Cybersecurity experts will tell you there are two kinds of organizations: those that have been hit by cybercriminals, and those that do not know they have been hit. This is not a joke. Cyberattacks will continue to grow in volume and sophistication. Anyone or anything that is connected to the Internet is vulnerable. When your customers’ data is compromised, you are responsible. If your physical building is compromised or your IT infrastructure is destroyed, your company may be out of business. No masked man on a white horse nor the Seventh Cavalry will come riding over the ridge to save you.
Why can’t the government do something about this? One would expect that the natural reaction of governments to national security, financial and privacy attacks would be to militarize cyberspace and police the Internet with centralized bureaucracies and secret agencies to protect us and themselves.
That won’t work, and we unfortunately have an example of this: the War on Terror. The United States government vowed in 2001 to destroy the responsible terrorist organization, long before it had a clue what the enemy really was. Other powerful nations have joined the fight. Where are we after more than a dozen years? We have proven that the most powerful military force in the world can clear out terrorists from a specific physical area at unreasonable cost in dollars and lives, only to have the terrorists return as soon as the US forces leave. But they cannot stop an attack in Europe, the Middle East, or the US.
The bottom line: governments have demonstrated that they cannot win the War on Terror. They cannot even define “winning.”
If the US, or UN, tried to apply the same logic to the Internet, they would of necessity fail, but as Keren Elazari’s TED talk and Scientific American article demonstrate, just trying could actually make things worse.
One of the problems with the War on Terror is that there is no single entity that controls “the other side.” There is no geographic definition of a “front line.” The terrorist organizations keep morphing, recombining and dividing, with new ones appearing in the news with disturbing frequency.
Wait, that sounds like the Internet. The Internet is not like a public highway, or even international waters or a wilderness area. It is not even a collection of territories that governments could control, or even locate. Most of the physical components of the Internet are owned and operated by hundreds of multinational for-profit companies. The number of components is growing at an incredible rate. Cisco Systems forecasts that by 2020 over 50,000,000,000 devices will be connected to the Internet. Every one of those devices is a target, and many of these are part of industry, military, and utility operations. The more devices that are interconnected, the more ways there are to gain access. For example, in 2011 an employee at RSA’s parent company EMC opened an innocuous-looking Excel file in an email. The resulting malware compromised RSA systems, enabling hackers to steal Lockheed Martin’s security tokens, thus giving access to the defense contractor’s data including highly sensitive product information. The hackers were part of the Chinese government. RSA has been in the encryption business since 1982, and was acquired by EMC Corporation in 2006. Since 1979, EMC has been a global leader in IT and business transformation. Both of these companies take security very seriously, yet still had a serious breach that impacted one of their customers and sensitive national security data.
Which brings up another reason why governments can’t fix the problem: they are conflicted on whether they should. Organizations like the Department of Homeland Security have a real interest in protecting US companies and individuals from cyber attacks. That part of the government recognizes the serious national threat: a successful attack against the electric grid or the financial infrastructure could be more disastrous than Pearl Harbor and the 9/11 attacks combined. No one on the attacking side even needs to be in the US.
However, other components of the US government, like the National Security Administration and certain other defense organizations, have a vested interest in using the Internet as a weapon, and invest millions of dollars in finding, managing, and perhaps creating flaws that they could use. Remember Stuxnet, a deliberate and successful physical attack against Iran’s nuclear weapon program done entirely with malware? That was a government attack, probably with US assistance if not direction. Governments, including the US government, participate in the worldwide hacker market, buying and selling information about security flaws. Edward Snowden believes the NSA spends more money on offensive cyber research than on defensive cyber research.
To further complicate the problem, new vulnerabilities are introduced every day. Intense market pressures push technology companies to produce new products and new features at an increasing rate. As these products become more intertwined and interdependent, the probability of introducing flaws increases. “Time to market” pressures reduce the testing that companies feel they can afford to do. As one company executive told me, “that’s what beta testers are for.”
Cybersecurity is like public health. The Centers for Disease Control and Prevention have a very important role to play, but they cannot stop the spread of disease by themselves.
Who can help? According to Ms. Elazari, hackers can help and have been helping. Back in 1995, Netscape Communications created a bug bounty program. It paid independent researchers to report security vulnerabilities. If you are trying to remember why “Netscape” sounds familiar, it was the name of the web browser introduced in 1994 that was giving Microsoft’s Internet Explorer a real run for market share.
Largely spurred by significant leaks like those of Edward Snowden, the technology industry and the hacking community are actively working together. Hundreds of companies now have similar bug bounty programs, and are finding it to be a cost-effective way to reduce security vulnerabilities. In addition, private and public communities of security professionals now share information about malware, threats and vulnerabilities. The goal is to create a distributed immune system for the Internet.
What should you do?
- Expect things to get worse over the next few years, with more targeted attacks, more breaches, and attacks that do physical damage initiated by other governments or terrorist groups.
- Demand that companies make the software and hardware products your company depends on more secure. Yes, hardware products, too. There is more processing power in the average new car than in a multi-million dollar computer 20 years ago. As recently demonstrated, most if not all of these systems are vulnerable to cyber attack with the possibility of injury or death to the vehicle occupants and others nearby. I suspect a cyberterrorist attack that took over 100 cars scattered on LA freeways in rush hour would be interesting.
- Demand that the penalties for failing to report a data breach involving personal or proprietary data be increased substantially, with jail time for executives who fail to consistently use best practices to secure that data.
- Protect yourself and your company. Wash your hands and get vaccinated. If you don’t take care of yourself, you cannot expect anyone else to be able to help.
The last word:
My wife and I met Jim Murray and his wife on a dance floor in Valparaiso, Chile, in 2008. Since then we have managed to get together on a dance floor somewhere about once a year. Jim Murray writes a blog about the intersection of murder and medicine, which I have referenced before. He has just published Lethal Medicine, a thrilling tale of international intrigue, murder and deceit. The hero, Jon Masters, is a well-established pharmacist in San Antonio with a growing statewide company that provides medicinal injection services for people in their homes as they recover from illness or injury, or are under hospice care. When he discovers that the investigational drug study he is managing is a cleverly disguised scam, he finds himself in trouble with both local and federal authorities. One step ahead of the law, he races to Mexico and China to uncover the international conspiracy that threatens to destroy his business, his reputation, and his life.
Early on, Jim told us a scary story about one rainy night when he worked as the midnight shift pharmacist in a mid-city pharmacy. That story is now a short story “Cuffed” which is available in a collection of short stories Unforeseeable Consequences. The collection includes another story by Jim and a story Jim edited from each of five other authors.
I recommend both books, and they are available in Kindle editions on Amazon at the links with each book title above.
Keep your sense of humor.