by Stephen Bryen
The Maginot Line approach to Cyber Security is a self-fulfilling prophecy of disaster.
Today there is a huge cyber security industry organized to try to stop cyber intrusions, information theft, and crippling attacks on critical infrastructure, including our defense systems. The American government has spent hundreds of billions of dollars since the 1980s trying to build defenses against cyber attacks. But despite the effort, and the tens of thousands of experts who have worked hard to protect information systems, there is a record of failure for all to see. If anything, Americans are less secure today than they were last year, and were less secure last year than ten years ago. When it comes to protecting cyber systems, we are in an accelerating failure mode. Why?
Here are the reasons why cyber security fails:
1. Today’s systems are hugely complex and change rapidly. Such complexity means that even with the best of intentions it is extremely difficult to cover all, or even most, of the potential vulnerabilities in operating systems, software, communications and networks. Virtually every modern system has been hacked successfully and repeatedly.
2. Modern hardware and software evolve, and as new features, capabilities and functions are added, the old ones are generally dragged along and remain built into the newest products. Thus old weaknesses persist and keep lurking even as new vulnerabilities are added to the risk equation.
3. Most software and firmware contains a certain amount of community-developed open source code. This has led to some notable disasters, such as the Heartbleed bug in the widely used OpenSSL library: an ordinary coding error in its TLS heartbeat handling that sat in code anyone could read for roughly two years before it was found. Community-developed code may be very good, and most of it is free, which attracts companies to use it. Often it also forms the de facto standard for functions such as communications and security, making it hard to avoid because of the need for compatibility across different platforms, including different vintages of applications. There is no formal policing system for community-developed code. While the people involved are often well meaning, their operations are an easy target for a professional intelligence organization to penetrate.
4. Most operating systems and computer software, even custom built, are commercial or contain commercial elements. While all large software design teams take security into account, it is never their first priority because it is not their customer’s priority. The customer wants the solution and, in many cases, wants to spend as little as possible. The customer also wants ease of use and minimal restrictions placed on any application, network or operating system. Plug and Play today has a much broader meaning than originally intended: it is the ability to load and use a program with a minimal learning curve and maximum payback in terms of functionality. It is not surprising, therefore, that software companies are constantly issuing patches and updates to fix a long list of vulnerabilities in code they have already sold. Those patches often arrive only after the vulnerability has already been exploited by the bad guys. Worse yet, not everyone applies the patches in a timely manner, or even at all.
5. Most software companies are globalized. This means that maintaining anything resembling internal security is extremely difficult. Only the biggest players can afford to put in place security mechanisms and background checks to try to prevent a hostile organization from penetrating their development centers. Below that level, personnel security, compartmentalization and other techniques (such as protecting operating code by encrypting core elements) are rarely implemented. Thus hostile organizations, foreign intelligence services, and even rogue hackers find it very easy to penetrate development centers.
6. The US government, among others, has asked firms specializing in software, web-based applications, mobile systems and encryption to create so-called back doors and other weaknesses that are supposedly known only to the US government and the company. Unfortunately there are people such as Edward Snowden who expose these government efforts from time to time. Even without a Snowden, it is reasonable to assume that well-financed foreign intelligence services will figure out where these back doors and gaps exist, meaning that they can join outfits like the NSA in exploiting them.
7. Nation states are investing billions to harvest information from IT systems and use it to improve their own defense systems, to find ways to weaken their adversaries, or simply to get rich. Banks have been ripped off to the tune of billions, and mostly don’t report it. Patents and trademarks, legal filings and confidential documents have all been stolen and used either to generate cash, to duplicate the victims’ work, or to create secret funds for nefarious purposes. There is a huge criminal enterprise underneath government-run programs in different parts of the world, creating a new class of cyber-rich government officials and hackers in a perfect storm of criminal activity, profiteering, and the use of stolen information to intimidate or destroy rivals or competitors. It is virtually impossible to stop well-financed cyber hacking because it is persistent, deniable and carries no consequences for the perpetrator. Almost no one goes to jail for cyber exploits except a few braggarts who get caught, and then the government that arrests them makes deals so it can benefit from their know-how.
8. The response to most intrusions and hacking is passive defense. Wars are never won with passive defense. The Maginot Line approach to cyber security is a self-fulfilling prophecy of disaster. All the adversary has to do is keep trying: the costs are small, the risks are few and mostly non-existent, and the rewards are great. While the Pentagon has put together what it calls Plan X to go after hackers, there is no evidence that we are actually doing so, the rules of engagement are secret (and it is not even certain that rules exist), and the idea itself is flawed because it rests on the notion that you can successfully counter-attack the source of a cyber attack. Unfortunately the real source of the attack is the foreign government or organized crime network, not the individual hacker or even the hacker organization. Those can be replaced, reconfigured and relaunched, and they can do their damage from their home country or elsewhere almost as easily. Trying to smash them is a futile game with few tangible rewards. An attacking organization that can reconstitute itself on demand is not the right target. The target must be the real source, namely the sponsors, and the sponsors can be reached in only one way: by causing damage to them.
This means that if, for example, a cyber organization in China steals F-35 fighter jet information from Lockheed, the answer is not to hit back at the cyber organization. The answer is to attack China’s aerospace industry and disrupt it severely. Maybe this can be done through a cyber mechanism, but the mechanism is less important than the deed. Swift retribution is the only way to let the adversary know that he will pay each and every time he causes harm. Indeed it is utterly galling, and a mark of failure, that China is showing off its stealth jet, the Chengdu J-20, which is clearly a rip-off of the F-35, while we sit on our hands. World leaders and politicians, as well as military people, understand immediately what this means: either China has bested America by stealing her secrets, or there is a conspiracy between the US and China, since it is otherwise unbelievable that the US would permit China to steal our technology. But there it is, staring us in the face, eroding our national security and our prestige. How much prestige can the US surrender before it is regarded as the global chump instead of the global peacekeeper?
These are the reasons cyber security fails. It cannot work as it is done today. No amount of political blarney can keep covering up the escalating failure and the harm it is causing: damage to our security, erosion of our global markets, and grave risk to our businesses, government, infrastructure and personal privacy. We have to shed the Maginot Line mentality and change the game if we want to win the war.