Cyber Defense Magazine - Annual RSA Conference 2019 - Print Edition
O2, Ericsson, and Equifax: How Certificate Expirations Led to Some of the Largest IT System Failures of the Last Two Years
By Tim Callan, Senior Fellow, Sectigo
Our modern IT landscape depends fundamentally on digital certificates. Certificates are nearly ubiquitous in contemporary computing systems and permeate every aspect of our digital lives. They are essential to the secure functioning of our business processes, communication, retail purchasing, utilities, transportation systems, personal electronics, and so much more. Virtually no digital process or device would securely operate without the use of certificates.

Each certificate authenticates the identity of a machine, device, or software operation to ensure that only the intended connections are occurring, and most systems won’t enable encryption unless certificates are available. The reason for the latter is that encryption on its own does not constitute protection if the encrypted information might wind up in the hands of the wrong party.

Certificates must be issued by a Certificate Authority (or CA), which is the trusted authority for identity on that particular network. For internal uses like IoT networks or enterprise device certificates, the company that owns the devices can be the Certificate Authority. But for the public internet (including use for web sites, server-to-server connections, or email), certificates need to come from a public CA whose roots are universally trusted by the systems on the internet.
With so much depending on certificates, it may not be surprising that an unexpected expiration can cause an application to stop working or security to lapse. In fact, it was revealed in December that the expiration of two certificates disrupted the lives of hundreds of millions of people. Early in the month, a mobile service outage affecting tens of millions of customers of O2, Softbank, and other carriers was ultimately traced to the expiration of a certificate that was part of the backend data service Ericsson provided to mobile service providers around the world. And then the following week, the House Oversight Committee released its report on 2017’s Equifax data breach.
December’s mobile outage affected carriers in eleven countries for as long as a day. The consequences to the carriers were huge. O2 gave all affected customers a credit worth two days of their data plans. Softbank experienced this outage a day before its IPO – a tremendous black eye exactly when the technology giant was looking for investor confidence. And it is reported that O2 could penalize Ericsson up to $100 million for failure to meet its SLA.
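The article's point that an unexpected expiration silently takes a service down is, from the defender's side, an inventory problem: every certificate's notAfter must be known and acted on before it lapses. As an added example (not part of the article and not Sectigo's tooling), the following Python check classifies certificates as expired, expiring or ok using the dict layout that ssl.SSLSocket.getpeercert() returns; the inventory, host names and as-of date are constructed sample data.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample inventory in the dict layout ssl.SSLSocket.getpeercert()
# returns; host names are placeholders and the dates are invented for this example.
INVENTORY = [
    {"subject": ((("commonName", "api.example.invalid"),),),
     "notAfter": "Dec  5 23:59:59 2018 GMT"},
    {"subject": ((("commonName", "mq.internal.invalid"),),),
     "notAfter": "Dec 20 12:00:00 2018 GMT"},
    {"subject": ((("commonName", "portal.example.invalid"),),),
     "notAfter": "Jun 30 00:00:00 2020 GMT"},
]
# Constructed "current time" so the report is reproducible offline.
AS_OF = datetime(2018, 12, 6, 9, 0, tzinfo=timezone.utc)

def common_name(cert):
    """Pull the subject CN out of the nested tuple layout getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def expiry_status(cert, now, warn_days=30):
    """Return ('expired'|'expiring'|'ok', days_left) for one cert as of tz-aware `now`."""
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" form getpeercert() emits.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining = not_after - now          # negative once the certificate has lapsed
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "expiring", remaining.days
    return "ok", remaining.days

def expiry_report(inventory, now, warn_days=30):
    """Return (common name, status, days_left) for every certificate that is not 'ok'."""
    alerts = []
    for cert in inventory:
        status, days_left = expiry_status(cert, now, warn_days)
        if status != "ok":
            alerts.append((common_name(cert), status, days_left))
    return alerts

if __name__ == "__main__":
    for name, status, days in expiry_report(INVENTORY, AS_OF):
        print(f"{name}: {status} ({days} days left)")
```

In production the same functions take the dict returned by a live `getpeercert()` call or by an inventory export, and the warning window should be wider than the longest renewal lead time in the organisation.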
70 Cyber Defense Magazine - Annual Print Edition 2019