I agree. I think what we are split on is purpose/intent.
>could not reasonably be expected to protect against.
Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who? Number one is probably compliance/regulation.
> “get out of jail free”
This is one of my red flags I also keep seeing. Whoops we can't do the thing we say we do. The entire sec industry seems shady AF. Which is why I think they are a huge future rent seek lobby. Once the insurance industry catches on.
> these reports get used to fund the security program
> I agree. I think what we are split on is purpose/intent.
I… don’t think so? Your original comment was that companies claim nation state attack as a way to get government funding. That has nothing to do with assessing blame for an attack.
> Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who?
If you think you as a private entity can defend against a tier 1 nation state group like the NSA or Unit 8200, you are gravely mistaken. For one thing, these groups have zero day procurement budgets bigger than most company market caps.
That’s why companies reflexively blame nation state actors. It isn’t to get government funding. It is to avoid blame for an attack by framing it as something they could not have prevented.
When I went through a tech school cyber security program (10+ years ago now) we were told that the situation was "If Canada wants to hack you, it is improbable you can stop them. If the US wants to hack you, they will. Therefore we will not be focussing on strategies to counter nation state actors." It was a forgone conclusion that you would lose against them. I imagine the situation hasn't improved much in the last ten years.
Maybe not feasible now, but maybe it could be feasible at some point in the future if things are built on top of seL4 , with similar techniques used to demonstrate that the programs in question also have some desired security properties, building on the security properties the kernel has been proven to have?
Of course, one might still be concerned that the hardware that the software is running on, could be compromised. (A mathematical proof that a program behaves in a particular way, only works under the assumption that the thing that executes the program works as specified.)
Maybe one could have some sort of cryptographic verification of correct execution in a way where the verifier could be a lot less computationally powerful while still providing high assurance that the computations were done correctly. And then, if the verifier can be a lot less powerful while still checking with high assurance that the computation was done correctly, then perhaps the verifier machine could be a lot simpler and easier to inspect, to confirm that it is honest?
Sure, every little bit helps. But, keep in mind formal verification isn’t going to prevent configuration errors, and it remains to be seen if, for example, automated verifiers can do anything like the sel4 proof at scale. sel4 is tiny compared to most other software systems. There will still be technical avenues to attack, and if those get closed off nation state actors will just go back to spying the old fashioned way.
I agree. I think what we are split on is purpose/intent.
>could not reasonably be expected to protect against.
Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who? Number one is probably compliance/regulation.
> “get out of jail free”
This is one of my red flags I also keep seeing. Whoops we can't do the thing we say we do. The entire sec industry seems shady AF. Which is why I think they are a huge future rent seek lobby. Once the insurance industry catches on.
> these reports get used to fund the security program
So we agree?