Turning off your phone isn't the answer... but what is?

Late last week Australia discovered the silver bullet in cyber security. The prime minister presented the easy fix: we just need to turn off our devices regularly, and that will stop the threat dead in its tracks. Whilst this solution may work in very specific circumstances, I wanted to at least walk through the limitations of this fix, and also the reality that when we present conclusive end states, we induce greater risk into our digital environment.

Why this isn't quite correct

I believe that if we work backwards through the Lockheed Martin Cyber Kill Chain, we can at least make some basic deductions as to why rebooting has a negligible impact.

  • Installation (CKC 5) - When my team and I conduct offensive actions, one of our activities is installation, or persistence. A reboot does not clear off our persistence; upon reboot, any code a threat actor has loaded onto the system will be triggered again. I would even argue that cached content in a browser also persists. This of course does not just apply to what a threat actor has installed, but also includes malicious code already installed, including dodgy apps from the Android store (who knew that the flashlight application needed so much access to your system... better turn the flashlight off).
  • Delivery (CKC 3) & Exploitation (CKC 4) - Exploring the initial vectors by which malicious code is introduced into our systems, the reality is that once code is introduced, it is likely that, in the case of a mobile device, the actions on objectives (CKC 7), such as ransomware events or simply dumping content at a set point in time, are already realised. As a result, the reboot really doesn't matter. There is also the other reality of exploitation: reliable exploits, which can simply be used again after the reboot.
  • Weaponisation (CKC 2) - Let's bring it back to basics: the cost of a zero-click RCE on a number of platforms now exceeds $1 million. Factor in planning, logistics, command and control and other requirements for such exploitation, and the cold hard reality is that 80-90% of us are not worth the effort. The sheer cost of the sort of attacks that would be prevented by a regular reboot is such that most of us aren't affected.

The one time this will work is when something is running only in memory and the threat actor has no intention of persisting, at which point a reboot simply clears off a threat actor who needed to do a hit and run and is indifferent to the reboot anyway.

So why does this matter?

The reality is that there is no harm in rebooting a personal device at regular intervals, and it may very well clear off something hanging around in memory. The issue is what I call "bear patrol syndrome", after an event in a Simpsons episode. After a minor incident with a bear walking through town, the residents of Springfield set up a bear patrol program, complete with sirens and their own B-2 bomber. Lisa Simpson points out that a rock is equally effective at performing the same function, as evidenced by the absence of bears. Performance, or the dramatic arts, should play a limited role in cyber security; theatrics and manipulation of human behaviour with no evidence are at best a control mechanism to force positive behaviours and at worst the foundation for cults and attitudes that erode the social fabric.

We've seen such conditioning in the past in cyber security, including:

  1. $20 antivirus fixing every single problem
  2. VPNs somehow stopping white kids in hoodies spying on you, because the TLS connection to your bank or other services clearly isn't preventing interception.

My worst experience of this was dealing with a domestic violence victim who suffered through a lack of education, reinforced by the "A Current Affair" approach to cyber security recently employed by the prime minister. Existing prejudices, likely exacerbated through years of mental abuse, alongside thought processes and fears from introduced ideas, saw the victim convinced, in the absence of evidence, that their partner was still present on their electronic devices even after the investigative efforts of multiple professionals. Unfortunately, a few grifters had long capitalised on this, convinced her the individual was still there, and prolonged her mental anguish. The actions taken by the prime minister only reinforce the culture of digital mysticism that has now captured so much of the western world and only serves to continue harming us.

Looking forward, the conditioning and the absence of evidence or reasonable conclusions also present a number of risks that I foresee:

  1. The illusion that an overspend in cyber security, often to the benefit of individuals providing no meaningful contribution, somehow saves western civilisation.
  2. A centralised and authoritative cyber security function imposing draconian measures, slowing innovation and costing more than the problems it seeks to solve.
  3. Failing to meaningfully address real problems in cyber security through empirical, objective-focused actions.

I use the word empirical quite deliberately; the absence of evidence-based approaches, even when ASD/ACSC has published the globally recognised top 35 mitigations (incorporating the ASD Essential Eight), informed by decades of incident response, was a bit of a disappointment. You don't need to be a political genius to realise that, when your advocated approach of rebooting regularly doesn't work and systems are still getting hosed, everyone will question what expertise our government really has to make us "the most cyber secure country by 2030".

So what is the answer?

The best answer I could give came to me several weeks ago and was probably codified while writing this. Context is everything, so the best we can do is absorb what reliable information we have at hand and make a decision.

There is never a perfect decision, only trade-offs, and whilst our digital environments will always carry some insecurity, the economic and cultural value we have realised from them over the years probably highlights that we have done pretty well so far, but there's always more to do.

Matthew Hoy

Information Security Professional

1 yr

Many people have given me grief for dual wielding. The nice thing about this is I have a work phone and a personal phone from 2 different carriers, so I always have phone or data service wherever I go. The other thing is, I put the work one on do not disturb when it isn't work time. It is only optional for me to look at the work phone if it isn't business hours. If something requires my attention outside of normal hours, my people know how to get a hold of me otherwise.

Reply
Paul Watters PhD

Cybercrime and Cybersecurity | fractionalciso.com.au

1 yr

??

Reply
John E.

Cyber Security Executive & Strategist with Global Experience | Driving Resilience & Trust in Tech

1 yr

Nicely penned, Ed. I particularly resonate with your emphasis on context. It brings to mind a quote from the stoic philosopher Epictetus, “Only the educated are free.” I wholeheartedly concur that context, information, and knowledge are the bedrock of sound judgement and appropriate action. In your view, how can we better educate the general public about the nuances of cybersecurity to foster this understanding?

Raymond Harvey

Senior Defence Cyber Evangelist at GuardWare, BDM Defence/Aerospace/Space at Cider House ICT, Presenter - Defence Ready Seminar Series at Goal Group

1 yr

Great points, Ed!

Reply
