Why Cyber Security Fails

by Stephen Bryen

 

The Maginot Line approach to Cyber Security is a self-fulfilling prophecy of disaster.

Today there is a huge cyber security industry organized to stop cyber intrusions, information theft, and crippling attacks on critical infrastructure, including our defense systems. The American government has spent hundreds of billions since the 1980s trying to build defenses against cyber attacks. But despite that effort, and the tens of thousands of experts who have worked hard to protect information systems, there is a record of failure for all to see. If anything, Americans are less secure today than they were last year, and less secure last year than ten years ago. When it comes to protecting cyber systems, we are in an exponential failure mode. Why?

Here are the reasons why cyber security fails:

1. Today’s systems are hugely complex and rapidly changing and adapting.  Such complexity means that even with the best of intentions it is extremely difficult to cover all, or even most, of the potential vulnerabilities in operating systems, software, communications and networks. Virtually every modern system has been hacked successfully and repeatedly.

2. Modern hardware and software evolves and as new features, capabilities and functions are added, the old features, capabilities and functions generally are dragged along and remain built into the newest products.  Thus old weaknesses persist and remain lurking even while new vulnerabilities are added to the risk equation.

3. Most software and firmware contains a certain amount of community-developed open source code. This has led to some notable disasters, such as the 2014 Heartbleed bug in OpenSSL, a community-maintained library that handled TLS for a large share of the Internet's servers. Community-developed code may be very good, and most of it is free, which attracts companies to use it. Often it also forms the de facto standard for functions such as communications and security, making it hard to avoid because of the need for compatibility across different platforms, including different vintages of applications. There is no formal policing system for community-developed code. While the people involved are often well meaning, their operations are an easy target for a professional intelligence organization to penetrate.

4. Most operating systems and computer software, even custom built, are commercial or contain commercial elements. While all large software design teams take security into account, it is never their first priority, because it is not their customer's priority. The customer wants the solution and, in many cases, wants to spend as little as possible on it. The customer also wants ease of use and minimal restrictions on any application, network or operating system. "Plug and play" today has a much broader meaning than originally intended: the ability to load and use a program with a minimal learning curve and maximum payback in functionality. It is not surprising, therefore, that software companies are constantly issuing patches and updates to fix a long list of vulnerabilities in code they have already sold. Those patches usually come well after the vulnerability has been exploited by the bad guys. Worse yet, not everyone applies them in a timely manner, or at all, so the vulnerable version keeps running long after the fix exists.

5. Most software companies are globalized.  This means that maintaining anything resembling internal security is extremely difficult.  Only the biggest players can afford to put in place security mechanisms and background checks to try and prevent a hostile organization from penetrating their development centers.  Once you drop below the level of the big guys, personnel security, compartmentalization and other techniques (such as protecting operating code by encrypting core elements) are rarely implemented.  Thus hostile organizations, foreign intelligence services, even rogue hackers find it very easy to penetrate development centers.

6. The US government among others has requested firms specializing in software, web based applications, mobile systems and encryption to create so-called back doors and other weaknesses that are supposedly only known to the US government and the company. Unfortunately there are people such as Edward Snowden who expose these government efforts from time to time.  Even without a Snowden, it is reasonable to assume that well financed foreign intelligence services will figure out where these back doors and gaps exist, meaning that they can join outfits like the NSA in exploiting them.

7. Nation states are investing billions to harvest information from IT systems and use it to improve their own defense systems, to weaken their adversaries, or simply to get rich. Banks have been ripped off to the tune of billions, and mostly don't report it. Patents and trademarks, legal processes and confidential documents have all been stolen and used to generate cash, to duplicate the victims' work, or to create secret funds for nefarious purposes. There is a huge criminal enterprise underneath government-run programs in different parts of the world, creating a new class of cyber-rich government officials and hackers in a perfect storm of criminal activity, profiteering, and the use of information to intimidate or destroy rivals or competitors. It is virtually impossible to stop well-financed cyber hacking because it is persistent, deniable and carries no consequences for the perpetrator. Almost no one goes to jail for cyber exploits except a few braggarts who get caught, and then the government that arrests them makes deals so it can benefit from their know-how.

8. The response to most intrusions and hacking is passive defense. Wars can never be won with passive defense. The Maginot Line approach to cyber security is a self-fulfilling prophecy of disaster. All the adversary has to do is keep trying. The costs are small, the risks are few and mostly non-existent, and the rewards are great. While the Pentagon has put together what it calls Plan X to go after hackers, there is no evidence that we are doing so, the rules of engagement are secret (and it is not certain that rules exist), and the idea itself is flawed because it rests on the notion that you can successfully counter-attack the source of a cyber attack. Unfortunately the real source is the foreign government or organized crime network, not the individual hacker or even the hacker organization. Those can be replaced, reconfigured and relaunched, and they can do their damage from their home country or elsewhere almost as easily. Trying to smash them is a futile game with few tangible rewards. An attacking organization that can reconstitute itself on demand is not the right target. The target must be the real source, namely the sponsors, and the sponsors can be reached in only one way: by causing damage to them. This means that if, for example, a cyber organization in China steals F-35 fighter jet information from Lockheed, the answer is not to hit back at the cyber organization. The answer is to attack China's aerospace industry and disrupt it severely. Maybe this can be done through a cyber mechanism, but the mechanism is less important than the deed. Swift retribution is the only way to let the adversary know that he will pay each and every time he causes harm. Indeed it is utterly galling, and a mark of failure, that China is showing off its stealth jet, the Chengdu J-20, which is clearly a rip-off of the F-35, while we sit on our hands. World leaders and politicians, as well as military people, understand this immediately. Either China has bested America by stealing her secrets, or they suspect a conspiracy between the US and China, since it is unbelievable that the US would permit China to steal our technology. But there it is, staring us in the face, and eroding our national security and our prestige. How much prestige can the US surrender and still not be regarded as the global chump, instead of the global peacekeeper?
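Points 3 and 4 above argue that community-maintained code such as OpenSSL ends up everywhere, and that vulnerable builds linger long after a fix ships. The check a practitioner wants is an inventory scan that flags which systems still run an affected build. The following is an added example, not code from the original post: it parses the `openssl version` banner, orders versions the way OpenSSL's letter-suffixed 1.x scheme requires, and matches them against a small advisory table. The host inventory and the advisory table are constructed for the example; the one real entry is Heartbleed, CVE-2014-0160, which affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g (pre-release builds such as 1.0.2-beta1 are deliberately rejected rather than modelled).

```python
import re
from typing import NamedTuple


class OpenSSLVersion(NamedTuple):
    """OpenSSL 1.x version as a comparable tuple.

    The letter suffix sorts after the bare release ('' < 'a' < 'b' ...),
    which is how OpenSSL orders 1.0.1, 1.0.1a, ..., 1.0.1g.
    """
    major: int
    minor: int
    patch: int
    letter: str


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
_BANNER_RE = re.compile(r"^OpenSSL\s+(\S+)")


def parse_version(text: str) -> OpenSSLVersion:
    """Parse '1.0.1f' style strings; pre-release tags like '1.0.2-beta1' are rejected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported OpenSSL version string: {text!r}")
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def parse_banner(banner: str) -> OpenSSLVersion:
    """Extract the version from an 'openssl version' banner such as
    'OpenSSL 1.0.1f 6 Jan 2014'."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSL banner: {banner!r}")
    return parse_version(m.group(1))


# Advisory table: (CVE, name, first affected inclusive, fixed-in exclusive).
# Constructed for this example; the Heartbleed range itself is the real one.
ADVISORIES = [
    ("CVE-2014-0160", "Heartbleed", parse_version("1.0.1"), parse_version("1.0.1g")),
]


def find_vulnerabilities(version_text: str) -> list[str]:
    """Return the CVE ids whose affected range contains this version."""
    v = parse_version(version_text)
    return [cve for cve, _name, first, fixed in ADVISORIES if first <= v < fixed]


# Constructed inventory: host -> output of `openssl version` collected from that host.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-vpn": "OpenSSL 1.0.1e 11 Feb 2013",
    "db-01": "OpenSSL 1.0.2k 26 Jan 2017",
}


def scan_inventory(inventory: dict[str, str]) -> list[tuple[str, str, list[str]]]:
    """Return (host, version, cves) for every host still on an affected build,
    sorted by host so the report is stable."""
    findings = []
    for host, banner in inventory.items():
        version = parse_banner(banner)
        version_text = f"{version.major}.{version.minor}.{version.patch}{version.letter}"
        cves = find_vulnerabilities(version_text)
        if cves:
            findings.append((host, version_text, cves))
    return sorted(findings)


if __name__ == "__main__":
    for host, version_text, cves in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: OpenSSL {version_text} affected by {', '.join(cves)}")
```

The range comparison relies on tuple ordering, so a bare 1.0.1 (empty letter) correctly sorts below 1.0.1a, and 1.0.2 sorts above the fixed-in 1.0.1g boundary. In practice the advisory table would be fed from a vulnerability feed and the banners collected by a configuration-management agent; the point of the example is that the comparison itself is where version-scheme mistakes creep in.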

These are the reasons cyber security fails.  It cannot work as it is done today.  No amount of political blarney can keep covering up the escalating failure and the harm it is causing to our security, eroding our global markets, and putting our businesses, government, infrastructure and personal privacy at great risk.  We have to shed the Maginot Line mentality and change the game if we want to win the war.


4 thoughts on “Why Cyber Security Fails”

  1. This would seem to suggest that USG secrets on Hillary Clinton’s bathroom server didn’t stand a chance of remaining secret. But it also suggests that USG secrets on USG servers are only marginally better protected. Yes, it’s best to have the best security available (State Department cyberguys vs toilet paper) with the caveat that it still isn’t very good.
    Interesting and important article, thank you.

    • I would agree but with an exception. All State Department cables are transmitted encrypted. So one would think they are somewhat more secure. The problem for the State Department is that there are thousands of users who can decrypt the transmitted information. Furthermore, although I am not sure, the case of Chelsea Manning (originally Bradley Manning) shows that a wide range of cables were available to him while sitting in Iraq, suggesting there is little compartmentalization or need-to-know practiced by the State Department. In any case, in these instances it is not the server that is vulnerable; the vulnerability is caused (a) by the behavior of the user and (b) by the lack of compartmentalization and need-to-know discipline. On balance, then, the State Department’s servers would have been technically secure and not directly accessible by foreign governments or hackers. It would have required a Manning-type person or a spy to do the job.

  2. Thomas R. Goldberg says:

    Well done, and thorough, although I’d make one correction. The J-20 is actually a mimic of the YF-23, the Northrop Grumman entry in the competition with the Lockheed Martin YF-22. The J-20’s planform incorporates many of the Northrop design features, and it is a long-range fighter, in keeping with that design. It is vexing in two ways: (1) it is stolen technology that moved China’s air forces from 3rd gen. to 5th gen. in eight short years; and (2) along with its anti-ship missile arsenal, it has forced US Naval forces to plan operations further from targets than our equipment (FA-18E/F; F-35) is capable of doing. This makes our current combat posture untenable, and requires that we expose support forces to attack without the benefit of near-field cover.

    U.S. planners are currently executing strategies to employ exotic new weaponry in response to the rapid obsolescence China’s cyber thefts have foisted upon our inventory of weaponry.
