The Cyber Security Delusion
By Stephen Bryen and Rachel Ehrenfeld
Wednesday, August 10th, 2016 @ 10:12AM
Left: The Maginot Line along the French border with Germany (built 1929-1938; named after André Maginot, French Minister of War in the 1920s and early 1930s).
Twenty-five years of fast-evolving cyber communication have made us more efficient. But as Houston T. Hawkins, a Senior Scientist at Los Alamos National Laboratory, points out, “The greater the efficiency, the greater the vulnerability.” Indeed, cyber vulnerability is turning our world into a tinderbox. Every day, everywhere, attacks carried out over the Internet put our lives, finances, communications and security in grave danger. Twenty-five years of expanding Internet use have generated a thriving cybersecurity industry, which despite its efforts has not succeeded in protecting vital assets. Moreover, neither government nor industry has followed best practices.
The huge cyber security industry today is organized to stop cyber intrusions, information theft, and crippling attacks on critical infrastructure, including our defense systems. The United States government has spent hundreds of billions since the 1980s (before the public Internet) trying to build defenses against cyber attacks. But what that spending, and the hard work of tens of thousands of experts trying to protect our information systems, has to show for itself is a staggering record of failure. If anything, Americans are less secure today than last year, and were less secure last year than the year before. When it comes to protecting cyber systems, we are in an exponential failure mode. Why?
Here are a few reasons why cyber security fails:
1. Today’s systems are hugely complex and change rapidly. Such complexity means that even with the best of intentions it is extremely difficult to cover all, or even most, of the potential vulnerabilities in operating systems, software, communications, and networks. Virtually every modern system has been hacked successfully and repeatedly.
2. Hardware and software evolve, and as new features, capabilities and functions are added, the old ones are dragged along and remain built into the newest products. Thus old weaknesses persist, lurking beneath the surface, even as new vulnerabilities are added to the risk equation.
3. Most software and firmware contains a certain amount of community-developed open source code. This has led to some notable disasters, such as the Heartbleed bug of 2014: a missing bounds check in OpenSSL’s TLS heartbeat handler, which sat unnoticed in the code for roughly two years, let anyone on the Internet read chunks of a server’s memory, private keys included, from a large share of the world’s secure web servers. Community-developed code may be very good, and most of it is free, which attracts companies to use it. Often it also forms the de facto standard for functions such as communications and security, making it hard to avoid because of the need for compatibility across platforms and applications. There is no formal policing of community-developed code. While the people involved are usually well-meaning, their operations are an easy target for a professional intelligence organization to penetrate.
4. Most operating systems and computer software, even custom-built, are commercial or contain commercial elements. Large software design teams all take security into account, but it is seldom their priority because it is not their customers’ priority. The customer wants the solution and, in many cases, wants to spend as little as possible on it. The customer also wants ease of use and minimal restrictions on any application, network or operating system. “Plug and Play” today has a much broader meaning than originally intended: the ability to load and use a program with a minimal learning curve and maximum payback in functionality. It is not surprising, therefore, that software companies are constantly issuing patches and updates to fix long lists of vulnerabilities in code they have already sold, vulnerabilities and security errors they discovered belatedly. Patches and updates often arrive only after the vulnerability has already been exploited by the bad guys. Worse yet, not everyone applies them promptly; some neglect to update their systems at all, or lose track of what they have fixed and what they have not.
5. Most software companies are globalized, which makes maintaining anything resembling internal security extremely difficult. Only the biggest players can afford the security mechanisms and background checks that help prevent a hostile organization from penetrating their development centers. Below that level, personnel security, compartmentalization and other techniques (such as tightly controlling access to core source code, or encrypting sensitive parts of it) are rarely implemented. Thus hostile organizations, foreign intelligence services, and even rogue hackers find it easy to penetrate development centers.
6. The US government, among others, has asked firms specializing in software, web-based applications, mobile systems and encryption to create so-called back doors and other weaknesses that are supposedly known only to the US government and the originating company. Unfortunately, there are people such as Edward Snowden who expose these government efforts from time to time. Even without a Snowden (the balance of opinion is that he is not dead!), it is reasonable to assume that well-financed foreign intelligence services will figure out where these back doors and gaps exist, meaning that they can join outfits like the NSA in exploiting them. A deliberate weakness does not stay in the hands of whoever put it there: in December 2015 Juniper Networks disclosed that unauthorized code in its ScreenOS firewalls had altered the constants of the Dual_EC random-number generator, giving whoever made the change the ability to decrypt VPN traffic passing through those devices.
7. Nation states are investing billions to harvest information from IT systems and use it to improve their own defense systems, to find ways to weaken their adversaries, or simply to get rich. Banks have been robbed of billions and mostly do not report it. Patents and trademarks, legal filings and confidential documents have all been stolen and used to generate cash, to duplicate the victims’ products or know-how, or to build secret funds for nefarious purposes. Vast criminal enterprises have grown up beneath government-run programs in different parts of the world, where intelligence services and hackers are joined at the hip. They are creating a new class of “cyber-rich” government officials and hackers in a perfect storm of criminal activity, profiteering, and the use of stolen information to intimidate or destroy rivals and competitors. It is virtually impossible to stop well-financed hacking because it is persistent, deniable, and carries no consequences for the perpetrator. Almost no one goes to jail for cyber exploits except a few braggarts who get caught, and then the government that arrests them cuts deals to benefit from their know-how, signaling to every other freelance hacker that getting caught is just another route to profit.
8. Wars are never won with a Maginot Line defense. Treating cyber security as defense alone is an invitation to disaster: all the adversary has to do is keep trying. The costs are small, the risks are few and mostly non-existent, and the rewards are great. While the Pentagon (through DARPA) has put together what it calls Plan X to take the fight to the attackers, there is no evidence that we are doing so; the rules of engagement are secret (and it is not even certain that rules exist); and the idea itself is flawed because it rests on the notion that you can successfully counter-attack the source of a cyber attack. Most major attacks are the work of a foreign government or an organized crime network working through individual hackers or small groups. These can be replaced, reconfigured and relaunched, and they can do their damage from their home country or anywhere else almost as easily. Trying to smash them would at best yield few tangible rewards. An attack organization that can reconstitute itself on demand is not the right target. The target must be the real source, namely the sponsors, and the sponsors can be reached in only one way: by causing damage to them. This means that if, for example, a cyber organization in China steals F-35 fighter jet information from Lockheed, the answer is not to hit back at the cyber organization. The answer is to attack China’s aerospace industry and disrupt it severely. Perhaps this can be done through a cyber mechanism, but the mechanism is less important than the deed.
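Reason 3 above cites Heartbleed. The following C program is an added illustration, not part of the original article and not OpenSSL’s source: it models the heartbeat handler the way OpenSSL 1.0.1 implemented it, beside the single bounds check that OpenSSL 1.0.1g added, and runs both against a constructed request that claims a 64-byte payload while carrying two bytes. The message layout follows RFC 6520; the “secret” placed after the request is constructed here to stand in for whatever happened to sit in adjacent memory on a real server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message (RFC 6520):
 *   [type:1 byte][payload_length:2 bytes][payload][padding >= 16 bytes]
 * Illustrative reconstruction of the OpenSSL 1.0.1 bug and its fix;
 * this is not OpenSSL's own code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Shared response builder: echoes `payload` bytes of the request payload. */
static size_t build_response(const unsigned char *rec, uint16_t payload,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = HB_HEADER + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;                      /* keeps the output side in bounds */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable handler (CVE-2014-0160): trusts the peer's payload_length and
 * never compares it with the bytes actually received, so the memcpy reads
 * past the end of the record into whatever follows it in memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                     /* ignored: this is the bug */
    if (rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, payload, out, out_cap);
}

/* Fixed handler: the length check added in OpenSSL 1.0.1g. A heartbeat
 * whose claimed payload does not fit in the record is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len)
        return 0;                      /* malformed: discard */
    return build_response(rec, payload, out, out_cap);
}

/* Constructed scenario: a 21-byte request carrying the 2-byte payload "hi"
 * but claiming 64 bytes, laid out in one buffer directly before a secret
 * the server must never send. Returns 1 if the handler's response contains
 * that secret, 0 otherwise. */
int secret_leaks(hb_handler handler)
{
    static const char secret[] = "SESSION_KEY=deadbeef";  /* constructed */
    unsigned char memory[128];
    unsigned char resp[256];
    size_t rec_len = HB_HEADER + 2 + HB_PADDING;            /* 21 bytes */

    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = 0;
    memory[2] = 64;                    /* claims 64 bytes, carries 2 */
    memory[3] = 'h';
    memory[4] = 'i';
    memcpy(memory + rec_len, secret, sizeof secret);  /* "adjacent heap" */

    size_t n = handler(memory, rec_len, resp, sizeof resp);
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* A well-formed 2-byte heartbeat must still be answered after the fix.
 * Returns the response length (21 for a 2-byte payload), or 0 if dropped. */
size_t valid_roundtrip(hb_handler handler)
{
    unsigned char rec[HB_HEADER + 2 + HB_PADDING] = { HB_REQUEST, 0, 2, 'h', 'i' };
    unsigned char resp[64];
    return handler(rec, sizeof rec, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", secret_leaks(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", secret_leaks(heartbeat_fixed));
    printf("fixed handler answers a valid request with %zu bytes\n",
           valid_roundtrip(heartbeat_fixed));
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbleed_demo.c` and run it. The over-read in this model stays inside one buffer so that the demonstration itself is memory-safe; on a real server the copy ran off the end of a heap allocation and the attacker could repeat the request until keys or session data appeared. Note how small the fix is: one comparison of the claimed length against the bytes actually received, the kind of check that is easy to omit and that no amount of perimeter defense will catch.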
Swift retribution is the only way to let the adversary know that he will pay each and every time he causes harm. It is utterly galling, and a mark of failure, that China is showing off its stealth jet, the Chengdu J-20, which is clearly a rip-off of the F-35, while we sit on our hands. World leaders, politicians and military people immediately draw one of two conclusions: either China has bested America by stealing her secrets, or there is some conspiracy between the US and China, since it is unbelievable that the US would permit China to steal its technology without serious protest from America’s leaders, let alone action. But there it is, staring us in the face and eroding our national security and our prestige. How much prestige can the US surrender before it is regarded as the global chump rather than the global peacekeeper?
Cyber security, as practiced today, is about as effective as the Maginot Line was against the Nazi invasion of 1940. It is a smoke screen that fails to hide our vulnerabilities. No amount of political blarney can keep covering up the escalating failure and the harm it is causing to our security, economy, and freedoms. To win, we must replace the Maginot Line mentality with new offensive strategies that would help us win the war and keep us ahead of our competitors and enemies.