When it comes to cybersecurity, we just cannot seem to stop killing ourselves, can we?


The problem I have witnessed for decades is: the system births, abets, and provides the environment for doing what is often the “wrong” thing.

That is nevah, evah gonna change  🤷‍♂️

10 July 2024 (Washington, DC) — After back-to-back cybersecurity conferences in Berlin and Washington, some quick thoughts generated from a story in my newsfeed last night, “The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did”.

The main point of the write-up is captured in this statement:

The tech company’s failure [Microsoft] to act reflected a corporate culture that prioritized profit over security and left the U.S. government vulnerable, a whistleblower said.

But there is another issue in the write-up. I think it is this:

The president issued an executive order establishing the Cyber Safety Review Board in May 2021 and ordered it to start work by reviewing the SolarWinds attack. But for reasons that experts say remain unclear, that never happened.

The one-two punch may help explain why some in other countries do not trust Microsoft, the U.S. government, and the “cultural forces” in the great US of A.

Let’s think about these three issues briefly.

First, large technology companies use the word “trust”. For example, Microsoft apparently does not trust Android devices. On the other hand, China does not have trust in some Microsoft products. Can one trust Microsoft’s security methods? For some, trust has become a bit like artificial intelligence – the words do not mean much of anything.

Second, Microsoft, like other big outfits, needs big money. The easiest way to free up money is to not spend it. One can talk about investing in security and making security “Job One”. The reality is that talk is cheap. Cutting corners seems to be a popular concept in some corporate circles. One recent example: Boeing is successfully dodging trials and accountability with a U.S. Department of Justice “deal”. Why? Money maybe? Money, of course. I’ll hold off on that one because our boss, Greg Bufithis, has a doozy of a post in progress on Boeing.

Third, the committee charged with looking into SolarWinds did not. For a couple of years after the breach became known, all of SolarWinds’ missteps were analyzed in depth by super-cyber investigator Andy Jenkinson, among others. And he has chronicled the absolute shit show that is Microsoft.

Okay, enough thinking. The SolarWinds’ matter, the push for money … and more money … and the failure of a committee to do what it was asked to do explicitly three times suggests:

• Enforcement with teeth and consequences is warranted.

• Tougher procurement policies are necessary, with parallel restrictions on lobbying, which one of our clients calls “the real business of Washington”.

• Ostracism of those who do not follow requests from the White House or designated senior officials.

Enough of this high-vulnerability decision making.

But the problem, as I have witnessed in my cyber work over the decades (especially in Washington), is that the system births, abets, and provides the environment for doing what is often the “wrong” thing.

There you go 🤷‍♂️
