recommended reading

Cybersecurity: We’ve Deluded Ourselves for Years

Image via Tom Talleur

ARCHIVES

By Tom Talleur June 12, 2014

recent posts

Bruce Schneier’s piece ”Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them” implies the debate over exploiting cyber vulnerabilities rather than fixing them is new and unprecedented. It isn’t. 

It’s been going on in U.S. government circles for decades, especially since creating the National Security Agency in 1952. It's a practice called SIGINT (signals intelligence) equity in NSA parlance. Bruce accurately describes this in his piece. 

We have allowed a preference of offense over defense to affect our cybersecurity by means of neglect and intent. For some, it seems, the Internet just popped up out of nowhere.

Successive administrations in the United States made this debate moot through action. They have consistently taken the position that it's better to know about vulnerabilities and exploit them rather than educate others on how to shore up defenses. Stated differently, our consistent bias has been offense over defense. This notion stems from military and intelligence community influences superimposed, if you will by default, over the commercial Internet.

With the Snowden disclosures, we've lost some SIGINT equity surprise. That's why we're now seeing the indictments of foreign state actors for hacking. Our government could've done this before 2014 if it wanted to. But it didn't, partly because of SIGINT equity-type concerns.

The headline for Bruce’s piece questions whether we should we allow hackers to fix our vulnerabilities. This is a crazy idea. It's one thing to give someone the keys to your home or your business. It's another thing to give them root access to your digital data. 

The government will not hire applicants with felony arrest records for sensitive positions. Why in the world would it consider giving known hackers with felony backgrounds, convicted or not, access to our sensitive systems?

But what are some doing today? Hiring hackers with known criminal backgrounds. Some are convicted criminals turned “consultants.” Some are “sources” in the cyber netherworld we think we control.

This notion of using hackers is not new. I say this because I recall flag officers back in the 1990s at the Pentagon talking about cyberattacks, by suggesting we should use hackers to fix vulnerabilities and counterattack other hackers. These folks were then clueless about the realities of cyberspace warfare, terrorism, security and crime. They displayed what I call one of the six classic stages of cybercrime denial.

At the turn of the century, cybercrime and security was the hottest security issue in the United States. But we lost our focus on it by chasing terrorists with withering abandon across the world. The sideswipe effect of our action was we stopped focusing on cybercrimes and the widespread penetration of our networks by foreign state actors and organized crime hacking groups.

And what we have to show for our efforts today? A nation riddled with vulnerabilities shuddering from staggering intellectual property losses. 

This problem could have been fixed before we commercialized the Internet. And I know of what I speak. I was on Al Gore’s Reinventing Government team back in 1992. I recommended to all concerned then not to commercialize the Internet until vulnerabilities were fixed. But the political rationale to get the Internet out to the masses outweighed any security concerns.

Let's face it, folks. We have feigned concern about cybersecurity for decades. I think of the famous quip "methinks thou dost protest too much" when I see others cry crocodile tears about the electronic dry cleaning of America. We've known about this problem “forever.” And we've chosen to remain silent about it because of our offensive bias.

The confluence of these problems: the bias of offense over defense, and the mind-numbing, witless denials of cybersecurity vulnerabilities by enterprises in America, highlight a larger problem we’re not at all addressing.

We’re doing nothing to defend publicly against forthcoming novel technology crimes. These are nanotechnology, biotechnology, genomics, robotics, intelligent systems and similar new and hybrid technologies.

Governments run secret programs to develop exploits of these new technologies. And here’s what we’ll see now and throughout the future. 

Akin to our implementation of the Internet, we’ll hear about problems only after we suffer public embarrassment over the loss of billions in intellectual property or the loss of lives. And later, of course, we’ll revert to our offensive bias when the uproar calms down.

We consistently display stereotypical Western thinking with our approach to cybercrime and security. Like businesspeople concerned only with quarter-to-quarter profits, we aim for near-term “solutions” rather than address vulnerabilities upfront.

Yes, the old SIGINT equity game is ongoing. All governments do it. But today, we apply this approach to the Internet and novel technologies -- not just traditional communication systems. And we seem bent on not taking action about cyber and future, novel technology crimes until our technologies start exploiting us.

Tom Talleur is a retired federal law enforcement executive from NASA, forensic technologist, futurist and technology writer.

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.