The Case for Critical Virtual Technology
You've heard of "Too big to fail", now get ready for "Too big to be vulnerable"
This is more of a non-technical RFC and partly a follow-up to my previous "The Infosec Industry is a Hammer" article.
Quick recap: in my opinion, one of the only ways to actually improve cybersecurity at a national, or even international, level is to make it a lot cheaper. Technical solutions won't make a dent in the "number of breaches per year" metric if nobody except Fortune 500 companies can actually afford good network defense. This is a legislative problem, not a technical problem. On top of that, a big chunk of the cybersecurity industry is snake oil.
While I do believe making things cheaper will help, that's just the first step. The second step is reining in "big tech" and how it treats cybersecurity in its products.
If you, as a company, sell a technology or product that is subsequently adopted in more than 50-60% of a nation's infrastructure:
First off, congrats!
Second, your product is now deemed “Too big to be vulnerable” and labeled as Critical Virtual Technology.
If some technology stack is running in more than 50-60% of a nation's networks, we'd want to make extra sure that stack is built securely.
At the bare minimum:
Aggressive deprecation timeframes for features with known vulnerabilities
Secure defaults by design
Non-optional 2FA/MFA, a built-in way of allow/deny-listing passwords at scale, and the ability to enforce password policies
Tri-monthly security reviews
A mandatory 30-day update window from the initial vulnerability report
If a vulnerability is found in something so widespread, it's a potential national security risk. The current status quo seems to treat this as "normal". I'd say it's high time we changed that.
The bar is currently set so low we’d need Virgil to fish it out of hell for us.
The question comes down to:
Why should tech companies get away with introducing national security risks?
Food for thought 🧠.