[marcusb]

> I keep seeing it pop up again and again and it only makes sense in that context.

Not saying that these companies would turn down corporate welfare given the chance, but I’ll offer an alternative explanation: it shifts accountability away from the company by positing a highly resourced attacker the company could not reasonably be expected to protect against.

If you have a physical security program that you’ve spent millions of dollars on, and a random drug addict breaks in and steals your deepest corporate secrets people are going to ask questions.

If a foreign spy does the same, you have a bit more room to claim there’s nothing you could have done to prevent the theft.

I’ve seen a bunch of incident response reports over the years. It is extremely common for IR vendors to claim that an attack has some hallmark or another of a nation-state actor. While these reports get used to fund the security program, I always read those statements as a “get out of jail free” card for the CISOs who got popped.

[citizenpaul]

>it shifts accountability away

I agree. I think what we are split on is purpose/intent.

>could not reasonably be expected to protect against.

Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who? Number one is probably compliance/regulation.

> “get out of jail free”

This is one of my red flags I also keep seeing. Whoops we can't do the thing we say we do. The entire sec industry seems shady AF. Which is why I think they are a huge future rent seek lobby. Once the insurance industry catches on.

> these reports get used to fund the security program

So we agree?

[marcusb]

> I agree. I think what we are split on is purpose/intent.

I… don’t think so? Your original comment was that companies claim nation state attack as a way to get government funding. That has nothing to do with assessing blame for an attack.

> Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who?

If you think you as a private entity can defend against a tier 1 nation state group like the NSA or Unit 8200, you are gravely mistaken. For one thing, these groups have zero day procurement budgets bigger than most company market caps.

That’s why companies reflexively blame nation state actors. It isn’t to get government funding. It is to avoid blame for an attack by framing it as something they could not have prevented.

> So we agree?

No, I don’t believe we do.

[dehugger]

When I went through a tech school cyber security program (10+ years ago now) we were told that the situation was "If Canada wants to hack you, it is improbable you can stop them. If the US wants to hack you, they will. Therefore we will not be focussing on strategies to counter nation state actors." It was a forgone conclusion that you would lose against them. I imagine the situation hasn't improved much in the last ten years.

[drdeca]

Maybe not feasible now, but maybe it could be feasible at some point in the future if things are built on top of seL4 , with similar techniques used to demonstrate that the programs in question also have some desired security properties, building on the security properties the kernel has been proven to have?

Of course, one might still be concerned that the hardware that the software is running on, could be compromised. (A mathematical proof that a program behaves in a particular way, only works under the assumption that the thing that executes the program works as specified.) Maybe one could have some sort of cryptographic verification of correct execution in a way where the verifier could be a lot less computationally powerful while still providing high assurance that the computations were done correctly. And then, if the verifier can be a lot less powerful while still checking with high assurance that the computation was done correctly, then perhaps the verifier machine could be a lot simpler and easier to inspect, to confirm that it is honest?

[marcusb]

Sure, every little bit helps. But, keep in mind formal verification isn’t going to prevent configuration errors, and it remains to be seen if, for example, automated verifiers can do anything like the sel4 proof at scale. sel4 is tiny compared to most other software systems. There will still be technical avenues to attack, and if those get closed off nation state actors will just go back to spying the old fashioned way.

[globalnode]

> zero day procurement budgets bigger than most company market caps

do you mean they pay companies to put backdoors into products? or you mean they just go hunting for vulnerabilities. maybe both?

[marcusb]

Mostly I mean they research vulns and buy exploits on the open market, but yes they are also getting backdoors placed in commercial products.