Ramblings of a Tampa engineer

A few weeks ago at an event a discussion came up regarding the SolarWinds hack and the background on it. All in all the discussion got to a point where someone mentioned that it's kind of tough to defend against a nation state if they are set on targeting your business.

💡
For those out of the loop on SolarWinds, a little background. They are a company that helps businesses manage/monitor their network of systems, machines and more. They've grown quite big over the years, so a hacker group pivoted their attention to the vendor instead: compromise SolarWinds' build once, and the signed Orion update carries the malicious code into the stacks of the hundreds of other companies that install it.

This makes sense in a way - not every single business has nation-state threats on its list of things to worry about. The discussion grew even further though, and one point brought up was so interesting to me. One guy roughly said - "I bet if you took the best rocket in the military and shot it at a Ford 150 it would be destroyed, but a local Tampa Bay security company that protects a few companies has to withstand the world's best hackers every single day."

Probably a bit exaggerated, but I think it's fair to say that generally a consumer-built car is not going to stand up against a military rocket from a nation. Maybe forget the car and imagine a skyscraper - are any of those built to withstand sustained artillery fire? What I'm trying to get at here - most things are built without the scope to withstand a nation state throwing everything they have at it.

Dali Museum

Let's pivot and think about the Dali Museum in St. Petersburg. It was built in the heart of a city that experiences a rough hurricane every so often.

HOK designed the museum to complement the art, and give visitors a “Dalí-esque” experience, but at the same time protect the work from any foreseeable danger, especially hurricanes and flooding. As such, the museum was designed to withstand 165 mph wind loads from a Category 5, 200-year hurricane and includes 18 inch, cast-in place, reinforced concrete walls and a 12 inch thick roof. Storm doors shield the vault and galleries, which are all located on the third floor, protected against 30 foot hurricane storm surges. All of the glass is one-and-a-half inches thick, insulated and laminated, and was tested to resist the 135 mph winds, driven rain and missile impacts of a Category 3 hurricane.
https://inhabitat.com/fantastical-new-salvador-dali-museum-in-florida-is-also-hurricaine-resistant/

It was designed and built to ensure it could survive the natural disasters that plague this area. So let's bring this back to the point at hand.

If some nation blew up some random consumer car - there would be an outrage and probably a swift response from our military against the responsible nation. Yet when you move that focus into the digital world - it more resembles the wild west. You can have a nation with entire teams, entire careers, funded and dedicated to finding a flaw in something. More often than not they succeed, and the wider community might laugh it off with "wow, increase your security" - or, even worse, it goes entirely unnoticed.

SolarWinds tried to put blame on an intern who set/leaked an insecure password of "solarwinds123" [1], but obviously for those in the industry it's a failure of the business to allow such a thing to happen. We could look back at the xz backdoor, which told the story of a multi-year attack and showed that, presumably, some nations will spend years in order to perform an elaborate digital attack. It seems bleak in some ways the longer you look at this.

Imagine you are a business that is becoming an increasingly larger target for nations around the world to hack. You might produce software, but you probably aren't responsible for building every little thing your business uses. You probably work with different businesses and entrust them with your data to handle some aspect of your business. They may have some certifications and compliance measures that check off boxes required to do business with you, but a checkbox is not the same as a secure build pipeline. You probably have to worry about every single new hire and hope internal protections are good, as some folks may be trying to get hired solely to exfiltrate information. There is an insane amount of digital security you have to stay on top of, and it changes daily, so just staying current is a job in itself.

So then I wonder what the solution is - because we can't assume every single little business has the security knowledge or time to protect against malicious nations with near-unlimited budgets and talented people. We are, however, making progress in a few ways:

  1. Memory-safe languages - Anything that helps us avoid writing whole classes of vulnerabilities (buffer overflows, use-after-free) in the first place.
  2. Reproducible builds - Letting anyone rebuild from the published source and get a bit-for-bit identical binary, so a build server that was tampered with (the SolarWinds problem) produces a mismatch instead of a trusted release.
  3. Software Bill of Materials (SBOM) - An inventory of the components that make up a piece of software, so that when the next xz-style backdoor or CVE lands you can automatically find out whether you ship the affected version.
  4. OpenID Connect (OIDC) - Letting CI systems and services authenticate to each other with short-lived, signed identity tokens instead of long-lived shared passwords or API keys that sit in config files waiting to be leaked.
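As an added example of how item 3 gets used in practice (this is not code from the original post), here is a small Python matcher that reads a CycloneDX-shaped SBOM and checks each component against advisories expressed as OSV-style "introduced"/"fixed" version ranges. The SBOM document and the advisory list are constructed inline: widgetlib, parserkit and the EXAMPLE-* advisory ids are hypothetical, while the liblzma entry mirrors the public xz advisory (CVE-2024-3094, which covers xz 5.6.0 and 5.6.1).

```python
"""Match a CycloneDX-style SBOM against a list of advisories.

Added example, not code from the original post. The SBOM and the
advisory list are constructed inline: 'widgetlib', 'parserkit' and the
EXAMPLE-* ids are hypothetical; the liblzma entry mirrors the public xz
advisory (CVE-2024-3094, affecting 5.6.0 and 5.6.1).
"""
import json
import re

# Constructed minimal CycloneDX-shaped SBOM (components only).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "liblzma", "version": "5.6.1"},
    {"type": "library", "name": "widgetlib", "version": "2.4.1"},
    {"type": "library", "name": "parserkit", "version": "1.3"}
  ]
}
"""

# Constructed advisory list using OSV-style events: 'introduced' is
# inclusive, 'fixed' is exclusive. Only the liblzma entry is real.
ADVISORIES = [
    {"id": "CVE-2024-3094", "package": "liblzma",
     "ranges": [{"introduced": "5.6.0", "fixed": "5.6.2"}]},
    {"id": "EXAMPLE-0001", "package": "widgetlib",   # hypothetical
     "ranges": [{"introduced": "2.0.0", "fixed": "2.5.0"}]},
    {"id": "EXAMPLE-0002", "package": "parserkit",   # hypothetical
     "ranges": [{"introduced": "1.2.0", "fixed": "1.3.0"}]},
]


def parse_version(version):
    """Extract the numeric fields of a dotted version: '5.6.1' -> (5, 6, 1).
    Pre-release tags like '-rc1' are ignored, which is fine here but not
    for ecosystems with richer version grammars (semver, PEP 440)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def compare_versions(a, b):
    """Return -1, 0 or 1. The shorter tuple is zero-padded so that
    '1.3' compares equal to '1.3.0' instead of sorting before it."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) range.
    A range without 'fixed' means no fixed release exists yet."""
    for r in ranges:
        if compare_versions(version, r["introduced"]) < 0:
            continue
        if "fixed" in r and compare_versions(version, r["fixed"]) >= 0:
            continue
        return True
    return False


def match_sbom(sbom_text, advisories):
    """Return sorted (name, version, advisory_id) tuples for every SBOM
    component whose version sits inside an advisory's affected range.
    Matching here is by bare component name; real tooling keys on the
    purl (package URL) so that the same name in two ecosystems is not
    confused."""
    components = json.loads(sbom_text)["components"]
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["ranges"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, adv_id in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

Two details matter more than the loop itself: the "fixed" bound is exclusive, so parserkit 1.3 is correctly reported clean against a range that ends at 1.3.0, and versions are zero-padded before comparison so "1.3" and "1.3.0" are the same release. Getting either of those wrong is how an SBOM scanner quietly misses the one component you actually needed to know about.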

Hacking isn't coming to an end and the wild west of nations waging a digital war is far from over.


[1] - https://www.itpro.com/security/cyber-attacks/358738/intern-blamed-for-weak-password-that-may-have-sparked-solarwinds
