My ‘22 cyber wish list: 1. MFA FOR EVERYONE. Idiotic we’re not mandating this for critical infrastructure.
2 DISCLOSURE. We only know about SolarWinds because @Mandiant did the right thing. What Americans don’t understand but enemies do: USG lacks visibility into critical systems
3 RIP OUT LEGACY SOFTWARE. Organizations should be fined for using Windows XP the same way Americans are fined for driving without updated registration. Madness.
4 PATCHING.
5 SECURE CODING BY DESIGN. I spent thousands to move my toilet plumbing 2” to bring it to code. Why aren’t we requiring this for safety critical systems like the grid, water, dams, pacemakers. More madness.
6 SBOM. Software bill of materials with security ratings for each piece of code. We require restaurant chains to disclose calorie counts but we have no idea how vulnerable or secure the code is that makes its way into autonomous trucks, cars, water treatment systems, etc. (Props to FDA for getting the ball rolling with med devices).
7 MORE GOOGLE PROJECT 0. Govt funding for a tour of duty for the top US security engineers to find/plug 0days.
AND WHILE I’M SHOUTING. 8. Eradicate misogyny in infosec. I can’t tell you how many young women wrote to me after I got Twitter mauled to say “This is why we leave.” It has become a national security threat. We can’t address these challenges when we keep self-selecting jerks.
9 BE KIND TO ONE ANOTHER. We’re suffering from a mental health crisis. The world needs kindness more than ever.
10 Epidurals for every woman who wants one. Not cyber related but had to throw it in.
A few callouts from this morning’s blitz on Chinese cyber espionage. 1. We’ve known China’s Ministry of State Security contracts out some of its sensitive operations to a satellite network of hackers; now USG is calling them out by name (Yes!) and detailing the connections.
2. It’s not just front companies, USG is accusing Chinese universities of playing a critical role in MSS’ recruitment. We’ve reported on these connections before, but China is particularly sensitive about coverage that outs its universities.
3. My personal favorite! USG addresses zero day hoarding in its comments, noting that in this case, the NSA turned over additional Exchange zero days to Microsoft. I would like to buy the bureaucrat who inserted this phrase a beer: “Rather than withholding them...”