Binding Operational Directive 17-01
We’ve mentioned several times while discussing the development of the ARPANET, which we’ll see this week led to the Internet, that the security of the network itself, the security of the data passing over it, and the security of the hosts connected to the network were not front-of-mind concerns for the original designers. As we all experience today, this design decision has created numerous problems for a world now so dependent on the operation of what we all hope is a trustworthy Internet.
Trust. The news this week shows that trust is increasingly hard to come by.
First Equifax, a company whose purpose for being is to create a trusted source of all of our creditworthiness, admits that it could have prevented the catastrophic breach of its networked systems if it had patched an Apache Struts web application vulnerability sometime in the two months between the announcement of the vulnerability (and its corresponding patch) and the later intrusion using that vulnerability. Patch management has been a best practice since the mid-1990s, and I hope all of you run automatic software updates on your laptops and other personal networked devices.
And on September 13, 2017, the U.S. Department of Homeland Security (DHS) issued Binding Operational Directive 17-01, which questions the trust that many people, corporations, and governments put in “information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.” If we can’t trust the anti-virus and intrusion prevention software running on our networked machines, whom can we trust? As you may or may not know, in order for these programs to protect our systems they must have unencumbered access to practically everything on our systems, which is pretty much our entire lives these days. And to keep up-to-date in the never-ending battle against malware and malicious hackers, these trusted programs communicate regularly with a trusted server somewhere (typically run by the anti-virus and intrusion prevention manufacturer) on the Internet.
What’s the path forward in Binding Operational Directive 17-01? Two things that have me scratching my head.
On the one hand, the directive sets a timeframe for action: 30 days to identify what Kaspersky products are installed on government systems; 60 days to plan for their removal; and 90 days to complete the removal. Does that sound like Internet time to you? It sounds to me like this thinking was what got Equifax into trouble.
On the other hand, the U.S. government says that it is willing to consider a written argument from Kaspersky Labs that would address their fears. So far, Kaspersky has issued only a commercially based argument as to why the U.S. government should trust Kaspersky products with its sensitive data. I hope that doesn’t convince anyone in DHS with a rudimentary understanding of networks and computer science. Then again, Kaspersky will have a hard time proving that their program won’t release any sensitive information from the system it is meant to protect. Doing that sounds a lot like trying to solve the Halting Problem. And do you even bother trying when the security program downloads new functionality as an integral part of its operation (i.e., to update itself so that it can protect against new threats)?
It will be interesting to see where this all goes. It’s hard to operate in this world without some level of trust.