NCSC CTO: Broken market must be fixed to usher in new tech
It may take ten years but vendors must be held accountable for the vulnerabilities they introduce
CYBERUK National Cyber Security Centre (NCSC) CTO Ollie Whitehouse kicked off day two of Britain's cyber watchdog's annual shindig, CYBERUK, with a tirade about the tech market, pulling it apart to demonstrate why he believes it's at fault for many of the security problems the industry is facing today.
In a speech-cum-call to industry, one which echoed many of the points made by CISA director Jen Easterly at RSA last week, Whitehouse thundered: "We know how to build cyber resilient technology. If you look at CHERI, there's a mechanism of addressing memory safety and legacy codebases through to Rust and similar. We know how to do it technically.
"The challenge is we actually have a market problem and actually producing the level of cyber-resilient technology we actually want and we actually need. So, we have to ask ourselves, why is it that it's not being realized in practice?"
To illustrate the point, he cited the roughly 14 percent increase in disclosed and registered vulnerabilities, that is, the ones that intelligence agencies are aware of.
"We know that there are various adversaries who are amassing vulnerabilities and not disclosing them in the way that we want, and this is compound growth," he said.
"Similarly, the claimed security efficacy of solutions is not realized in practice, either in a solution in isolation or in operations. We have claims not meeting reality."
Decades-old vulnerability classes still pervade software to this day, such as the recent spate of path traversal bugs, but they aren't blamed on lazy development so much as on technology debt – which is just one part of the broken market.
"We have levels of technical debt, extremely high levels in organizations, and in technology more generally. And the vulnerability when it is found, that technical debt is often really, really quite shallow."
One of the main issues around tech debt is that, while we can measure it, the industry needs to impose a cost of negligence on failing vendors rather than simply allowing them to escape that liability through their terms and conditions.
The idea of holding vendors to account in this way and ensuring there are significant penalties for security failings is a core tenet of what would be an ideal reform of the market, in Whitehouse's view, and it's one the industry has held for years.
That view is, of course, shared by his counterparts at CISA. At RSA last week, Easterly suggested the federal government should play a role in ensuring vendors are shipping secure products.
There is, of course, the possibility that the money governments pay for software isn't sufficient to be a forceful enough lever for change.
If one vendor can afford to lose a government sale while keeping their plethora of existing customers, then there's nothing stopping them from simply backing away and refusing to make the changes the industry needs.
That's where legislation, and to a point regulation, comes in. If the cost-of-negligence burden is to be placed on the vendors, then it will likely have to come via the legal system. The regulatory and legislative process is often too slow to adapt to the changing tech industry, however.
On the flipside, vendors that demonstrate proactivity in embracing improved security practices, such as secure by design, should be incentivized to do so. Those incentives will likely center on transparency around software components and technical debt, along with the negative reward of avoiding punishment for bad practice.
This discussion doesn't even touch upon the ever-present issue of security in open source software, which is an entirely different beast.
Fundamentally, the market in its current state is driven by value and cost, NCSC's CTO argued. "That is the enemy of cybersecurity," Whitehouse said, and cost is everything in the boardroom.
Cyber fatigue is rife among business decision-makers – many just want to be able to put a lump sum down, perhaps over just a few years, and have security addressed forever. It, of course, doesn't work like that, so the proper incentives need to be in place to ensure the focus on security is more of a marathon than a sprint.
Away from the current security threats, of which there are many, there is also a wave of exciting tech on the horizon. Human-machine interfaces, for example, are coming whether we like it or not, but Whitehouse framed this in a way that questioned whether the security industry is properly set up to welcome that technology into the world safely.
"We do not have a technology challenge. We know how to build cybersecurity-resilient technology. We have a fundamental market challenge to do so. So, how we incentivize that market to do it will be on us all in the next period if we want to ultimately win."