered speculation by some people as there isn’t always a smoking gun that identifies them with certitude.
