There are easy problems and hard problems in cybersecurity, and they call for different solutions.
The easy problem is hackers who operate in democratic or quasi-democratic countries, and the solution is simple: put them in jail. Social and ideological hacking by individuals and disruptive groups can be stopped because these people are just troublemakers who are socially irresponsible. Whether these hackers steal data from the government, the military, banks or private companies, they can be, and should be, prosecuted, and judges should throw the book at them. When a dozen or more of these characters are in the slammer doing hard time, their ranks will thin.
The hard problem is government-sponsored intrusions into computer systems and wireless networks. From what we know, most governments try not to carry out the intrusions with government facilities and government employees; they use seemingly "outside" groups that they pay to do the dirty work.
The operative phrase is "plausible deniability." As the McAfee assessment shows, the targets selected by the hackers reveal the character and origin of the attacker. The plausibility has faded, and only countries such as the U.S. still refuse to say openly who is carrying out the attacks. If you own billions, if not trillions, of U.S. Treasury bonds, you get special treatment as a customer. So the United States never says it is China that is stealing our technology or undermining our security. The result, as I have said elsewhere, is that the United States has two defense budgets: one for us and one for them, because they are using our R&D money, our design information, our IP (intellectual property) and our manufacturing know-how, and of course they get all of it free of charge. Take a look at their new stealth fighter if you want to see what is going on.
This is a hard problem.
There are many things we can do, some defensive and others offensive. It takes a plan and discipline, but it is far from impossible.
Here are a few suggestions:
1. Do not put sensitive information online. It is inconvenient, but it is necessary to keep our intellectual property secure. "Online" here means any machine reachable from the internet, whether directly or through the corporate network.
2. Do not put sensitive information on computers that can be reached by wireless means, or that have USB, FireWire or other input ports enabled. (Our government should disable these features on machines used in sensitive agencies, and defense companies should do the same.) Use encrypted CDs to move information in and out, and store the discs in safes, as we used to do with secure documents. The media channel itself needs discipline: every disc that crosses the gap must be scanned and logged, because removable media is also how malware walks into an isolated network.
3. Put bad, corrupted, wrong information on the online computers, so that what is stolen is misleading, full of errors, and backfires on the thieves. Tag each decoy with a unique marker, so that a later sighting of it (in an adversary's product, a procurement request or an outbound web request) identifies exactly which planted copy was taken. Lacing the decoys with malware, by contrast, is a criminal offense in most jurisdictions and would not produce the "insurmountable" problems one might hope for: the thief opens the file on a throwaway machine, not on the systems that matter to him.
4. Banking and critical-infrastructure systems should, to the extent possible, separate their "inputs" from their "outputs": only the information you want to transfer can leave, and nothing comes back into the system from outside except through a separate, authorized channel (in effect a one-way gateway, or data diode). That separate channel then becomes the whole attack surface, so it must be authenticated and logged. This makes it very hard to use cyber attacks to disable key parts of the infrastructure such as communications, power and energy, transportation, water supply, first responders, and so on.
5. Steal the adversary's information every time an intrusion is recorded and attributed with confidence; a misattributed counterattack is an attack on a bystander. Make absolutely sure the adversary knows the policy is tit for tat. Never fail to counterattack, and make the counterattacks as public as possible. It is unacceptable just to be a victim. Adversaries understand the language of reciprocity.
6. Don't bother attacking, counterattacking or even wasting time on an obscure hacker from a lost hamlet in the middle of Freedonia. That is not the problem; the hacker is a paid employee of a government. Counterattack the government.
7. For important material, use real encryption. The weakness usually laid at the door of public-key encryption is not in the mathematics but in the trust around it: a key exchange that is not authenticated can be intercepted by a man in the middle, and the certificate authorities we rely on to vouch for public keys have themselves been compromised and used to exploit government and industry computers. For the most sensitive data, use strong symmetric encryption with keys distributed by hand, not over the internet; that removes the dependence on certificate authorities, at the cost of having to manage and rotate keys physically. Strong keys matter because our adversaries now have supercomputers. We sold China supercomputers; a supercomputer does not make a properly implemented 256-bit cipher breakable, but it does finish off short keys, legacy algorithms and sloppy implementations, and much of what we depend on is still protected by those. Keep in mind that one of the modern scandals is how little of our vital national information is encrypted at all.
8. Punish governments that engage in cyber hacking by holding up technology licenses and making it really hard for hacking-prone governments to develop their legitimate business with the United States. Export controls can be a real benefit; it is just that we don't use them properly, and everyone complains about them (mostly defense companies, which export nearly $40 billion annually). If China cannot grow its industry because everything is tied up in export-control red tape, China's leaders will think seriously about the wisdom of hacking America's computer systems. They can do a cost-benefit analysis if we give them trade-offs they must consider.
9. Complain, complain, complain. We should make it clear that we are angry. We should stop inviting Chinese scientists, engineers and businessmen to conferences, and absolutely exclude them from any convention or meeting that has government participation or sponsorship. They will get the message.
10. Stop government-to-government scientific exchanges on any technology until the hacking stops. No more nice shopping trips to America for state-sponsored scientists.
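Item 3 above recommends seeding decoy data. Rather than booby-trapping the decoys with malware, a decoy can be made to report its own theft: give every planted copy a unique, unguessable marker and watch outbound proxy, DNS or web-server logs for it, so a hit tells you which copy was taken. The following is an added example, not code from the original post, of that honeytoken technique in Go; the placement labels, the bill-of-materials template and the log lines are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Decoy is a fake document seeded with a unique marker. One marker per
// placement, so a later sighting of that marker says which planted copy was
// taken, not merely that "something" leaked.
type Decoy struct {
	Placement string // label for where the copy was planted (hypothetical naming)
	Marker    string // unpredictable hex token embedded in the body
	Body      string
}

// NewMarker draws 16 random bytes from crypto/rand so an adversary cannot
// guess a marker and trip a false alarm deliberately.
func NewMarker() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// PlantDecoyWithMarker fills the {{MARKER}} placeholder of a template for one
// placement. The placeholder should sit where it survives copy and paste,
// for example disguised as a part number or an internal URL.
func PlantDecoyWithMarker(placement, template, marker string) Decoy {
	return Decoy{
		Placement: placement,
		Marker:    marker,
		Body:      strings.ReplaceAll(template, "{{MARKER}}", marker),
	}
}

// PlantDecoy is PlantDecoyWithMarker with a fresh random marker.
func PlantDecoy(placement, template string) (Decoy, error) {
	m, err := NewMarker()
	if err != nil {
		return Decoy{}, err
	}
	return PlantDecoyWithMarker(placement, template, m), nil
}

// BuildIndex maps marker -> placement for lookup while scanning.
func BuildIndex(decoys []Decoy) map[string]string {
	idx := make(map[string]string, len(decoys))
	for _, d := range decoys {
		idx[d.Marker] = d.Placement
	}
	return idx
}

// ScanLogs checks each log line for any known marker and returns, per
// placement, the lines in which its marker appeared. An empty map means no
// decoy has surfaced.
func ScanLogs(index map[string]string, lines []string) map[string][]string {
	hits := make(map[string][]string)
	for _, line := range lines {
		for marker, placement := range index {
			if strings.Contains(line, marker) {
				hits[placement] = append(hits[placement], line)
			}
		}
	}
	return hits
}

func main() {
	// Constructed template: a fake bill of materials with the marker posing
	// as a part number.
	tmpl := "PROJECT BOM\nactuator, part no. ACT-{{MARKER}}, qty 12\n"

	shareA, err := PlantDecoy("fileshare-engineering", tmpl)
	if err != nil {
		panic(err)
	}
	laptopB, err := PlantDecoy("laptop-vendor-liaison", tmpl)
	if err != nil {
		panic(err)
	}
	index := BuildIndex([]Decoy{shareA, laptopB})

	// Constructed log lines: one outbound request carries the laptop decoy's
	// marker in its query string; the other is noise.
	logs := []string{
		"10:14:22 GET /catalog/search?q=ACT-" + laptopB.Marker + " 200",
		"10:15:01 GET /index.html 200",
	}
	for placement, lines := range ScanLogs(index, logs) {
		fmt.Printf("decoy planted at %q surfaced in %d log line(s)\n", placement, len(lines))
	}
}
```

The marker-to-placement index is the sensitive piece: keep it off the online machines, or the thief learns which of his files are decoys.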
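Item 7 above calls for strong symmetric encryption with keys distributed by hand. The following is an added example, not code from the original post, of what that looks like in practice: AES-256-GCM, an authenticated cipher, keyed with a 256-bit pre-shared key, so that any tampering with the ciphertext is detected and no certificate authority sits in the trust chain. The key value, file label and plaintext are constructed for illustration; a real key is generated on an offline machine and hand-carried to both ends.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyFromHex parses a 256-bit pre-shared key that was delivered out of band
// (printed and carried, or on a disc in a safe). Anything but 32 bytes is
// rejected: a short key is the one thing a bigger computer really does help
// an attacker with.
func KeyFromHex(h string) ([]byte, error) {
	k, err := hex.DecodeString(h)
	if err != nil {
		return nil, err
	}
	if len(k) != 32 {
		return nil, errors.New("pre-shared key must be exactly 32 bytes")
	}
	return k, nil
}

// KeyID is a short fingerprint safe to write on the envelope or in the key
// log, so both sides can confirm they hold the same key without revealing it.
func KeyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:4])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM under the
// pre-shared key. A fresh random 96-bit nonce is prepended to the output.
// GCM is only safe if a (key, nonce) pair is never reused, so the nonce comes
// from crypto/rand and the key must be rotated long before 2^32 messages.
// label is authenticated but not encrypted (a file name or recipient, say).
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal and fails closed: any altered byte of nonce, ciphertext
// or tag, or a label that does not match, yields an error, never garbage.
func Open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], label)
}

func main() {
	// Constructed key for illustration only. Never send the key over the
	// network it protects.
	key, err := KeyFromHex("5f6e3b2a9c1d4e7f8a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5")
	if err != nil {
		panic(err)
	}
	fmt.Println("key id:", KeyID(key))

	label := []byte("design-review-2.pdf")
	sealed, err := Seal(key, []byte("wing loading figures for the new airframe"), label)
	if err != nil {
		panic(err)
	}
	if pt, err := Open(key, sealed, label); err == nil {
		fmt.Println("decrypted:", string(pt))
	}

	// One flipped ciphertext bit is detected rather than silently decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, label); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The cost of this design is logistics, not mathematics: every pair of correspondents needs its own key, keys must be rotated and destroyed on a schedule, and the key log (with KeyID values, never key material) becomes a document that itself belongs in the safe.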
These are just a few ways we can deal with the “hard” cyber security problem. If you can think of more, add them to the list.
Our government needs to wake up and get its act together. All the running in circles, claiming to be doing something about cyber attacks, is unproductive because there is no political leadership and a massive lack of courage.