The Willie Suttons of the Cyberage
Can we stop bad guys from getting into U.S. networks?
Criminal mastermind Willie Sutton famously quipped that he robbed banks because "that’s where the money is." Modern-day cyber-Suttons follow the same basic logic; the problem is that the "money" is everywhere. The Internet that we rely on to casually IM, order books, and video-chat is the same one that synchronizes power generation, enables collaborative design of fighter jets, and transmits electronic medical records. And while consumer banks have evolved to limit their exposure to gun-wielding bandits, there are billions of highly valuable and highly vulnerable nodes on the Internet that are not yet adapted to the new cyber-realities.
In the real world, federal authorities are massively outnumbered by professional hackers — both freelance and state-sponsored — who have the time and skill to penetrate our electronic perimeter. Meanwhile, the high-speed optical lines that carry data under seas and across continents allow adversaries to virtually stand on — or in — their targets long enough to find digital cracks and exploit them. In a cat-and-mouse game like this, patience is richly rewarded, and America’s enemies can easily afford to wait.
Cybercriminals also enjoy three other advantages. First, they operate outside the jurisdiction of U.S. courts, making it virtually impossible for federal authorities to prosecute aggressors. Even if they can sometimes pinpoint the source of cyberattacks amidst the storm of digital data, there are few legal options available. As a result, America’s best hope for protection is from the inside out, not the outside in: ferociously guard data and be more operationally tolerant of intruders in our midst. Indeed, we should assume that they are there already.
Second, the tools hackers use to find holes in U.S. networks are now automated. The days of pocket-protected nerds breaking into high security networks for kicks or glory are over. Today, highly trained professionals, sometimes employed by nation-states, work nine-to-five jobs to infiltrate networks — both governmental and corporate — and exfiltrate plans, intellectual property, and data. The United States needs a coherent program that attracts the best minds to guard the country’s digital secrets; America’s adversaries do a much better job of recruiting and training their human resources than the United States does at the moment.
Third, cyberattacks can be many orders of magnitude more profitable than robbing a bank. Launching them is essentially free, and the rewards in terms of cash and disruption can be astronomical. Just three months ago, a man working alone with a laptop and ordinary network access nearly brought down the global Internet with a so-called "distributed denial of service" attack on the web filtering service Spamhaus. Meanwhile, the average "zero day" attack — a breach that occurs from a previously unknown vulnerability — is embedded for 300 days prior to detection, according to a recent research report by the network security company Symantec. Latent infections and undetected holes can result in sensational escapades like the diversion in the year 2000 of 800,000 liters of raw sewage into a public park in Australia, and wickedly clever intrusions that siphon off credit card numbers from banks and clearinghouses, as has happened on numerous occasions.
According to Dan Geer of In-Q-Tel, a non-profit that invests on behalf of the intelligence community, the basic problem is that "detection alone is insufficient unless you have total surveillance of your network, which in reality no one does." That’s correct, but we could have "total surveillance" of the software that runs at the network’s endpoints. But better visibility would require a policy change, because both the public and private sectors are widely dependent on closed, proprietary, monolithic software systems that make true endpoint surveillance impossible. The federal government is especially stuck in this strategic trap, in part because the incumbent merchants and system integrators play off the fears of procurement officers about the make-believe risks and inflated transition costs of modernizing their enterprise systems.
But such fears are unfounded. Many federal systems — and practically all new ones — could easily migrate to open source and standards-based software that is license free and costs about the same to configure, install, and operate. In addition to the cost advantages and performance benefits associated with open source software, it is also measurably — even if counterintuitively — more secure. Entrenched bureaucracies and heavily lobbied staffers are often confused about open source or open standard solutions, hindering progress toward their adoption and implementation. But it’s not just a question of money anymore; the United States is compromised by customized and proprietary electronic infrastructure for the simple reason that closed solutions are closed to inspection. Open solutions, in contrast, attract constructive critiques and faster fixes.
The United States also needs to devote more resources to protecting assets that are irreplaceable if breached and irretrievable if stolen: data and personal identity. Inside-out approaches to cybersecurity — driven simultaneously by advances in cloud computing and strict European privacy regulations — are emerging with advances that enable service delivery without exposing data, even to the service provider. The government should accelerate this approach by re-allocating investments into technical solutions that "harden" the data core, making it much less vulnerable to infiltration, exfiltration, and eavesdropping. This, coupled to policy-driven mandates for openly architected, standards-based systems that are more resistant to breach and less expensive to maintain would transform America’s cybersecurity posture from defensive and reactive to stable and confident.
Cyberthreats are real and growing. While we can’t stop the bad guys from getting into U.S. networks, we can prevent them from being able to steal, corrupt, or destroy what matters most. The U.S. government — and its partners around the world — can and should incentivize nascent efforts to better protect data and personal identity from the inside out. Until it does, the litany of recent sensational cyberattacks — from the infiltration of the New York Times‘ networks, to the breach of renowned security company RSA, to a growing list of compromised federal websites — will grow more serious, and U.S. national security more vulnerable.