June 27, 2013

The Willie Suttons of the Cyberage

By Michele Flournoy

Criminal mastermind Willie Sutton famously quipped that he robbed banks because “that’s where the money is.” Modern-day cyber-Suttons follow the same basic logic; the problem is that the “money” is everywhere. The Internet that we rely on to casually IM, order books, and video-chat is the same one that synchronizes power generation, enables collaborative design of fighter jets, and transmits electronic medical records. And while consumer banks have evolved to limit their exposure to gun-wielding bandits, there are billions of highly valuable and highly vulnerable nodes on the Internet that are not yet adapted to the new cyber realities.

In the real world, federal authorities are massively outnumbered by professional hackers -- both freelance and state-sponsored -- who have the time and skill to penetrate our electronic perimeter. Meanwhile, the high-speed optical lines that carry data under seas and across continents allow adversaries to virtually stand on -- or in -- their targets long enough to find digital cracks and exploit them. In a cat-and-mouse game like this, patience is richly rewarded -- and America’s enemies can easily afford to wait.

Cyber criminals also enjoy three other advantages. First, they operate outside the jurisdiction of U.S. courts, making it virtually impossible for federal authorities to prosecute aggressors.

Even if they sometimes can pinpoint the source of cyber attacks amidst the storm of digital data, there are few legal options available. Our best hope of protection is from the inside out, not the outside in: ferociously guard data as the primary asset, and be more operationally tolerant of intruders in our midst. Indeed, we should assume that they are there already.

Second, the tools hackers use to find holes in U.S. networks are now automated. The days of pocket-protected nerds breaking into high-security networks for kicks or glory are over. Today, highly trained professionals, sometimes employed by nation states, work nine-to-five jobs to infiltrate networks -- both governmental and corporate -- and exfiltrate plans, intellectual property, and data.

The US needs a coherent program that attracts the best minds to guard our nation’s digital secrets; our adversaries do a much better job of recruiting and training their human resources than we do at the moment.

Third, cyber attacks can be many orders of magnitude more profitable than robbing a bank. Launching them is essentially free, and the rewards in terms of cash and disruption can be astronomical. Just three months ago a man working alone with a laptop and ordinary network access nearly brought down the global Internet with a so-called “distributed denial of service” attack on the web filtering service Spamhaus.

And the average “zero day” attack – one of the most pernicious and dangerous kinds of digital vulnerability – is embedded for 300 days prior to detection, according to a recent research report from Symantec, a well-regarded network security company. Latent infections and undetected holes result in sensational escapades like the diversion of 800,000 liters of raw sewage into a public park in Australia and wickedly clever intrusions that siphon off credit card numbers from banks and clearinghouses.

According to Dan Geer of In-Q-Tel, the basic problem is that “detection alone is insufficient unless you have total surveillance of your network, which in reality no one does.” That’s correct, but we could have “total surveillance” of the software that runs at its endpoints.

Better visibility would require a policy change, because both the public and private sectors are widely dependent on closed, proprietary, monolithic software systems. The federal government is especially stuck in this strategic trap, in part because the incumbent merchants and system integrators unleash untold fear, uncertainty, and doubt on procurement officers about the make-believe risks and inflated transition costs of modernizing their enterprise systems. It’s a false argument, because many federal systems and practically all new ones could easily migrate to “open source” software that is license-free and costs about the same to configure, install, and operate. In addition to the enormous cost and performance benefits associated with open source software, it is also measurably -- even if counterintuitively -- more secure. Entrenched bureaucracies and heavily lobbied staffers are often confused about open source solutions, hindering progress toward their adoption and implementation.

But it’s not just a question of money anymore; the United States has compromised itself with customized and proprietary electronic infrastructure, for the simple reason that closed solutions are closed to inspection, and open solutions attract useful comment, constructive critique, and faster fixes.

The United States also needs to align its focus and place strategic resources on protecting assets that are irreplaceable if breached and irretrievable if stolen: data and personal identity. Inside-out approaches to cyber security -- driven simultaneously by advances in cloud computing and strict European privacy regulations -- are emerging with advances that enable service delivery without exposing data, even to the service provider.

The government should accelerate this approach by re-allocating investments into technical solutions that “harden” the data core, making it much less vulnerable to infiltration, exfiltration, and eavesdropping. This, coupled to policy-driven mandates for openly architected, standards-based systems that are more resistant to breach and less expensive to maintain, would substantially change the nation’s cybersecurity posture from defensive and reactive to stable and confident.

Cyber threats are real and growing. While we can’t stop the bad guys from getting into U.S. networks, we can prevent them from being able to steal, corrupt or destroy what matters most. The U.S. government -- and its partners around the world -- can and should incentivize nascent efforts to better protect data and personal identity from the inside out. The recent litany of sensational cyber attacks -- from the infiltration of the New York Times’ networks to the breach of renowned security company RSA to a growing list of compromised federal websites -- will grow more serious, and U.S. national security more vulnerable, until it does.