Cybersecurity: We’ve Deluded Ourselves for Years

By Tom Talleur June 12, 2014

Bruce Schneier’s piece “Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them” implies the debate over exploiting cyber vulnerabilities rather than fixing them is new and unprecedented. It isn’t.

It’s been going on in U.S. government circles for decades, especially since the National Security Agency was created in 1952. It's a practice called SIGINT (signals intelligence) equity in NSA parlance. Bruce accurately describes this in his piece.

We have allowed a preference of offense over defense to affect our cybersecurity by means of neglect and intent. For some, it seems, the Internet just popped up out of nowhere.

Successive administrations in the United States made this debate moot through action. They have consistently taken the position that it's better to know about vulnerabilities and exploit them rather than educate others on how to shore up defenses. Stated differently, our consistent bias has been offense over defense. This notion stems from military and intelligence community influences superimposed, if you will by default, over the commercial Internet.

With the Snowden disclosures, we've lost some SIGINT equity surprise. That's why we're now seeing the indictments of foreign state actors for hacking. Our government could've done this before 2014 if it wanted to. But it didn't, partly because of SIGINT equity-type concerns.

The headline for Bruce’s piece questions whether we should allow hackers to fix our vulnerabilities. This is a crazy idea. It's one thing to give someone the keys to your home or your business. It's another thing to give them root access to your digital data.

The government will not hire applicants with felony arrest records for sensitive positions. Why in the world would it consider giving known hackers with felony backgrounds, convicted or not, access to our sensitive systems?

But what are some doing today? Hiring hackers with known criminal backgrounds. Some are convicted criminals turned “consultants.” Some are “sources” in the cyber netherworld we think we control.

This notion of using hackers is not new. I say this because I recall flag officers back in the 1990s at the Pentagon talking about cyberattacks, by suggesting we should use hackers to fix vulnerabilities and counterattack other hackers. These folks were then clueless about the realities of cyberspace warfare, terrorism, security and crime. They displayed what I call one of the six classic stages of cybercrime denial.

At the turn of the century, cybercrime and security was the hottest security issue in the United States. But we lost our focus on it by chasing terrorists with withering abandon across the world. The sideswipe effect of our action was we stopped focusing on cybercrimes and the widespread penetration of our networks by foreign state actors and organized crime hacking groups.

And what do we have to show for our efforts today? A nation riddled with vulnerabilities shuddering from staggering intellectual property losses.

This problem could have been fixed before we commercialized the Internet. And I know of what I speak. I was on Al Gore’s Reinventing Government team back in 1992. I recommended to all concerned then not to commercialize the Internet until vulnerabilities were fixed. But the political rationale to get the Internet out to the masses outweighed any security concerns.

Let's face it, folks. We have feigned concern about cybersecurity for decades. I think of the famous quip "methinks thou dost protest too much" when I see others cry crocodile tears about the electronic dry cleaning of America. We've known about this problem “forever.” And we've chosen to remain silent about it because of our offensive bias.

The confluence of these problems, the bias of offense over defense and the mind-numbing, witless denials of cybersecurity vulnerabilities by enterprises in America, highlights a larger problem we’re not at all addressing.

We’re doing nothing to defend publicly against forthcoming novel technology crimes. These are nanotechnology, biotechnology, genomics, robotics, intelligent systems and similar new and hybrid technologies.

Governments run secret programs to develop exploits of these new technologies. And here’s what we’ll see now and throughout the future. 

Akin to our implementation of the Internet, we’ll hear about problems only after we suffer public embarrassment over the loss of billions in intellectual property or the loss of lives. And later, of course, we’ll revert to our offensive bias when the uproar calms down.

We consistently display stereotypical Western thinking with our approach to cybercrime and security. Like businesspeople concerned only with quarter-to-quarter profits, we aim for near-term “solutions” rather than address vulnerabilities upfront.

Yes, the old SIGINT equity game is ongoing. All governments do it. But today, we apply this approach to the Internet and novel technologies -- not just traditional communication systems. And we seem bent on not taking action about cyber and future, novel technology crimes until our technologies start exploiting us.

Tom Talleur is a retired federal law enforcement executive from NASA, forensic technologist, futurist and technology writer.

