The cloud and 5G security apocalypse is only a matter of time
AMSTERDAM – Network X – Greg van der Gaast recalls his first encounter with hacking at the tender age of 16. "My sister brought home a VHS cassette of the movie Hackers, and what this movie taught me was that if you break into computers you get it on with Angelina Jolie," he said. "I was highly motivated as a 16-year-old."
One year later, the man subsequently described as one of the five most infamous hackers on the planet had hacked into a nuclear weapons facility in the US and recorded the largest mass hack on record. There was no sight of Angelina, but he was visited by three men in suits from the Defense Department and another from US immigration – there to remind him of his semi-legal status as a Canadian in the US. "Offered" a job that meant receiving cash payments in a parking lot from federal agents, he spent much of the next three years behind a computer.
Not all of it, though. "I was in a high-speed chase," he told attendees at this week's Network X show in Amsterdam. "I also once had to meet an arms dealer with a recording device taped to my testicles, which was uncomfortable, although not as uncomfortable as when I had to remove it."
These days van der Gaast's lifestyle involves fewer such hairy moments (ouch). He speaks at trade shows, writes books and runs his own business advising companies on their cybersecurity strategy. And what he sees is scary. His rather peculiar analogy for the state of the security industry is a car factory whose third-floor assembly line spits cars onto a parking lot below, leaving employees to pick over and restore the mangled remains. As cars rain down, and the pile grows, there are not enough people to clean up the mess. And no one asks: "Why are we dropping cars from the third floor?"
The moral of the story is that security breaches usually happen because of bad practice upstream, while the industry's attention is focused on the downstream disaster in progress. "I've seen the same causes for every big breach I've witnessed in the last 20 years – I have never walked into a company that had good asset management," he said. "We keep building on top and on top and on top, not realizing the whole stack is compromised from within. You are not in control of your servers and your repositories or what code goes into your products' firmware."
No one knows what's under the hood
It's a view shared by Karsten Nohl, a German security expert paid by telcos to hack their systems and report back. As operators rush to "cloudify" their networks, he has found supposedly isolated websites providing a point of entry to IT systems, poor configuration of cloud-management tools, no safe segregation of network parts, reliance on open-source code with scores of unknown authors.
"Patching, hardening, network segregation, EDR [endpoint detection and response] – none of that happens in these networks," he told Light Reading. "A 5G network we tested before it launched was already outdated by three years."
The move from traditional vendors like Huawei to an array of smaller vendors with an IT background has simply thrown up a different set of problems. "Vendors like Huawei will not allow you to patch systems – you ask to patch, and they do a six-month cycle and charge for it, and it is completely pointless," he said.
"In the cloudified world, you don't have any patches because these are stripped-down VNFs [virtual network functions]," Nohl explained. "You don't use a standard operating system and creating patches for stripped-down Linux means doing it yourself, but now there are 20 vendors involved and none has experience in that."
Abstraction of complex systems and technologies has arguably created multiple layers of dependency, like a Jenga tower that would collapse if one block were disturbed. "If I control a hypervisor, I control the operating systems on the hypervisor," said van der Gaast. "I even control what your security EDR on top of it sees." Meanwhile, the people who developed and maintained older systems have moved on or retired.
The concept of intent-based networks is a recent example of this push to abstract complexity. In this scenario, alarmingly clever software receives instructions from a person and carries out a list of jobs that would previously have been done by flesh-and-blood programmers. It is like a garage run by one man who identifies your car's problem and then pushes a button that sets robots to work on fixing it – rather than the team of mechanics you might expect.
Python as a computer-language alternative to C# is a more classic case of abstraction, and one that has not necessarily brought savings, according to van der Gaast. "We like to do everything in Python because it's very quick," he said, pointing out that Python is multiple times more computationally intensive than older languages. "You could cut your monthly AWS bill just by switching."
Hunters and hunted
In the meantime, the opportunity for cybercriminals is growing as more and more data passes through networks in a technology-addicted world. BT's cybersecurity platform used to process about 100,000 "events" each day as it proactively hunted threats, said Hila Meller, the UK operator's managing director of global security sales. Today, it processes around 2 million a second.
She is evidently worried by the abstraction that comes from relying on external public clouds. "When you move to a multicloud approach, you really lose visibility when it comes to the supply chain," she said. "You don't know what it is they use, what the different elements are, and what could be the risk or pricing implications."
Hackers are increasingly sophisticated, too. Unsurprisingly, many of the attacks on the West emanate from Russia. They are no longer carried out by teenagers watching Angelina Jolie movies but by government agencies or criminal gangs that have "digitalized" along with the rest of society.
"The biggest have hundreds of people working for them," said Mikko Hyppönen, a Finnish security expert who hunts hackers. "They pay salaries. They have their own data centers with technicians to maintain them. They have units to recruit hackers and lawyers and business analysts."
Most big companies used to spend just 2% of their IT budgets on cybersecurity. The figure is now approaching 15% within some organizations, according to van der Gaast. And yet there has been no corresponding decrease in breaches or attacks, he notes. In a hyperconnected society that seems largely oblivious to the risks, it is hard to see that changing. "The Internet is the best thing and the worst thing that has happened in our time," said Hyppönen.
— Iain Morris, International Editor, Light Reading