Digital Detritus: The driving force behind Pacific Rim, and a plea to the sector for action
The root cause of the attacks on Sophos’ firewall software in Pacific Rim traces back to the digital equivalent of the ocean’s Great Pacific Garbage Patch: a vast yet almost invisible accumulation of decaying material, in this case outdated and/or unpatched hardware and software. Like the Garbage Patch at sea, or the debris orbiting above us, this ever-growing digital detritus has severe consequences. This piece describes the situation and offers my thoughts on how the sector can address it.
- Introduction
- Accepted realities and Digital Detritus
- Cleaning up our future
- Stepping up today: a call to action
- Closing
In a series of prominent speeches in 2024, Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), told the industry that “we do not face a cybersecurity issue, but rather a software excellence issue.” Her point was that today’s multi-billion-dollar cybersecurity sector exists because technology firms across every field, sector, and market segment have been allowed to ship and deploy software with exploitable flaws. CISA is working to shift the market’s view from “software flaws are an inevitable aspect of life” to “some categories of flaws are intolerable” through its Secure by Design effort aimed at technology suppliers and the companion Secure by Demand initiative aimed at technology buyers.
The logic is economically sound: the most effective way to motivate technology vendors to invest in building and maintaining secure software is to get buyers to vote with their procurement budgets. These efforts are a critical first step toward what Easterly has described as a “software liability structure, one possessing a clear standard of care, and including Safe Harbor provisions for those technology suppliers that innovate responsibly through prioritizing secure development processes.”
I open with CISA’s actions because I believe these initiatives are a pivotal missing piece in improving the state of cybersecurity, which matters enormously to our economy, our national security, and the well-being of people worldwide. This text accompanies the Sophos article “Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats,” which recounts our prolonged battle with state-sponsored Chinese threat actors seeking to exploit flaws in our firewall software to target Sophos, our customers, and unrelated third parties. The accompanying timeline and technical details chronicle the sequence of decisions, investments, improvements, and innovations that came out of that engagement.
All the vulnerabilities described in our Pacific Rim disclosure had already been disclosed and fixed; there are no new or pending vulnerability disclosures. We nevertheless publish the full account knowing that we are drawing attention to our historical flaws, and that this degree of public transparency may provoke adverse market responses. It was a contentious decision internally, but I am hopeful that the response to the Pacific Rim release will be constructive and mature, focusing on the insights and advances that arose from the documented events, and setting an example of the kind of “standard of care” that can emerge from confronting and ultimately overcoming such persistent challenges.
“For certain products, detecting vulnerabilities is simply too straightforward,” so begins the 2007 MITRE paper “Unforgivable Vulnerabilities,” which describes classes of vulnerabilities so trivially mundane that their existence can be considered “unforgivable.” We might expect such faults from amateur software developers, but we expect better from the tier of suppliers on whom we all depend for protection: operating system suppliers, infrastructure suppliers, and cybersecurity suppliers.
Somewhat paradoxically, OS suppliers occupy the top positions in the ranking of distinct vulnerabilities, and cybersecurity suppliers are not immune either. According to a SecurityScorecard analysis covering more than 227,000 CVEs, 12.3%* came from cybersecurity suppliers, and numerous CVEs are tied to infrastructure. We can begin to untangle and confront this paradox by considering the following five points:
1. Market prosperity anticipates exploitation
a. All software exposed to attackers will eventually come under assault, with the likelihood of targeting and exploitation rising alongside adoption
b. The broader the presence of the supplier, the stronger the obligation—and expense—to uphold secure software; product budgets and lifecycles frequently overlook this
2. Competition can amplify moral risk
a. Inferior software quality creates a substantial market for cybersecurity goods and services. A 2022 report from the Consortium for Information and Software Quality approximated the cost of substandard software in the U.S. alone to be at least $2.41 trillion
b. Though most software suppliers confront market rivalry, the yearning for cybersecurity has attracted billions of dollars in venture backing: an estimated $8.5 billion in 2023, and $7.1 billion in the initial half of 2024. This presents a 51% surge from the first six months of 2023, spurring enhanced market competition and urgency for sustained innovation and differentiation
c. Besides market rivalry, the cybersecurity sphere experiences daily hurdles from the true adversary, the intruders against whom we shield our clients, necessitating even quicker response times and greater adaptability
d. These cumulative pressures can lead unfavorably to the prioritization of features or updates over secure and safe designs and deployments, occasionally precipitating widespread exploitation or disturbance on a global scale
3. Patching poses challenges
a. The operational burden of patching is widely recognized
b. Patching is a shared responsibility, indicating that the supplier must develop the patch, and the consumer (or another responsible entity, such as their service provider) must implement the patch; delays in either increase the likelihood of exploitation, and an unimplemented patch is ineffectual
c. Although as-a-service (*aaS) models ease the patching burden by allowing suppliers to fix defects in their own hosted environments, an on-premises component will likely persist that the sector needs to address
i. We usually picture infrastructure (firewalls, remote access layers such as IPsec or SSL VPN/proxy/ZTNA, email servers, etc.) when we think of on-premises, but the largest category of on-premises (i.e., customer- or service-provider-owned and managed, as opposed to vendor-owned) consists of endpoints and the operating systems and applications running locally on them
ii. In spite of the expansion in *aaS models for specific components of security infrastructure (e.g. FWaaS), on-premises continues to be the prevailing network security framework due to reasons of independence, latency, and durability (i.e. prevention of concentrated failures) – as per Gartner, 87.5% of firewall revenue in 2024 will be for physical firewalls
iii. Some types of infrastructure and operations currently lack a foreseeable path to an *aaS model, for instance Operational Technologies (OT) and Internet of Things (IoT)
4. The misalignment of generational incentives between buyers and sellers
a. Buyers are motivated to maximize the lifespan of their technology investments by extracting as much value as possible from a technology generation. Simply put, unless faced with unacceptable functional limitations, buyers strive to maintain their infrastructure (e.g. firewalls, routers, proxies, etc.) in operational status for an extended period before considering an upgrade
i. This phenomenon can be referred to as “infrastructure inertia” and without any counteracting force, outdated infrastructure tends to accumulate over time until a noticeable failure occurs, particularly affecting those below the cyber poverty line
ii. Unlike certain consumer technologies like mobile phones or cars, the latest infrastructure versions do not carry a status or prestige boost, lacking a driving force commonly associated with rapid consumer technology advancements
b. Sellers are driven to maximize generational turnovers for various interconnected reasons: 1) to offer enhanced functionality and improved user experiences, 2) to safeguard against obsolescence and customer attrition, and 3) to boost unit sales
i. Vendors employing practices of “planned obsolescence” put themselves at a competitive disadvantage compared to those who do not, potentially risking customer dissatisfaction if actions and schedules are not clearly communicated, even when undertaken in the best interest of the buyer (e.g. to enhance security, reliability, or functionality)
c. As digital infrastructure remains in place for longer durations, vendors are increasingly likely to discontinue providing software updates
i. Vendors typically operate within set support boundaries for their products, after which support, new firmware, code updates, or security patches are no longer provided
ii. It is not economically viable to expect technology vendors to extend support for all hardware generations, firmware, operating systems, and software indefinitely, as the cumulative costs would eventually become overwhelming; a different approach to managing lifecycles is necessary
5. Gradual escalation of vulnerabilities over time
a. While more commonplace vulnerabilities (by precedent, obviousness, simplicity, etc.) are considered unforgivable at all times, the most serious category, the zero-day, is initially somewhat forgivable upon discovery. Yet even the formidable zero-day has a declining status; for example, WannaCry’s vulnerabilities (CVE-2017-0144 and CVE-2017-0145) were exceedingly severe in 2017, but by 2024 any remaining exposure is considered ordinary and hence unforgivable
i. Without going into detail, it is important to note that a similar challenge arises in cryptography: strong cryptography today weakens with advancements in future computing capabilities. The industry is addressing this parallel issue through various quantum-safe initiatives, and there are shared lessons to be learned; terms like “strong,” “safe,” and “unforgivable” are relative and time-dependent
I call the combination of these five points the Digital Detritus problem. Infrastructure inertia results in neglected infrastructure that grows more dangerous over time, presenting a growing, unsanitary, unpredictable, and unmanageable attack surface for adversaries to exploit. The concept mirrors the problem of space debris: the hazards and complexity that discarded objects from earlier missions impose on space missions today. Both are examples of what economists call negative externalities, activities in the past that impose future costs on others which are not adequately reflected in market prices.
Another well-known example is pollution, such as the Great Pacific Garbage Patch mentioned earlier. In the case of Digital Detritus, costs fall on the buyer (escalating attack risk and disruption, up to and including extinction events; around 60% of small businesses that suffer a cyberattack go out of business within six months) and on the vendor (e.g., rising R&D and support costs, reputational risk, legal liability, and impacts on market valuation). Unwitting third parties are also affected, suffering harm when abandoned infrastructure is used in masked or indirect cyberattacks, botnets, supply chain compromises, or other forms of cyber victimization.
* Per an analysis conducted by SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement Team (STRIKE), security vendors have reported 27,926 CVEs out of the total 227,166 at the time of their assessment.
Over the last decade in cybersecurity, there has been a noticeable shift in organizational mindset from “it won’t happen to me” to “it can happen to any of us.” Though this healthier attitude is not yet widespread, especially among those below the cyber poverty line, it is moving in a positive direction.
Through the combination of the Biden Administration’s 2023 National Cybersecurity Strategy and CISA’s Secure by Design and Secure by Demand initiatives, we are seeing the early stages of a shift in vendor perspective from “software defects happen ¯\_(ツ)_/¯” to “let’s shift the responsibility from those least capable (target rich / resource poor) to those most capable.” Capability here means not only financial resources but also the most at stake and the deepest expertise. Among software vendors, cybersecurity and operating system providers carry the highest obligation and must set the precedent. One significant development in this direction is the Secure by Design pledge. Sophos signed the pledge at its inaugural event during the RSA Conference in May 2024, and to date there are 234 signatories committed to upholding the three core principles of Secure by Design:
1. Own the security outcomes for customers – Shifting the burden of ensuring everything goes right from the customer to the vendor. This includes adopting Secure by Default Practices (elimination of default passwords, field testing, simplification of hardening, discouragement of outdated legacy functions, attention-grabbing alerts, secure configuration templates), Secure Product Development Practices (adherence to a Secure Software Development Lifecycle (SSDLC) framework, documented cybersecurity performance goals, vulnerability management, responsible use of open source software, secure defaults for developers, fostering a security culture in R&D, testing with real security teams, alignment with zero trust architectures), and Pro-Security Business Practices (logging at no additional cost, treating security features as a basic customer right rather than a luxury item, embracing open standards, assisting customers with upgrades). Commercially, this should also mean bundling products that demand considerable expertise to use (e.g. XDR, SIEM) into services that combine the technologies with their most effective operation (e.g. MDR, Managed Risk services)
2. Embrace radical transparency and accountability – Rejecting the old belief that disclosing vulnerability details provides a “map for attackers” or ammunition for competitive exploitation, and focusing instead on the wealth of benefits. Moving toward disclosure at the level of Secure by Default Practices (aggregated security statistics and trends, patching statistics, data on unused privileges), Secure Product Development Practices (security requirements, threat models, secure development lifecycles, self-attestations, vulnerability disclosure details, software bills of materials, and vulnerability disclosure policies), and Pro-Security Business Practices (Secure by Design executive sponsorship, a Secure by Design roadmap, a memory-safety roadmap, published results) will steer cybersecurity toward the kind of safety improvements we have seen in the automotive sector (CISA’s Bob Lord and Jack Cable discuss this in a video)
3. Lead from the top – Organizational behaviors, structures, and incentives that treat security as a business imperative, demonstrated through actions such as integrating Secure by Design into earnings reports, regular briefings to the Board of Directors, empowering the Secure by Design executive, creating meaningful internal incentives, establishing a Secure by Design council, and creating and evolving customer advisory groups
Everyone except cyber criminals is rooting for CISA’s initiatives to succeed, progressively ushering in a safer future for all of us. But what can we do about the vulnerabilities that exist today, and that will persist for some time?
I would like to specifically address what I perceive as the duties of cybersecurity suppliers. As mentioned, I believe we must uphold operating system, infrastructure, and cybersecurity suppliers to a loftier standard among all technology suppliers, and I believe cybersecurity suppliers must set a precedent.
Sophos learned a series of insights through the sequence of Pacific Rim about constructing security cultures, modes of contemplating product lifecycles, and, certainly, managing security occurrences. The organizational, procedural, product, and tradecraft advancements that we made during the engagement were characterized by difficulty and achieved by perseverance. We emerged with a collection of “dos and don’ts” of owning security outcomes for our customers, which I will condense.
Let’s start with a few “cybersecurity supplier groundwork” assumptions: first, that we have embraced and are actively operationalizing the three core principles of Secure by Design summarized above; second, that we have already signed the Secure by Design pledge and have begun publishing, through transparency channels such as our Trust Center, our progress on each of the pledge’s seven goals (multi-factor authentication, default passwords, reducing entire classes of vulnerabilities, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions). We had a robust SSDLC, product telemetry, business and product security operations, and X-Ops research capability before Pacific Rim, which let us stay a step ahead of our adversaries, but much of our progress toward the now-documented CISA ideals was made because of that experience. Experience is the finest teacher, but studying and following a well-crafted handbook is the kinder one. Please, make use of it.
In addition to my urging to align with CISA guidance, let me also share a compilation of insights gained through the course of Pacific Rim that contributed to our navigation of the occurrences, and our improvement at the conclusion:
1. Mergers and Acquisitions (M&A)
a. Although the Pacific Rim event was not instantly caused by an acquisition, it was rooted in one dating back to 2014. Cybersecurity is a swiftly evolving sector, with substantial investment and consolidation. Sophos has acquired and integrated a total of 14 companies since then, and with each deal our diligence processes and integration disciplines improve. The two pointers for us here were:
i. In environments that inspire perpetual enhancements, yesterday’s methods might not have been as thorough as today’s, and it can be worthwhile to revisit critical areas through fresh perspectives when enhancements are introduced. Specifically, we would have gained from reevaluation of particular segments of product structure
ii. When procuring companies, there is typically some discretion in the equilibrium between speed of integration (including adoption of standards and processes) and allowing the acquired firm to continue operating undisturbed. This is particularly accurate when procured companies have swiftly growing, flourishing businesses rather than being earlier-stage technology acquisitions. We would have benefited from a quicker integration into our corporate SSDLC procedures
2. Dedicate to programmable telemetry and analytics
a. As is typical of breach investigations, data gathering was iterative: findings from one tranche of data dictated what new data had to be collected in the next. At the outset of the engagement we relied on our hotfix facility to programmatically extract new data from affected firewalls. This worked, but it could take up to 24 hours for the hotfix updates to be applied and the data returned. By the end of the engagement we had our Linux EDR agent deployed as a standard component of our firewall operating system, and could use it for immediate queries and responses
b. Throughout the engagement we relied heavily on our ability to determine precisely which customers were susceptible, which had accepted automated updates through our hotfix facility, which were showing signs of compromise, and which units were in our adversaries’ hands. This let us send targeted communications to customers and partners through our outreach efforts, and closely monitor our adversaries’ activities
3. Commit to operationalizability (o18y)
a. Unapplied fixes do nothing to protect customers, and even once a supplier releases a fix there is often a considerable delay between announcement and deployment. The ability to operationalize an update (o18y) quickly, safely, and seamlessly is just as crucial as the update itself. The rapid-update capability and the modular architecture described below, built into our firewall operating system since 2015, significantly improved our ability to protect customers during the engagement
b. Immediate hotfix facilities for crucial updates (following secure deployment procedures, such as comprehensive testing, phased rollouts, version control, etc.) can be the determining factor between addressing a vulnerability and having it exploited
c. Modular architectures that enable component updates without necessitating a complete firmware update and reboot make hotfix facilities viable
4. Empower Your Support and Customer Success teams to overcome resistance
a. Notifications within the product regarding available patches or updates are beneficial, but often inadequate, especially with infrastructure devices that may go for weeks, months, or even years without any administrator logging in if they are operating smoothly. This is just another aspect of infrastructure inertia, which demands effort to overcome it, preferably an effort other than visible exploitation or failure
b. Although vendor Support departments are commonly viewed as inbound business functions, we utilized our Support team to run outreach campaigns to our inactive at-risk customers, leading to a remarkable decrease in the number of unpatched units
c. Ensuring that you possess updated contact details for your clients is crucial; maintaining accurate data is fundamental for services like MDR (Managed Detection and Response) where consistent communication with clients is vital, and it can also assist in reaching your non-service product clients in case of an unresolved vulnerability or if product telemetry, such as a Critical Attack Warning system, anticipates an imminent attack
5. Supervise your fleet
a. While numerous threat actors worldwide compromise vulnerable infrastructure, the Volt Typhoon threat group rightly attracts significant attention for its bold pre-positioning activities. Like inviting a vampire into your home, the Volt Typhoon threat is fundamentally being welcomed into victim networks by the Digital Detritus problem, yet the blame for extending the invitations cannot rest solely on the victims; it is a shared responsibility with suppliers, and it will take supplier cooperation to address
b. Following Pacific Rim, we now perceive our clients’ deployment of our products as an extension of Sophos, and we monitor the array of assets as we would our own infrastructure. This is a mindset that we advocate for other suppliers to adopt
c. The majority of internet infrastructure assets operate on Linux-based operating systems, so even though they are custom-built, typically fortified appliances, they still function as instances of high-privilege servers and should be treated and safeguarded accordingly; just as you would never operate a high-privilege server without robust detection/response and observability capabilities, you should not allow a client-owned asset to operate without these same capabilities. This strategy guided us to embed EDR and utilize it in our firewalls
d. This capability not only let us precisely assess exposure across our customer environments but also helped us outmaneuver our adversaries in their campaigns, better shielding our customers from harm
e. This capability effectively becomes a facilitator for “MDR for firewalls” or other on-premises, high-privilege assets, something that suppliers could opt to utilize as a distinguishing factor or monetize; at present, Sophos views it as a distinguishing factor
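As an added illustration (not Sophos code; the firmware threshold, the 90-day dormancy window and the telemetry records are constructed), here is the fleet triage that points 2, 4 and 5 describe: bucket every device as compromised, exposed, mitigated or upgraded, then build the outreach queue with dormant devices first and missing contacts flagged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed (hypothetical) thresholds: firmware releases below FIXED_IN carry
# the flaw; the automated hotfix mitigates it on those releases. A device with
# no admin login for DORMANT_AFTER is one that in-product notices will not reach.
FIXED_IN = (19, 0, 0)
DORMANT_AFTER = timedelta(days=90)


@dataclass
class FirewallTelemetry:
    """One constructed record, as an EDR agent on a firewall might report it."""
    device_id: str
    firmware: str
    hotfix_applied: bool
    last_admin_login: Optional[datetime]
    ioc_hits: tuple = ()            # detection names raised on the device
    contact: Optional[str] = None   # customer contact on file, if any


def parse_version(text: str) -> tuple:
    """'18.5.3' -> (18, 5, 3). Only the leading digits of each piece count, so a
    suffix such as '3-rc1' compares as 3 and the comparison never raises."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(rec: FirewallTelemetry) -> str:
    """Bucket a device: compromised > upgraded > mitigated > exposed.
    Signs of compromise trump everything else, since a hotfix or upgrade
    applied after an intrusion does not evict the intruder."""
    if rec.ioc_hits:
        return "compromised"
    if parse_version(rec.firmware) >= FIXED_IN:
        return "upgraded"        # running a fixed release
    if rec.hotfix_applied:
        return "mitigated"       # accepted the automated hotfix
    return "exposed"             # vulnerable build, no hotfix


def is_dormant(rec: FirewallTelemetry, now: datetime) -> bool:
    return rec.last_admin_login is None or now - rec.last_admin_login > DORMANT_AFTER


def fleet_report(fleet, now: datetime) -> dict:
    """Group the fleet by state and build the outreach queue.
    Compromised devices go first (incident handling), then exposed devices that
    are dormant, then exposed devices with an active admin. A missing contact
    is flagged so Support can repair the record before the campaign starts."""
    by_state = {"compromised": [], "exposed": [], "mitigated": [], "upgraded": []}
    queue = []
    for rec in fleet:
        state = classify(rec)
        by_state[state].append(rec.device_id)
        if state == "compromised":
            priority = 0
        elif state == "exposed":
            priority = 1 if is_dormant(rec, now) else 2
        else:
            continue              # mitigated/upgraded need no outreach
        queue.append({"device_id": rec.device_id, "state": state,
                      "priority": priority, "contact_missing": rec.contact is None})
    queue.sort(key=lambda q: (q["priority"], q["device_id"]))
    return {"by_state": by_state, "outreach": queue}


# Constructed sample fleet (five devices) and a fixed "now" for reproducibility.
NOW = datetime(2024, 10, 31, tzinfo=timezone.utc)
SAMPLE_FLEET = [
    FirewallTelemetry("fw-001", "19.0.1", False, NOW - timedelta(days=2), (), "a@example.test"),
    FirewallTelemetry("fw-002", "18.5.3", True, NOW - timedelta(days=10), (), "b@example.test"),
    FirewallTelemetry("fw-003", "18.5.3", False, NOW - timedelta(days=200), (), None),
    FirewallTelemetry("fw-004", "17.5.0", False, NOW - timedelta(days=5), (), "d@example.test"),
    FirewallTelemetry("fw-005", "18.5.3", True, None, ("constructed-detection-1",), "e@example.test"),
]

if __name__ == "__main__":
    report = fleet_report(SAMPLE_FLEET, NOW)
    print(report["by_state"])
    for item in report["outreach"]:
        print(item)
```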
6. Search for, accept, and extend assistance
a. It is often enticing for cybersecurity suppliers to act defensively when facing incidents like Pacific Rim, owing to various valid concerns, e.g., embarrassment/ridicule, opportunistic behavior from competitors, or erosion of customer/partner confidence. However, an incident calls for collaboration and sharing rather than pride, shame, or competition, all in the best interest of the customers whom we are tasked with safeguarding
b. Throughout Pacific Rim, we collaborated with numerous organizations and agencies, including ANSSI, Barracuda, Bugcrowd, CERT-In, CISA, Cisco Talos, CTA, Digital Shadows (now part of Reliaquest), FBI, Fortinet, Greynoise, JCDC, Mandiant, Microsoft, NCA, NHCTU, NCSC-NL, NCSC-UK, NSA, Palo Alto Networks, Recorded Future, Secureworks, and Volexity
c. This approach played a significant role in improving the security of our customers and those of other suppliers worldwide
7. Emphasize ought-to’s over obligated-to’s
a. At times as a supplier, you may find yourself confronting challenging decisions on how to navigate through such adversary engagements. You may need to decide on matters such as gathering indicators from client assets across various countries with differing privacy regulations, offering updates for versions of your product that are long past support but still widely used due to infrastructure inertia, or absorbing expenses related to contacting unresponsive clients, among others
b. A deontological approach, centering on our commitment to safeguarding as cybersecurity suppliers, can provide clarity in such challenging circumstances
c. For example, even if you are not bound by contract to deliver an update for end-of-life products, and even if the code branches and testing environments for those retired versions are stored in cold storage, do not let the absence of obligation and inconvenience/cost hinder you from making a reasonable effort
d. Foster positive partnerships with your legal teams. There may be opportunities to explore new avenues safely when taking actions to protect, and do not employ legal frameworks as a replacement for mature risk management practices, e.g., threatening to silence or restrict researchers
8. Manage your own disclosure narratives and schedules, and facilitate others to manage theirs
a. It is beneficial to start with the expectation that whatever you know about the engagement and your response will eventually become public; use this insight to guide the completeness of your disclosures and communications, striking a balance between timeliness and ensuring accuracy
b. If you are a cybersecurity supplier who identifies a vulnerability in a competitor’s product or operation, adhere to the same responsible disclosure practices you would anticipate; prioritize shielding customers from harm over gaining competitive advantages
9. Compete in the market, not in the spur of the moment
a. When a competitor has a notable incident, whether an egregious vulnerability in their product or a widespread outage, practice empathy. Once customers and the Support, Engineering, and Response teams have come through the crisis, it becomes important for us to hold each other mutually accountable in order to advance the entire sector.
It is imperative for cybersecurity suppliers to ensure they are embracing the CISA initiatives. Similar to how we regularly share threat intelligence, we should also exchange organizational and operational best practices, especially those learned from our trials and tribulations.
Here are a few ideas to spark dialogue within the cybersecurity ecosystem about ways to counter infrastructure inertia and address the Digital Detritus problem. By ecosystem I mean the combination of vendors, customers, regulators, standards bodies, researchers, insurers, investors, service providers, and others who make up the cybersecurity landscape. (By dialogue I mean that these concepts are offered not as endorsements but as conversation starters, presented at least partially in the spirit of Cunningham’s Law.)
1. Verified life cycles – Buyer and seller motivations are often misaligned in terms of generational longevity. Sellers may be inclined to shorten product cycles, but implementing time-based restrictions on functionality could put them at a competitive disadvantage if their competitors do not follow suit. For instance, if Company A decides to deactivate operations on their router or firewall after a specific end-of-life date, Company B could promote that they don’t enforce such limitations. This competitive edge could give Company B the upper hand, despite Company A actively working to reduce the Digital Detritus issue. One possible solution might be a “verified lifecycle” program, where products could attain a recognized certification for adhering to a specific product lifecycle. This lifecycle could incorporate factors such as a clear product deactivation date, progressive customer notifications, a seamless migration mechanism to facilitate transitioning from one generation to the next, and cybersecurity advantages recognized by the cyber insurance sector through preferred products and rates.
2. Upcycling – E-waste is already acknowledged as one of the fastest growing segments of solid waste globally, generating over 62 million metric tons in 2022. Apart from significant environmental concerns addressed by regulatory compliance, there is also a related cybersecurity issue: data leaks. The introduction of verified lifecycles could potentially worsen this problem without corresponding measures. One viable approach could be to offer enhanced incentives for recycling infrastructure equipment. These incentives could involve vendor readiness for recycling to ensure automatic secure data wiping, streamlined integration as a secure default behavior within a verified lifecycle, and governmental incentives proportional to the issue’s scale, such as rewarding vendors and original equipment manufacturers (OEMs) for more modular designs conducive to upgrades and disassemblies. Additionally, more appealing incentives for contests like the DoE’s E-SCRAP program to foster innovation in this field, and subsidies (e.g., tax credits) for vendors embracing circular principles.
3. Pricing Markets Designed for Security – Beyond pollution, one of the most pervasive global negative externalities is greenhouse gas emissions. Carbon pricing provides a market-driven approach to address this issue through measures like carbon taxation and emissions trading, where responsible actors receive credits that can be sold in the carbon market as offsets to less responsible entities. These markets create supplementary incentives for positive behaviors and their impact should not be underestimated. For instance, Electric Vehicle (EV) manufacturer Tesla has garnered over $9B since 2009 by selling carbon credits to other automakers who failed to meet regulatory thresholds. A similar cap-and-trade market could be established for secure-by-design practitioners (evaluated based on self-declared and randomly audited progress toward their commitments) to earn credits that can be traded as offsets to others while they work on improving their practices. Enhanced transparency within the market can furnish purchasers with more insights into which vendors generate credits, which consume them, and the advancements made over time.
Among the thoughts Jen Easterly shared in her 2024 speeches, she envisioned “a world where cybersecurity is obsolete.” At first this may seem at odds with the purpose of the agency she leads, and with the efforts of many in the industry. She acknowledged the statement was partly in jest, but it mirrors doctors’ wish that their patients not need medical attention at all; essentially, a wish for everyone to be as healthy as professional athletes. I have long believed that cybersecurity would benefit from widespread adoption of a code of ethics like medicine’s, our own version of Hippocrates’ primum non nocere (first, do no harm). The Secure by Design pledge addresses that ethical concern.
While medicine strives for cures but often settles for treatments (not merely for job security as skeptics may suggest, but because treatments are more readily available than cures), the cybersecurity industry predominantly deals in treatments, whereas CISA is aiming at cures. It’s akin to aspirins and vitamins, as the saying goes — we require both to achieve superior outcomes for those under our care.
Sophos X-Ops is open to collaborations and can provide additional detailed IOCs based on specific cases. Reach out to us at pacific_rim@sophos.com.
To read the full narrative, visit our landing page: Sophos Pacific Rim: Counter-Offensive Against Chinese Cyber Threats.
