Trust in a Trustless World
Why Trustless Models are Hard in Cybersecurity
What is the hardest thing someone can earn? It can’t be money, because everyone earns money at some point in their lives, regardless of how much. It can’t be time, because we’re always losing the finite amount of time we have from the moment we’re born.
The hardest thing someone can earn and the easiest thing one can lose, in my opinion, must be trust. Even those that trust easily can lose their confidence in someone based on a minor rift.
Cybersecurity’s Trust Problem
The cybersecurity industry is one that believes in a “trustless” framework. This means that everything is to be audited and inspected, scrutinized and checked, in search of threats.
This framework, while necessary and warranted, has created paranoia among those who are not familiar with the threat landscape and risk profile. Imagine knowing that there is a threat to your life, but having absolutely no idea where it will come from: a friend or a foe, your environment, or something artificial. It’s there, but you can’t see it.
In a trustless model, you adjust to your dangerous environment by assuming the worst. Even with your friends, you assume that either their motives are hidden or that they are being used against you. Everything plays out the same way: you investigate and confirm everything, revealing nothing until you know it is safe.
This is an analogy of how the cybersecurity world works between different organizations. At least, theoretically. As one person said in a tweet that inspired this article, “Trustless models don’t exist, you always trust something”. This is true, you do always trust something.
Think about it. How many times does a familiar procedure with a familiar entity have to occur before you trust that it is safe, or at least that a specific outcome will occur?
Trustless Models are Necessary
You may ask, “What’s the big deal if I trust something or not?” Well, to answer your question, let’s take a look at the now-infamous SolarWinds attack. Clients trusted SolarWinds to provide a secure platform. That trust led those clients, in many cases, to expose their entire network infrastructure to the software, believing it was safe to use.
This thought process was further confirmed by the Exchange attack, which dwarfed SolarWinds in size.
Those clients trusted SolarWinds and, in return, may have suffered a breach by the Russians, handing the attackers detailed information that was meant to be kept secret.
This proves that the tweet was true: “you always trust something”. That said, this violates the core of what a “trustless” model is supposed to be. This is no longer a “trustless” model; it’s a “discretionary trust” model.
If we (the cybersecurity community as a whole) are going to teach about trustless models, and talk about implementing them, then we should implement them as they were intended.
This is not a call to automatically stop trusting your dearest friends and family, quit all partnerships with third-party vendors, and become a hermit.
This is a call to scrutinize partners and vendors, with the understanding that your adversary almost certainly will.
Trust but Verify
You’re on the same team as your vendors and partners. Unless your vendor happens to secretly be a front for a foreign intelligence organization or cybercriminal ring – in which case, I would assume you are not on the same team.
Although you are on the same team, don’t automatically believe that your vendors and partners are doing security as well as you are, or that they can keep you safe on their own. Remember that any time you decide to use a third-party vendor or bring in an external partner, you inherit a higher level of risk.
The key is neither to trust them completely nor to wholly distrust them and toxify the relationship. Instead, follow the old Russian (ironic) proverb of “trust but verify”.
Yes, I know this still says “trust” and not “don’t trust”. However, in verifying, you imply a certain level of trustlessness.
This can be done in a number of ways, not all of them available all the time. In the case of SolarWinds, one strategy would be requesting details about SolarWinds’ own security practices. I’m not going to act like I know what that kind of inspection would look like; for all I know, they would have passed with flying colors. However, that additional step may have uncovered details that would have made potential clients hesitant. This is the case with every single vendor out there, not just SolarWinds. They just get to be the subject because of the aforementioned breach.
There is no silver bullet, no magic pill, no miracle fix.
We’ve seen the threat that placing too high a level of trust in external partners and vendors can amount to. What we haven’t discussed is the risk of not having any external partners or vendors at all.
Obviously, risk varies from organization to organization, but I personally believe the risk from isolation is high.
While using SolarWinds recently exposed clients to the breach, the Orion platform was widely used for a reason. Organizations found it useful, and superior to other products on the market or to their own product, should they have chosen to develop one. The same can be said of Exchange.
While the SolarWinds breach has left a scar, these types of events are exceedingly rare, thankfully. Even the far larger Exchange attack targeted primarily older versions of Exchange. Following cybersecurity best practices by regularly patching and updating may have saved tens of thousands of organizations.
Besides, businesses aren’t designed to be hermits. They’re designed to be out in the world, providing their services.
Regardless of the strategy you choose to implement, it’s important to know that a trustless model can be achieved, that it is important, and that it does make a difference.