The upcoming election has created the perfect opportunity for the $100 billion cybersecurity industry to throw some fear, uncertainty and doubt — colloquially known as “FUD” — into the daily conversation.
Vendors see this as an opportunity to double down on their marketing to help congressional offices “defend democracy.” But they’re selling the same solutions that got these offices in trouble in the first place. Isn’t it time to try a different approach?
It’s important to understand that unlike other branches of government, each congressional office is responsible for their own security when it comes to their IT infrastructure. In many instances, offices outsource management of their systems to contracting agencies, which contributes to the problem.
Additionally, congressional offices and political parties were targets long before the industry took notice. Party staff are juicy targets for social engineering, phishing, and other forms of targeted attacks from APT groups. Stealing the data they’re holding can be a windfall for political adversaries or nation-state actors.
Even for organizations that have deployed security solutions, it doesn’t make them any safer. But the same vendors are peddling their wares to sell more kit to the government.
What I find particularly interesting about this FUD merry-go-round is the pushback from the security researcher community. In previous iterations of the FUD cycle, this tight knit community has limited the response to snarky remarks from the social media sidelines. This time they have coalesced, using hashtags like #nomorenextgen to express their distaste for what’s transpired. The community, it seems, is fed up.
It’s fed up with the millions of dollars in marketing campaigns; it’s fed up with the empty promises of cyber nirvana. It’s fed up with the constant hyping of threats. It’s fed up with the solutions that may or may not be real. Frankly, the industry is fed up with itself.
What makes it that much worse is the market telling people that these problems are intractable and only the most advanced technologies can make them go away. The truth is, these problems aren’t all that novel.
Research shows that more than 90 percent of exploits are the result of a user clicking a URL. Whether a drive-by download or a phishing link leading to ransomware, it most assuredly comes from the browser.
But organizations — especially political offices — can’t shut off the web. It’s the critical tool for candidates, staff and consultants to do their job. Necking down browser capabilities requires time for configuration and management that overworked IT teams can’t spend, while also lowering morale.
The risk-of-the-web balancing act is playing out across thousands of organizations today. “Next generation” improvements to the security stack have proven expensive and futile. Despite spending billions, we’re not any safer. There has to be a better way.
Recently, another government organization has looked to an alternative approach to this massive problem. Their “better way” doesn’t include next generation artificial intelligence, machine learning, or more IT staff. Rather, they reassessed how users can access the web while eliminating risk to their organization.
The Department of Defense Information Network (DODIN) — One of the most threatened networks in the world — is making a concerted effort to disconnect themselves from the web while preserving access for users. Their approach is to rely on a browser running outside of their network, shifting the attack surface area away from themselves. By releasing an RFI for a cloud browser, the DoD is showing the world that there is another approach.
For those of you as fed up with the FUD cycle as I am, I encourage you to not resign yourself to fate or to fall prey to the industry’s tactics of selling fear. The DoD is streamlining its tech stack and leading the way out of the FUD cycle by disconnecting from the web with a cloud browser. Congressional offices should follow suit.
This post was originally published on Cyberscoop. On September 20th, 2018 Authentic8 will be hosting an event in Washington DC on the browser and its role for the outcome of the November 2018 midterm elections - reserve your seat here.