It’s a scary, ominous thought:

The cybersecurity systems we currently have in place aren’t working.

That’s what Ron Ross told the National Commission on Enhancing National Cybersecurity during a meeting in Minneapolis.

Ross should know what he’s talking about; he’s the National Institute of Standards and Technology’s top computer security scientist.

One of the vulnerable areas Ross mentioned in his comments centered on firmware (as well as software and hardware components of underlying systems and networks).

To be exact, Ross said that there are “limitless” – and growing – opportunities for hackers “to exploit vulnerabilities resulting from inherent weaknesses in the software, firmware, and hardware components of the underlying systems and networks.”

When it comes to firmware, vulnerabilities can and do exist:

• Just this month, BitDefender released a report (here and here) about “smart sockets” — devices which connect things like thermostats, coffee makers, garage doors, smart TVs, security cameras and medical devices with the internet. The report spelled out in fine tooth comb detail how smart sockets are vulnerable to firmware upgrades which can be exploited by hackers, exposing users to all sorts of online and physical security risks.
• Last March, hacker Jason Hughes reportedly penetrated the Tesla car’s operating system firmware, discovering references to a new (and unannounced) Tesla Model S P100D and a 100kWh battery. Hughes later alleged that Tesla remotely downgraded his firmware after he started talking about what he found.
• In December 2013, a highly-secret NSA document (Known as the Advanced Network Technology (ANT) catalog) quietly became public. Included in the report was 50 pages of extensive pictures, diagrams and descriptions of top secret NSA hacking tools. One, codenamed IRATEMONK, is, “Technology that can infiltrate the firmware of hard drives manufactured by Maxtor, Samsung, Seagate and Western Digital.”

The solution to these firmware challenges isn’t easy. In his speech, Ross mentioned concepts like “safety and reliability…from the beginning”, “disciplined and structured approach” and “assured and trustworthy solutions” which “require a significant investment of resources and the involvement of essential partnership including government, industry, and the academic community.”

As I mentioned in a previous post, we faced some highly destructive challenges in the 1960s and 1970s as we sent men to the Moon and brought them safely back to the earth. But we persevered, we overcame them and succeeded in reaching our goal.

It’s my hope that we can and will do the same in cyberspace…before it’s too late.