Well the problem is that policy makers and large industrial companies HAVE heard of it, and think it is "what is happening in Europe". And they should stop thinking that, hence this article.
As an SWE I do agree somewhat with what you say but this story is not complete. If you look at the attacks on Ukraine and the cybersecurity damage done it was fairly small in the grand scheme of things. Another important thing is that Microsoft helped them to fight back as well, so it was not a terrible investment. Was there any quantifiable risk assessment done to understand the potential damages if Russians carried out similar attacks in the Netherlands?
> As an SWE I do agree somewhat with what you say but this story is not complete. If you look at the attacks on Ukraine and the cybersecurity damage done it was fairly small in the grand scheme of things.
It's worth mentioning that the most expensive and extensive malware attack in history was caused by one of such Russian cyberattacks hitting systems which (at the time) they weren't intended to. Causing severe shipping delays and billions of dollars in damage.
Why don't we see these attacks though? I know they're worryingly practical and the West certainly has enough enemies (especially from extremist groups who don't have the same peace keeping concerns as a nation state), and yet we don't see groups just sabotaging critical infrastructure and businesses left and right. Is it really just difficulty/a lack of skill?
A reasonable guess is that some entities are storing / collecting attacks patiently waiting for one big event. Having smaller constant incidents only helps strengthen the opponent over time, thus making it harder to deploy a coordinated attack that can change history. The dutch narrative in the article is a good example of what happens whem nontechnical people make decisions over long periods of time without major incidents.
This makes sense for nation states playing war games but what about smaller actors? Terror groups seem content blowing up shopping malls and driving cars into parades (which are all things which I imagine are planned on a much shorter scale than your proposed "long game"). Why don't they go after infrastructure and businesses? Surely critical infrastructure is an interesting and attractive target for them?
there's a clue in the name I think. terror, as in deep, mortal fear. the goal of a terror group is to make as many average individuals fear for their lives as possible.
cyberattacks, even significant and disruptive ones, are abstract. it's hard to draw a line from shutting down a pipeline to an individual's sense of mortality. it's not an efficient way to get their message across.
ofc it would be a different situation if terror groups could use a cyberattack to drain the capital out of an entire bank or cause a power plant to go chernobyl.
I mean, we do and have, they just haven't yet been explicitly targeted at critical infrastructure. When they hit critical infrastructure, it has been more of an accident, that gets papered over by just paying the ransom (because it was a financially motivated attack) or the US government getting sufficiently pissed off to intervene directly state-to-state (which kinda happened with the Colonial Pipeline one in 2021).
If the attacks were targeted, were destructively motivated instead of financially motivated, there was no "kill switch", government threats ceased to work, etc... it'd be pretty bad.
I work for top tier cyber security outfit we had a sizable amount of resources allocated to helping mitigate cyber threats to Ukraine. My understanding is this is not isolated as most top tier or even smaller vendors and service providers took an active role in helping Ukraine defend against ruissian cyber attacks.
Good to see there's still some people vouching for old-school programming virtues. Among all the capital-driven centralization, scaling and complexification dominating the conversation I thought I was going crazy...
However as a fellow european, having worked for large "national/eu important companies", this article resonated a lot with me and my frustrations. Granted I don't do anything "security" related.
Everything in "it infrastructure" has been outsourced to India, at best Poland. You have competent people in eu offices that don't have the power to use their own hardware. You have to beg for weeks to barely skilled ticket masters from outsourcing companies, endless meetings.
All eu staff is relegated to feature factories or process managers. Zero ops. "It's not our core competency."
I refuse to ever again work for the large "of national security" european companies. It's soul crushing. And it is very clear nobody cares.
It hurts me everytime I read how tens of billions are allocated for whatever EU soverignity. I have been in way too many 10 managers 2 engineers teams with way too many long meetings begging teams from $indian_outsourcing_company to let me do my job.
Excellent talk. Thank you for highlighting risks, and explaining the need for robust infrastructure with clear, vivid images. Our systems need communicators like you.
There is one story I would like to clarify. The transcript says
> there were 4,000 wind turbines that could no longer be operated.
I tried to learn more about this. What I have found differs in some key details, suggesting that the turbines did stay in operation, and that the number was 5,800 turbines, not 4,000. What was lost appears to be the ability to do remote monitoring and remote control.
No questions, but as a security person, I found this to be aligned with the view of many of the people i consider to have a good pulse on the warfare side of security. You're certainly not alone in these thoughts and efforts to fix.
This is off topic, but I’m idly curious about the history of shipbuilding regulatory changes after the Titanic. Where did Brenno de Winter learn about them?
You talked a lot about how bad it is for governments to outsource stuff to Huawei and a handful of US clouds, but didn't really touch on what drive all those decisions beyond claiming it's due to non-technical leadership. It'd be great to see a somewhat deeper analysis than that in future. There are plenty of tech companies that also outsource a lot to the cloud, so it has to be more complicated than that, and there are European mini-clouds that don't get much love from European governments also.
The basic problem is fundamental: outsourcing is a very common thing you find in all walks of life, it is often the most reasonable choice due to comparative advantage. This is the reason I eventually gave up on "decentralization" as a worthwhile technical goal (after years spent working on Bitcoin). Everyone is trying to outsource everything that isn't their key competitive advantage, and that's because specialization is the heart of progress. The costs of centralization are obvious in terms of loss of resiliency, but when people aren't actually needing that resiliency for entire lifetimes it's hard to convince anyone to take the loss of progress that decentralization may appear to entail.
So what to do? As you found with your 1,600 line imgur alternative just starting over to make stuff be secure is ... hard. You wrote in C++ (not the most security conscious choice) and some of those vulnerabilities are very basic, like the one where you discover that due to a bug some users are getting empty passwords. You also sort of assume that your users will keep your app up to date, but we know they won't. So simply demanding programs be smaller isn't going to work. You'll just speedrun the history of vulnerabilities. Indeed, one reason to outsource stuff to a handful of giant providers is that they do a much better job of security overall. Yeah Microsoft may have problems with Chinese hackers, but government IT routinely has problems with greedy teenagers. So MS is still ahead of the pack.
IMO the most critical thing is really whole-systems analysis to find sources of unnecessary complexity and fix it. That won't necessarily turn the tide, but it can at least help. As a trivial example, HTTP stacks don't understand the concept of load balancing. They're still stuck in a world where every website is run by a single computer. That entails a lot of server-side complexity like dedicated LBs, maybe even DNS LB, replicated databases, health checks, drain periods etc just to avoid users seeing little dinosaurs due to normal maintenance. The complexity of this is overwhelming. When users accepted things like "This service will be offline on Sunday due to maintenance" you could get away with it but now people expect everything to be 24/7, so that complexity drives people to the cloud where it's somewhat handled for them.
Thus an obvious quick win - extend HTTP and DNS to understand IP address globbing and maybe even static route matching. If a connection to a server fails, have the stack transparently fail over to another one. Now you can scrap your server side LBs and reverse proxies but still have an HA service.
> Indeed, one reason to outsource stuff to a handful of giant providers is that they do a much better job of security overall.
Is that really true?
Shifting infrastructure to the cloud makes it cheaper, it reduces the incidence of security problems, but it magnifies the impact of security problems when they do occur.
Well, fair point. If you consider blast radius of failure then maybe it's worse off yes. But then the issue is not them doing a bad job but that too many people rely on them doing a good job,
It is the most reasonable choice when you get to disregard the long-term risks because by the time they are likely to manifest in a problem, it's no longer your concern anyway.
I don't think it's accurate to describe it as "loss of progress", either. It just makes progress more expensive. There's no reason why e.g. those support & maintenance jobs cannot be located in the same country, or at least a friendly one - it's not like there's something magical about China that makes Chinese inherently better at 5G maintenance. Nor is there any reason why the data centers cannot be run by different companies in the same country.
2. They designed the equipment that's being managed.
Those two reasons are sufficient on their own to make them inherently better at managing 5G networks. The first reason in particular is lost if you relocate the jobs to the west.
That's exactly my point. The first reason can be reformulated as, "security isn't free". The problem, of course, is that expenditures are immediate, while any mitigated attacks would be in the future. So any politician and any businessman who tries to solve it gets held accountable for the expenditures, and loses to competitors who just promise cheaper everything (and who won't even be there when SHTF as a result of those policies).
The second reason is largely the consequence of the first. There's no reason why that equipment couldn't be designed locally, either, except that costs of labor would be higher.
Tangentially I will also note that the main reason why costs of labor are lower in China is because the quality of life is so much shittier. I think it behooves us all in First World countries to consider what it really means for our societies if they truly cannot function without relying on the kind of cheap labor elsewhere that we made impossible in our own countries, largely for ethical reasons (labor rights, social welfare etc).
No, not really - however, based on this post, several people contacted me with questions like these. I asked around and got recommended https://www.amazon.co.uk/Cyber-Persistence-Theory-Redefining... for a more theoretical basis. Haven't read it yet though.
https://github.com/berthubert/trifecta/blob/main/README.md#k... has a list. The most painful one for me is that I did not know .svg files can contain javascript that gets executed in the site context if you can get someone to click on a link to your .svg file!
It has already been announced that this law will likely be extended. They later walked that back, but did admit that it is entirely possible to extend this law.
So, Dutch intelligence basically has legal leeway to pry anywhere. But I'm curious how they would hand over some "fact" to Police whom cannot normally access that information without some kind of warrant or legal approval from public prosecution.
Yes, parts of this law are very likely to be struck down by the European Court of Human Rights, if a case ever gets there. Specifically the 100% automatic powers to hack and intercept anyone who is hacked by state backed hackers are pretty unlikely to be legal under the ECHR.
There is literally nothing that can win against national security as "state actors (Russia, China, even mentioned in the text) trying to sabotage your infrastructure - look we have evidence but we're not gonna share it with the public".
