The Digital Detritus Problem: The Driver of Pacific Rim and a Plea to the Industry for Action
At the core of the onslaught faced by Sophos’ firewall software in Pacific Rim is something akin to the Great Pacific Trash Vortex: a vast yet nearly imperceptible accumulation of decaying material, in this case outdated and/or unpatched hardware and software. Like the Trash Vortex in our oceans or the debris orbiting our planet, this continuously expanding digital debris has serious repercussions. This piece analyzes the situation and presents my reflections on how the industry can address it.
- Commencement
- Acknowledged Realities and Digital Debris
- Purifying our Future
- Rising to the Occasion Today: Urging Action
- Wrap-Up
In a series of prominent presentations during 2024, Jen Easterly, Director of the United States Cybersecurity and Infrastructure Security Agency (CISA), told the business world that “our challenges are not rooted in cybersecurity but in software excellence issues.” She emphasized that today’s multi-billion-dollar cybersecurity sector exists because technology firms across all domains, sectors, and market niches have been allowed to release and deploy flawed software. Through its Secure by Design initiative for technology providers, and its companion Secure by Demand for purchasers of technology, CISA aims to change the industry’s perspective from treating “software defects as an inescapable facet of operations” to recognizing that “certain classes of defects are inexcusable.”
From an economic standpoint, the most effective means to encourage tech providers to invest in crafting and upholding secure software is by motivating consumers to make choices based on security with their procurement expenditures. These endeavors mark an initial crucial stride in steering the industry towards what Easterly has defined as a “software liability system, one that establishes a clear standard of prudent conduct, including Safe Harbor provisions for those tech vendors who engage in responsible innovation by giving paramount importance to secure development methods.”
I open this essay with a compact overview of CISA’s initiatives because I firmly believe these actions have been a vital missing factor in improving the cybersecurity landscape. It is no exaggeration to say that progress in this area holds immense significance for our economy, national security, and the well-being of citizens worldwide. This piece complements a post by Sophos titled “Pacific Rim: Inside the Counter-Offensive—The Techniques Used to Counter China-Based Risks,” which chronicles our extensive battle with Chinese state-sponsored threat actors who relentlessly attempted to exploit vulnerabilities in our firewall software to target Sophos, our customers, and unrelated third parties. The included timeline and technical details outline the sequence of decisions, investments, enhancements, and innovations stemming from this engagement.
All the vulnerabilities detailed in our Pacific Rim dossier had been previously disclosed and addressed — no fresh or pending vulnerability disclosures exist — yet we publish the comprehensive report fully aware that we are casting a light on our historical flaws, and that such a high degree of public transparency could provoke adverse market responses. We debated this internally, and I hold an optimistic outlook that responses to the Pacific Rim report will be constructive and mature, concentrating on the lessons learned and the advancements spurred by the recounted events, and offering an example of the kind of “standard of prudent conduct” that can emerge from combating, and eventually triumphing over, such persistent challenges.
“For certain products, discovering vulnerabilities is just too effortless,” begins the 2007 MITRE report titled “Unforgivable Vulnerabilities,” which delineates classes of vulnerabilities so apparently banal that their occurrence could be deemed “unforgivable.” While we might anticipate such drawbacks from amateur software developers, we anticipate a higher standard from vendors fundamental to our protection, such as operating system suppliers, infrastructure providers, and cybersecurity companies.
Paradoxically, OS suppliers hold prominent positions on the roster of distinct vulnerabilities, and cybersecurity firms are not immune. In an evaluation of over 227,000 CVEs conducted by Security Scorecard, 12.3%* of them originated from cybersecurity providers, and there have been numerous CVEs associated with infrastructure. We can begin to unravel and tackle this paradox by considering the following five factors:
1. Business Success Anticipates Vulnerability
a. All software open to attackers will inevitably encounter assaults, with the probability of targeting and exploitation escalating in tandem with adoption
b. The larger the vendor’s presence, the greater the obligation—and expense—to sustain secure software; product budgets and lifecycles frequently neglect this aspect
2. Competition Can Intensify Moral Peril
a. Inferior software quality engenders a sizable marketplace for cybersecurity merchandise and amenities. A 2022 report from the Consortium for Information and Software Quality estimated that the cost of substandard software in the U.S. solely amounted to at least $2.41 trillion
b. Though most software providers confront market competition, the demand for cybersecurity has attracted billions of dollars in venture capital: an approximated $8.5 billion in 2023, and $7.1 billion in the initial half of 2024. That marks a 51% surge from the prior year, propelling heightened market rivalry and the necessity for perpetual innovation and differentiation
c. In addition to market competition, the cybersecurity field faces daily tribulations from our true adversaries, the threats we defend our clients against, necessitating even quicker response times and enhanced agility
d. These combined pressures can steer the focus towards functionalities or updates over secure and reliable designs and deployments, occasionally leading to widespread exploitation or disruptions at a global scale
3. Implementing Patches is Challenging
a. It is well acknowledged how operationally cumbersome patching can be
b. Patching is a collective responsibility, signifying that the vendor must produce the patch, and the customer (or another responsible entity, such as their service provider) must apply the patch; delays in either realm heighten the likelihood of exploitation, rendering an unimplemented patch futile
c. Although as-a-service (*aaS) models streamline the patching quandary by empowering vendors to rectify defects en masse in their hosted environments, there will likely persist an on-premises element that the industry must grapple with
i. When contemplating on-premises, we often envision infrastructure (firewalls, remote access layers such as IPsec or SSL VPN/proxy/ZTNA, email servers, etc.), but the principal category of on-premises (namely, customer/service-provider managed as opposed to vendor owned and operated) pertains to endpoints and the respective operating systems and applications they operate locally
ii. Notwithstanding the rise in *aaS models for specific aspects of security infrastructure (e.g. FWaaS), on-premises remains the predominant network security framework due to factors such as independence, response time, and robustness (i.e. prevention of centralized failures) – as per Gartner, 87.5% of firewall revenue in 2024 will be generated by physical firewalls
iii. Some categories of infrastructure and operations currently do not have any foreseeable path towards an *aaS model, for instance, Operational Technologies (OT) and Internet of Things (IoT)
4. Buyer and seller motivations not aligned across generations
a. Buyers are driven to extend the lifespan of their technology investments by utilizing a generation of technology for as long as feasible. In simple terms, unless facing unacceptable functional limitations, buyers aim to maintain their infrastructure (e.g. firewalls, routers, proxies, etc.) in operation for as long as they can before considering an upgrade
i. This could be termed as “technology inertia,” and without any opposing force, outdated infrastructure tends to accumulate over time until it reaches a point of inevitable failure, especially among those beneath the cyber poverty line
ii. In contrast to some consumer technologies like smartphones or automobiles, there is no prestige or status associated with having the latest infrastructure, which diminishes a motivating factor commonly seen in faster-moving consumer technology cycles
b. Sellers are motivated to maximize generational shifts owing to various reasons: 1) to offer enhanced functionalities and improved user experiences, 2) to counter obsolescence and customer attrition, and 3) to boost unit sales
i. Vendors that adopt forms of “planned obsolescence” put themselves at a competitive disadvantage compared to those who don’t, and potentially at the risk of dissatisfying customers if their actions and schedules are not clearly communicated, even when done in the best interest of the buyer (e.g. to enhance security, reliability, or functionality)
c. The longer a digital infrastructure stays in place, the higher the chances that vendors may discontinue providing software updates
i. Vendors operate under specific support limits for their products, beyond which they cease to offer support, new firmware, code updates, or security patches
ii. It is not economically viable to expect technology vendors to support all hardware, firmware, operating systems, and software generations “forever,” as the cumulative costs would eventually become overwhelming; there is a need for a different approach to lifecycle management
5. All vulnerabilities gravitate towards the unforgivable as time goes by
a. Even if more commonplace vulnerabilities (based on precedence, clarity, simplicity, etc.) are deemed unforgivable at all times, the pinnacle vulnerability, the zero-day, is initially somewhat forgivable upon discovery. Nevertheless, even the dreaded zero-days have a lifespan; for instance, the vulnerabilities exploited by WannaCry (CVE-2017-0144 and CVE-2017-0145) were extremely potent in 2017, but any remaining exposures in 2024 are considered mundane and thus unforgivable
i. Without digressing, it’s pertinent to note a similar issue in cryptography: today’s robust cryptography weakens with the advancement in tomorrow’s computing power. The industry is addressing this parallel challenge through various quantum-safe initiatives, and there are shared lessons to be learned; terms like “strong,” “secure,” and “unforgivable” are relative and time-dependent
I describe the interplay of these five points as the Digital Detritus dilemma. The inertia in infrastructure leads to neglect of the infrastructure, which becomes increasingly perilous over time, presenting a progressively expansive, unsafe, unpredictable, and unwieldy battleground for malicious actors to exploit. It bears a striking resemblance to space debris, highlighting the challenges and risks we encounter in space missions due to the accumulation of abandoned objects in orbit from past missions. Both scenarios exemplify what economists define as negative externalities; that is, past actions imposing future costs on other entities without being adequately factored into market prices.
Another widely acknowledged instance of this is pollution, like the Pacific Ocean Trash Vortex mentioned earlier. In the case of Digital Detritus, costs are thrust upon both the buyer (from escalating risks of attacks and disruptions, ultimately leading to organizational extinction events; 60% of small businesses shut down within six months post a cyberattack) and the vendor (e.g. rising R&D and support costs, reputational risks, legal liabilities, effects on market valuation). They are also imposed on unknowing third parties who may suffer consequences when abandoned infrastructure is utilized in concealed attacks, botnets, supply chain breaches, or other indirect forms of cyber victimization.
* As per an analysis by SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement Team (STRIKE), security vendors accounted for 27,926 CVEs out of the total 227,166 at the time of their study.
Over the last ten years in the field of cybersecurity, organizations have witnessed a shift in mindset from “it won’t happen to me” to “it can happen to any of us.” This healthier approach has yet to fully permeate, especially among those below the cyber poverty line, but it is heading in a positive trajectory.
Through the combination of the 2023 National Cybersecurity Strategy by the Biden Administration and the efforts of CISA with their Secure by Design and Secure by Demand initiatives, we in the US are at the initial stages of shifting vendor perspectives from “software defects happen ¯\_(ツ)_/¯” to “let’s shift the burden from those who are least capable (target rich / resource poor) to those who are most capable.” Capability encompasses not only financial resources but also those with the highest stakes and expertise. Among software vendors, I believe cybersecurity and operating system vendors bear the greatest responsibility and must lead by example. A significant step in this direction is the adoption of the Secure by Design pledge. Sophos signed up during its inaugural event at the RSA Conference in May 2024, and currently there are 234 signatories who have committed to supporting the three key principles of Secure by Design:
1. Take charge of customer security outcomes – Shifting the “everything must go right” burden from the customer to the vendor. This includes embracing Secure by Default Practices (elimination of default passcodes, field tests, simplified hardening guidance, discouragement of unsafe outdated features, attention-catching notifications, secure setup blueprints), Secure Development Techniques (Secure Software Development Lifecycle (SSDLC) framework compliance, documented cybersecurity performance targets, vulnerability management, accountable use of open source software, secure defaults for programmers, fostering a culture of security in R&D, testing with realistic security operations groups, adherence to zero trust architectures), and Pro-Security Business Strategies (free logging, treating security features as essential elements rather than premium items, embracing standard protocols, delivering upgrade support). From a business perspective, this should ideally involve bundling products that demand significant expertise to use (such as XDR, SIEM) into services that integrate the technologies with their optimal operational methods (e.g. MDR, Managed Risk services)
2. Adopt radical transparency and responsibility – Dismissing the outdated belief that disclosing vulnerability specifics offers a “guide for attackers” or ammunition for competitors, and instead focusing on the myriad advantages. Proceeding towards the publication of various details as Secure by Default Techniques (aggregate security figures and trends, patching statistics, insights on unused privileges), Secure Product Development Techniques (security measures, threat models, secure development frameworks, self-attestations, exhaustive disclosure of vulnerabilities, software inventories, and vulnerability disclosure policies), and Pro-Security Business Strategies (executive sponsorship for Secure by Design, a Secure by Design roadmap, a memory safety roadmap, published outcomes) to propel cybersecurity towards safety advancements akin to those we have observed in the automotive sector (CISA’s Bob Lord and Jack Cable delve into this in a video)
3. Set the tone from the top – Fostering organizational cultures, frameworks, and motivations that prioritize security as a core business element, as exemplified through initiatives such as integrating Secure by Design principles in financial disclosures, routine briefings to the Board of Directors, empowering the Secure by Design executive, instituting significant internal incentives, establishing a Secure by Design committee, and forming and evolving client committees
With the exception of cyber offenders, everyone is cheering for CISA’s endeavors to succeed, progressively steering us towards a safer future. However, how do we address the current vulnerabilities that persist, and will linger for a substantial duration?
I wish to particularly emphasize what I perceive as the responsibilities of cybersecurity suppliers. As discussed, I believe it is imperative to demand a higher benchmark from operating system, infrastructure, and cybersecurity suppliers compared to all other tech vendors, and I opine that cybersecurity suppliers should lead through demonstration.
Sophos assimilated a series of insights through the Pacific Rim ordeal concerning cultivating security cultures, methodologies for contemplating product life cycles, and, naturally, handling security crises. The enhancements we made in operations, protocols, products, and expertise during this engagement were marked by challenges and achieved by persistence. We emerged with a set of “do’s and don’ts” regarding owning security outcomes for our clients, which I will encapsulate.
Let’s start with a couple of fundamental “cybersecurity vendor foundation” assumptions: first, that we have embraced and are actively implementing the three fundamental principles of Secure by Design, concisely outlined above. Second, that we have already committed to the Secure by Design pledge, and have begun sharing our progress across the seven pillars of the pledge (multi-factor authentication, default passcodes, reduction of entire categories of vulnerabilities, security updates, vulnerability disclosure policy, CVEs, and evidence of unauthorized intrusions) through transparency portals like our Trust Center. We possessed a robust SSDLC, rich product telemetry, business and product security teams, and X-Ops research capacity prior to Pacific Rim, which empowered us to stay ahead of our adversaries, yet a considerable portion of our progress towards the now well-documented CISA ideals was a result of our encounter. While experience is a great educator, following a well-crafted guide is a kinder one. Please, put it into practice.
In addition to my plea to align with CISA directives, allow me to also impart a series of insights gleaned through the Pacific Rim incident that facilitated our navigation through the occurrences and our amelioration post the incident:
1. Business Transformation (Mergers and Acquisitions)
a. Though the Pacific Rim crisis did not directly stem from an acquisition, it traced back to one from 2014. Cybersecurity is a swiftly evolving sector, teeming with investments and mergers. Since then, Sophos has acquired and integrated a total of 14 companies, and with each transaction our due diligence procedures and integration approaches improve. The two key takeaways for us were:
i. In environments fostering ongoing enhancements, protocols from the past might not have been as stringent as current norms, making it worthwhile to reassess critical aspects through fresh lenses upon introducing improvements. Specifically, we would have benefitted from re-evaluating certain facets of product architecture
ii. When procuring entities, there typically exists a trade-off between swift integration (embracing standards and procedures) and permitting the acquired entity to continue its operations undisturbed. This stands particularly true when the acquired entities boast rapidly expanding, thriving businesses as opposed to nascent technology integrations. We would have found value in swifter assimilation into our corporate SSDLC practices
2. Invest in adaptable telemetry and analytics
a. As is characteristic in most breach investigations, the process of gathering data was iterative, where discoveries in one phase necessitate the collection of new data in the subsequent phase, and so forth. At the campaign’s onset, we leaned on our hotfix mechanism to programmatically collect fresh data from impacted firewalls, and while this was effective, it took up to 24 hours for the hotfix updates to be implemented and the data to be retrieved. By the conclusion of the engagement, our Linux EDR agents were routinely deployed as an integral part of our firewall operating system, streamlining instantaneous inquiries and responses
b. Throughout the engagement, our capability to precisely ascertain which of our clients were susceptible, which had received automated patches via our hotfix system, which exhibited signs of breach, and which systems were under the control of our adversaries was pivotal. This enabled us to dispatch targeted communications.
c. Communicate effectively with our clientele and associates via our outreach strategies, and vigilantly observe the activities of our opponents
3. Invest in operationalizability (o18y)
a. Unapplied fixes fail to shield customers, and even after a vendor releases a fix, there is often a substantial delay between announcement and implementation. The capability to operationalize an update (o18y) promptly, securely, and non-disruptively is just as vital as the update itself. The hotfix capabilities and modular structure discussed below, integrated into our firewall operating systems since 2015, proved pivotal in safeguarding our clientele throughout the engagement
b. Hotfix amenities enabling critical updates to be swiftly enacted (adhering to safe deployment practices, such as thorough testing, phased rollouts, versioning, etc.) can determine whether a vulnerability is rectified or exploited
c. Modular architectures facilitating code component updates without necessitating a complete firmware update and reboot enable hotfix amenities
4. Your Support and Customer Success teams can eliminate stagnation
a. In-product alerts notifying about patch or update availability are beneficial, but they are frequently inadequate, especially with infrastructure devices that may go for weeks, months, or even years without an administrator logging in if it’s operationally “just functioning.” This represents another aspect of infrastructure inertia, necessitating some impetus to dislodge it, ideally a form of pressure other than observable exploitation or failure
b. While vendor Support teams are typically considered inbound business functions, we utilized ours to launch outreach initiatives to our unresponsive at-risk clientele, resulting in a noteworthy decrease in unpatched units
c. Similarly, it is crucial to maintain current contact details for your clientele; sound data hygiene is fundamental to services like MDR (Managed Detection and Response) where regular communication with clients is imperative, and it can also aid in reaching your product (non-service) clients in the event of an unsettled vulnerability, or if product telemetry, like a Critical Attack Warning system, anticipates an imminent attack
5. Supervise your collection of assets
a. Despite numerous threat actors compromising vulnerable infrastructure globally, the Volt Typhoon threat group is gaining attention for their bold preparatory maneuvers. Analogous to inviting a vampire into your home, at its core the Volt Typhoon menace gains entry into victim networks owing to the Digital Detritus dilemma, yet culpability cannot solely be placed on the victims for extending these invitations; it is a shared obligation with vendors and necessitates collaborative vendor efforts to tackle
b. Post-Pacific Rim, we perceive our clients’ deployment of our products as an extension of Sophos, and we oversee the asset “fleet” akin to our internal infrastructure. This is a mindset we urge other vendors to adopt
c. Most internet-based infrastructure assets operate on Linux-based operating systems, hence despite being purpose-built and fortified appliances, they essentially function as high-privilege servers and should be viewed and safeguarded accordingly; much like you would not risk operating a high-privilege server lacking robust detection/response and observability abilities, you should not permit a client-owned asset to operate without such capabilities. This mindset steered us towards integrating EDR and employing it in our firewalls
d. This functionality not only facilitated precise evaluation of the vulnerability status within our client environment but also enabled us to outmaneuver our adversaries in their initiatives, thereby more effectively shielding our clients from harm
e. This functionality essentially enables “MDR for firewalls” or equivalent on-premises, high-privilege assets, a feature that vendors could either leverage as a distinguishing factor or monetize; currently, Sophos regards it as a distinguishing feature
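As an added example (not Sophos code, and not the tooling the essay describes), here is the fleet-status determination of points 2, 4 and 5 above in Python: each device’s telemetry is checked against a constructed advisory (affected firmware range, hotfix ID, support floor and check-in window are all made up) and sorted into compromised, patched, vulnerable, unresponsive, unsupported or not affected, with an outreach list per customer.

```python
"""Fleet triage over constructed firewall telemetry (added example, not Sophos code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical advisory: firmware 18.0 through 19.0 affected, closed by hotfix
# HF-2024-001; firmware 19.5 and later ships with the fix built in. Firmware
# below 18.0 is out of support and its status is simply not assessed, which is
# the Digital Detritus case the essay describes.
SUPPORT_FLOOR = (18, 0)
AFFECTED_MIN = (18, 0)
AFFECTED_MAX = (19, 0)            # inclusive
FIXED_IN = (19, 5)
HOTFIX_ID = "HF-2024-001"         # constructed identifier
UNRESPONSIVE_AFTER = timedelta(days=14)


@dataclass
class Device:
    device_id: str
    customer: str
    firmware: str                 # "major.minor"
    hotfixes: list[str]
    last_checkin: datetime
    ioc_hits: list[str] = field(default_factory=list)


def parse_version(text: str) -> tuple[int, int]:
    major, minor = text.split(".")
    return int(major), int(minor)


def classify(dev: Device, now: datetime) -> str:
    """One of: compromised, unsupported, not_affected, patched, unresponsive, vulnerable.

    IOC hits win over everything else: a hotfix closes the hole but does not
    evict an adversary who used it earlier. A device that has not checked in
    cannot receive the hotfix and its telemetry is stale, so it is flagged for
    outreach rather than counted as known-vulnerable.
    """
    if dev.ioc_hits:
        return "compromised"
    version = parse_version(dev.firmware)
    if version < SUPPORT_FLOOR:
        return "unsupported"
    if version >= FIXED_IN or not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not_affected"
    if HOTFIX_ID in dev.hotfixes:
        return "patched"
    if now - dev.last_checkin > UNRESPONSIVE_AFTER:
        return "unresponsive"
    return "vulnerable"


# Outreach order: incident response first, then patch nudges, then the
# "reasonable effort" conversation about out-of-support units.
OUTREACH_PRIORITY = {"compromised": 0, "vulnerable": 1, "unresponsive": 2, "unsupported": 3}


def triage(fleet: list[Device], now: datetime) -> dict:
    """Return {"counts": {state: n}, "outreach": {customer: [(state, device_id), ...]}}."""
    counts = Counter()
    outreach = defaultdict(list)
    for dev in fleet:
        state = classify(dev, now)
        counts[state] += 1
        if state in OUTREACH_PRIORITY:
            outreach[dev.customer].append((state, dev.device_id))
    for customer in outreach:
        outreach[customer].sort(key=lambda item: OUTREACH_PRIORITY[item[0]])
    return {"counts": dict(counts), "outreach": dict(outreach)}


# Constructed telemetry: six devices across four customers, all values made up.
NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)
FLEET = [
    Device("fw-001", "acme", "18.5", [HOTFIX_ID], NOW - timedelta(hours=2)),
    Device("fw-002", "acme", "19.0", [], NOW - timedelta(hours=6)),
    Device("fw-003", "globex", "19.5", [], NOW - timedelta(days=1)),
    Device("fw-004", "globex", "18.0", [], NOW - timedelta(days=40)),
    Device("fw-005", "initech", "18.5", [HOTFIX_ID], NOW - timedelta(hours=1),
           ioc_hits=["constructed-webshell-indicator"]),
    Device("fw-006", "umbrella", "17.5", [], NOW - timedelta(days=90)),
]

if __name__ == "__main__":
    report = triage(FLEET, NOW)
    print(report["counts"])
    for customer, items in report["outreach"].items():
        print(customer, items)
```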
6. Pursue, accept, and extend assistance
a. During incidents like Pacific Rim, it’s often enticing for cybersecurity vendors to adopt a guarded stance due to various legitimate concerns, e.g., fear of scorn/ridicule, opportunistic rivalry from competitors, or erosion of client/partner trust. However, an incident is not a moment for pride, embarrassment, or competition; it’s a moment for collaboration and cooperation in the interests of the clients we are entrusted to safeguard
b. Throughout Pacific Rim, we collaborated with numerous organizations and agencies, including ANSSI, Barracuda, Bugcrowd, CERT-In, CISA, Cisco Talos, CTA, Digital Shadows (now a part of Reliaquest), FBI, Fortinet, Greynoise, JCDC, Mandiant, Microsoft, NCA, NHCTU, NCSC-NL, NCSC-UK, NSA, Palo Alto Networks, Recorded Future, Secureworks, and Volexity.
c. This approach played a crucial role in enhancing our ability to fortify our clients, as well as clients of other vendors globally
7. Emphasize what you should do over what you are obliged to do
a. At times as a vendor, you may encounter challenging decisions on how to proceed amidst adversary interactions. For instance, decisions may arise concerning gathering indicators from client assets across various countries with distinct privacy regulations, whether to furnish updates for unsupported product versions still in extensive use due to infrastructure inertia, or the costs associated with contacting unresponsive clients, etc.
b. A deontological approach, centered on our goal to shield as cybersecurity vendors, can offer clarity in such complex scenarios
c. For example, even if there is no contractual obligation to deliver an update for discontinued products and even if your code branches and testing environments for those retired versions are archived, do not allow lack of obligation and the inconvenience/cost to hinder making a reasonable effort
d. Foster robust collaborations with legal teams. There may be opportunities to explore permissible limits when taking steps to safeguard, and refrain from using legal frameworks as a substitute for developed risk management practices, like threatening to silence or lock out researchers
8. Manage your disclosure narratives and timelines, and empower others to manage theirs
a. It’s beneficial to operate under the assumption that whatever information you possess on the engagement and your response will eventually be made public; leverage this to influence the comprehensiveness of your disclosures and communications, and strike a balance between timeliness and seeking assurance
b. If you are a cybersecurity vendor uncovering a vulnerability in a competitor’s product or operations, adhere to the responsible disclosure practices you would anticipate; prioritize shielding customers from harm over seeking accolades
9. Compete in the marketplace, not in the spur of the moment
a. When a competitor encounters a noteworthy incident, whether it’s an egregious vulnerability in their product or a global outage, practice empathy. Once clients, Support, Engineering, and Response teams are no longer in a difficult situation, it becomes important for us to mutually hold each other accountable in order to drive improvement across the industry.
Cybersecurity providers must ensure that we all embrace the CISA initiatives. Just like how we regularly share threat intelligence, we should also exchange organizational and operational best practices, especially those that result from our challenges.
Lastly, here are some concepts to spark conversations within the cybersecurity ecosystem about overcoming infrastructure inertia and the issues related to Digital Detritus. By the term “ecosystem,” I mean the collective group of vendors, clients, regulators, standardization bodies, researchers, insurers, investors, service providers, and more who all have a role in cybersecurity. (I use the term “conversation” to indicate that these concepts are not endorsements but are put forth as ideas to initiate discussions — presented, in part, in the spirit of Cunningham’s Law.)
1. Verified life cycles – There exists a mismatch in incentives between buyers and sellers regarding generational cycles. While sellers are motivated to shorten these cycles, they would face a competitive disadvantage if they enforced time-based functional limitations on their products while their competitors did not. For instance, if Company A decided to deactivate their router or firewall after a specified end-of-life date, Company B could promote the fact that they do not implement such a restriction. This would give Company B an edge over Company A, even though Company A is actively working to reduce the issue of Digital Detritus. One potential solution could be a “verified lifecycle” wherein products could gain an established certification for adhering to a product lifecycle. This lifecycle could comprise: 1) a clear deactivation date for the product, 2) gradual notifications to prevent surprises for customers, 3) a migration facility provided by the vendor to facilitate transitioning between generations, and 4) recognition of cybersecurity advantages from the cyber insurance industry in the form of preferred products and rates.
2. Reuse – Electronic waste (e-waste) is identified as one of the fastest-growing categories of solid waste globally, with over 62 million metric tons produced in 2022. In addition to significant environmental concerns, some of which regulatory conformity addresses, there is also a cybersecurity issue linked to this: the leakage of sensitive data. The adoption of a verified lifecycle could worsen the problem without some form of counterbalance. One approach to address this could involve enhanced incentives for recycling of infrastructure equipment. This could encompass vendor preparation for recycling to ensure automatic secure data wiping, including automated triggering as part of a verified lifecycle as a more secure default behavior; and government incentives that reflect the scale of the issue, including rewarding vendors and ODMs for more modular designs that aid in upgrades and disassembly, more attractive rewards for competitions like the DoE’s E-SCRAP program to encourage innovation in this domain, and subsidies (e.g., tax credits) for vendors investing in circular principles.
3. Secure by Design pricing markets – In addition to pollution, greenhouse gas emissions represent one of the most critical negative externalities globally. Carbon pricing offers a market-oriented solution to this issue through mechanisms such as carbon taxes and emissions trading, where responsible entities receive credits that they can sell on the carbon market as offsets to less responsible entities. These markets create further incentives for positive behaviors, and the impact is considerable. For example, Tesla, the Electric Vehicle (EV) company, has generated over $9B since 2009 by selling carbon credits to other auto companies that failed to meet regulatory requirements. A similar cap and trade market could be established for reputable Secure by Design actors (as demonstrated by self-declared and randomly verified progress towards the commitment) to obtain credits that they could sell as offsets to others while they are in the process of improving their practices. Increased transparency in the market can also offer buyers more insights into which vendors are credit producers, which are consumers, and the progress they are making over time.
Among the concepts Jen Easterly presented in her 2024 speeches, she outlined a vision of “a world where cybersecurity is obsolete.” At first glance, this might seem contradictory to the purpose of the agency she leads and the efforts many of us have dedicated to this field. While she admitted it was partly humorous, it is not too dissimilar from doctors hoping that their patients no longer require their services; in essence, being in perfect health, and professional golfers at that. I have always believed that cybersecurity could benefit from widespread adoption of a code of ethics, similar to medicine, as our version of Hippocrates’ primum non nocere (first, do no harm). The Secure by Design commitment addresses this ethical concern.
Medicine strives for cures but often settles for treatments — not for job security, contrary to what skeptics may suggest, but because treatments are more accessible than cures. The cybersecurity industry predominantly deals in treatments, while CISA is striving for cures. It’s like aspirins and vitamins, as the metaphor goes; we will always require both to achieve better outcomes for those we serve.
Sophos X-Ops is eager to cooperate with others and provide additional detailed IOCs on a case-by-case basis. Reach out to us at pacific_rim@sophos.com.
For more details, visit our landing page: Sophos Pacific Rim: Counter-Offensive Against Chinese Cyber Threats.
