
The Conspiracy of Silence: A Q&A with Mainframe Researcher Phil Young

Heidi Losee

June 20, 2018

Having worked in mainframes for decades, I’ve had a front-row seat to one of the industry’s most persistent problems: its attitude toward mainframe security. For a long time, the common belief has been that mainframes are an impenetrable fortress, immune to the types of external attacks and data breaches that grab headlines.

It’s a concerning misconception because it leads to business risk. Mainframes often hold a corporation’s most sensitive data, and while it’s true that they are the most securable computer systems, someone still needs to do the job of protecting them. As it stands, the task of securing the mainframe is often splintered between multiple areas of IT – security, operations and systems programming. CISOs and CIOs, who may not have deep knowledge of mainframe environments, typically take mainframe security for granted, if they even bother to think about the topic in the first place.

Executives at the very top of the food chain – CEOs, boards of directors, legal counsels – are generally concerned about the risks of corporate data breaches. However, they have no idea that their most important IT systems are very likely not receiving the degree of security attention that would protect them from those attacks.

An even bigger risk is what I call the “Conspiracy of Silence,” a phenomenon in which the industry’s top vendors and leaders fail to publicly disclose vulnerabilities, creating a culture that suppresses talk of mainframe vulnerabilities and where there’s no independent research to shed more light on the risks. I wrote about the Conspiracy of Silence in a recent article for HelpNetSecurity.

Fortunately, we’re starting to see a shift in attitudes, with more mainframe experts speaking out about the very real risks to mainframe security. One of these experts is Phil Young, a researcher who speaks frequently on the topic and writes about mainframe security on his blog. Phil was kind enough to offer his thoughts for my article. In this piece, I wanted to share more from our conversation.

Why do you believe that vendors generally don’t disclose vulnerabilities?

Vendors don’t want to look bad. They’re still thinking in terms of the late 1990s paradigm where people would mock them for releasing an insecure product. But customers today understand that there are security vulnerabilities in everything – they simply expect vendors to own the issues and fix them. That’s the expectation now. But some vendors, especially smaller vendors, may take it as a personal slight that you have found a security vulnerability and you’re calling their product bad. The reality is, you’re just asking them to fix it.

Have you also observed this “Conspiracy of Silence” concept?

Absolutely. The big vendors perpetuate it because everyone else follows their lead. They drive the discussion. If they say, “We’re not going to tell people about this,” then no one else will.

How do you research mainframe vulnerabilities, and what difficulties do you encounter?

My data source is the Common Vulnerabilities and Exposures (CVE) database, which is a public database for tracking cybersecurity vulnerabilities. If I find a vulnerability in a product, I write it up, prove that it works and create a CVE entry. The entry would tell you that the system is vulnerable to a certain type of attack, and let you know if a fix has been released for it.

What I hear discussed is that people have found and reported vulnerabilities, and vendors are either unwilling to fix them or they’ll very quietly address them. They’ll make a fix but not share any details about what the issue was. Or if you can’t do the update, they don’t provide a workaround.

Is there any way we can change this culture? Do we need an industry watchdog of sorts, like an independent group that would address mainframe integrity or security vulnerabilities?

An industry watchdog is a great idea. We also need a statement from big vendors in the space saying that they won’t punish security researchers for discovering security issues or for talking publicly about them. If I find a vulnerability in a vendor product and tell them about it, then try to discuss the problem publicly with other experts, I encounter a lot of hesitance from experts who are worried about backlash against them from the vendor. Changing that would be a huge step forward in this space.