As I sit here and type, it is hard not to take a breath and feel rather melancholic thinking back over the last twenty years. Today is 8 September 2021, just a few days before the 20th anniversary of the 9/11 terrorist attacks on the Twin Towers in 2001, an event that marked a major shift across the entire world. It was also the start of a drive for digital dominance as part of an overall strategy by the United States' alphabet agencies to gain total visibility, total data capture, collation, insight, and ultimately control.
That strategy set in motion what we would later come to know as the 4th Industrial Revolution, in which every person, man, woman, and child would be tracked, monitored, digitally eavesdropped upon, digitally identified and geographically placed, just as was originally set out. Looking back upon the Senate's sign-off of billions of taxpayers' dollars, a question must be asked: was it in vain, were the right decisions made, and did anyone consider the real risk that what might be good for the goose could become incredibly destructive when used by the gander (the cybercriminal)? Let's not forget that the twenty-year Afghanistan war also commenced shortly after 9/11, and the withdrawal of US and allied forces after twenty years has likewise been questioned after the loss of thousands of lives and further billions of taxpayers' dollars.
Stop and consider that the World Wide Web was proposed by Tim Berners-Lee in 1989 for academia (and government) to share data, and that Public Key Infrastructure (PKI), built on public-key cryptography that GCHQ had discovered in secret years before its public invention, was developed to secure it by authenticating devices and users. PKI was rolled out to the world in the mid 1990s, made up of cryptographic key pairs and digital certificates, and was globally adopted. From our own findings, and from revelations including certificates planted by governments, it is without question that governments and the Intelligence Community (IC) started abusing the Internet and PKI from the outset. This started the cancerous growth that we now witness at every single company globally: no company, or government for that matter, knows exactly what its own PKI looks like or has control of it. To put a figure on it, digital certificates on a single laptop can number 200,000, yes, two hundred thousand. Multiply that by four, the typical number of devices per person, and then by the number of people within a company, and you can easily see how controlling and managing billions of digital certificates is a monumental task. Who would notice a few in there that had been planted by a compliant Certificate Authority, or delivered in a signed software update as was the case at SolarWinds, or signed with stolen certificates as was the case with the world's first digital weapon, Stuxnet?
The further challenge companies have is that they are 'encouraged' to recruit planted agency staff ('double hatters') who are all too willing to assist and send data back to the mothership, plant a few digital certificates, and encourage general acceptance of, and a risk appetite for, not knowing what makes up the company's PKI. This even extends to the digital certificates that are supposed to make their websites and servers secure; as a result those are frequently left insecure, which in turn facilitates infiltration, plants, and data exfiltration. We will expand upon this later, but this very modus operandi became the exact MO of cybercriminals and ransomware attacks. The so-called sophisticated attacks are doing no more than our own IC and governments have been doing for twenty years. The only difference is that the IC designed and developed its tactics and offensive website capability to digitally eavesdrop, whereas cybercriminals do it to steal Intellectual Property (IP), plant their own malicious code, extract Personally Identifiable Information (PII) or demand a ransom. The monster has unequivocally been turned on its creators. Not only did government extract, with questionable legality, PII on everyone; it created the methods to infiltrate and encouraged everyone to ignore the very same vulnerabilities so that it could carry on its own practices. As such, a CEO, CISO, or executive has limited to no knowledge of what an F & 0 cyber security rating actually means or implies, and the IC sector still plays this down while employing thousands of offensive website experts as part of its overall programme and team.
F & 0 is the worst possible cyber security rating. Our research of over 1,000 organisations shows such ratings to be a systemic issue across Tier 1 banks, central banks, government, healthcare companies and everything in between. These organisations have, as a direct result of poorly managed and insecure websites and servers, suffered cyber or ransomware attacks. Open-Source Intelligence, known as OSINT, is the collection and analysis of publicly available information; in security it is used to confirm that a company actually is secure at the junction where its networks and computers meet the Internet, not merely appears to be, by scanning the websites and servers it exposes there and keeping them that way. Sadly, it is unquestionable that cybercriminals are more proficient and more highly motivated in using OSINT tooling, and even Artificial Intelligence (AI), as part of their reconnaissance to identify exposed, vulnerable, and exploitable websites and servers that companies are overlooking, neglecting, and ignoring. In our scans those websites include the Department of Homeland Security (DHS), the National Cyber Security Centre (NCSC) and thousands more, all maintaining suboptimal websites and servers, often with CRI ratings of F & 0.
We witness F & 0 ratings everywhere, so it is important to understand exactly what such a Cyber Rated Index (CRI) score means. First, F & 0 is the worst possible grade and score; it does not get worse. The CRI takes numerous metrics into account, drawing on the OWASP Top Ten, MITRE CWE, HackerOne disclosures and other globally accepted and known website vulnerabilities. It is the most comprehensive insight into a website's configuration and security and a globally accepted metric. It is never subjective or an opinion: it is exactly the information that websites and servers legitimately hand over when asked. To put this into perspective, if one were to look at someone's Facebook or LinkedIn profile, the data being reviewed would be OSINT data. One only has to know how to look and, in the security world, be diligent and disciplined enough to do so frequently.
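To make concrete what "information the server hands over when asked" looks like, and the kind of check a website scanner performs on it, here is an added example that is not part of the original article and is not the author's CRI. It parses raw HTTP responses, checks for the hardening headers that OWASP's Secure Headers Project recommends, flags version-disclosing banners, and assigns an illustrative letter grade of the editor's own devising. Both sample responses are constructed, not captured from any real site.

```python
"""Illustrative audit of the security headers a web server volunteers on
every response. Added example: the scoring scheme below is the editor's
own and is NOT the author's Cyber Rated Index (CRI). Both sample responses
are constructed for this example, not captured from any real site."""
from typing import Dict, List, Tuple

# Response headers recommended by the OWASP Secure Headers Project, with the
# weakness that their absence leaves open.
EXPECTED_HEADERS = {
    "strict-transport-security": "no HSTS: HTTPS can be stripped or downgraded",
    "content-security-policy": "no CSP: no mitigation for injected scripts",
    "x-content-type-options": "no X-Content-Type-Options: MIME sniffing allowed",
    "x-frame-options": "no X-Frame-Options: page can be framed (clickjacking)",
    "referrer-policy": "no Referrer-Policy: URLs may leak to third parties",
}
# Banners that commonly carry a software version an attacker can match
# against published vulnerabilities.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
ONE_YEAR = 31536000  # minimum HSTS max-age that earns no finding here

# Constructed sample: a neglected server exposing everything it should not.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)
# Constructed sample: the same page served by a hardened front end.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into its status line and a
    lower-cased header dict. The body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per weakness observed."""
    findings = [problem for name, problem in EXPECTED_HEADERS.items()
                if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    if hsts and "max-age=" in hsts:
        try:
            max_age = int(hsts.split("max-age=", 1)[1].split(";")[0].strip())
            if max_age < ONE_YEAR:
                findings.append("HSTS max-age below one year")
        except ValueError:
            findings.append("HSTS max-age is not a number")
    for name in DISCLOSURE_HEADERS:
        if name in headers and any(ch.isdigit() for ch in headers[name]):
            findings.append(f"version disclosed in {name}: {headers[name]}")
    return findings


def grade(findings: List[str]) -> str:
    """Illustrative grade: one step down per finding, floor at F."""
    return "ABCDEF"[min(len(findings), 5)]


def audit(raw: str) -> Tuple[str, List[str]]:
    """Parse, audit and grade a raw response in one call."""
    _, headers = parse_response(raw)
    findings = audit_headers(headers)
    return grade(findings), findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        letter, found = audit(raw)
        print(f"{label}: grade {letter}")
        for f in found:
            print("  -", f)
```

The weak response earns seven findings (five missing headers plus two version banners) and bottoms out at F; the hardened response earns none. A real scanner adds TLS certificate and cipher checks, DNS and mail-security records, and exposed-service enumeration on top of this, but the principle is the same: every finding comes from data the server itself volunteers to any client that asks.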
With billions of USD being spent, and trillions of USD being lost, we are at a major junction of economic decisions. Those that know, know. Governments continue scoring the most monumental own goals and have this year encouraged, facilitated, even allowed cybercrime to reach an estimated USD 6 trillion, which would make it the world's third largest economy behind the US and China. The question is just how complacent, or how complicit, our governments are, and where the facilitation ends and the crime begins.
The investment community seems very happy to invest in cyber companies that then get breached: the shares fluctuate a tad, recover, and the orders keep coming in, all the while the company has maintained its CRI rating of F. They simply IPO, or go from a Series A to a Series B, and pass the hot potato.
One last question. As we hurtle towards the first anniversary of the SolarWinds supply-chain attack, the largest and most destructive cyberattack the world has seen, an attack that, in our analysis, utilised and accessed an insecure SolarWinds website rated F & 0 and went on to breach thousands of customers including the US Government, why are SolarWinds still maintaining their F & 0 CRI rating all this time later?
Furthermore, why has the US government kept using services from a compromised SolarWinds, a company now declaring its best ever figures for last quarter? Thoma Bravo, one of SolarWinds' major shareholders, sold around a quarter of a billion dollars of shares less than a week before the public announcement of the cyberattack. The shares dipped for a period and are now pretty much back at their pre-breach level. There has been little to no attribution beyond blaming Russian state-sponsored actors. No lasting share loss, and no loss of business. Critically, though, no more security, period!
We have witnessed some of the largest, most destructive cyber and ransomware attacks over the last couple of years. What is being learned? CEOs and CISOs have flouted security both before and after being breached, which must always raise the question: complacent or complicit? With costs and losses of over $6 trillion this year, at what point will the masses demand change and no longer tolerate such gross negligence? Of course, a lot of people's 'price' can be met and paid out of such vast figures. We are on the precipice of a massive economic shift and a fall into a global cartel situation led by corruption and cybercrime.
The NSA, GCHQ and many governments have an awful lot to answer for. They still believe they can dismiss and sweep away what is really happening, along with the access and enablement they are providing. The real judgement day is coming, and the masses, i.e. you, your children and their children, are being manipulated digitally with these agencies' knowledge, and possibly their involvement. To conclude, a question to the reader: if a clever person learns from their own mistakes, and a wise person learns from the mistakes of others, what do you call a person who learns nothing from either?
Andy Jenkinson is a senior and seasoned innovative executive with over 30 years' experience as a hands-on, lateral-thinking CEO, coach, and leader. He has crafted, created and been responsible for delivering over £100M of projects within the cyber, technical, risk and compliance markets with some of the world's largest organisations. He is the author of the book "Ransomware and Cyberwar, the global economic shift".