NextGov: Cybersecurity: We’ve deluded ourselves for years

From NextGov: Cybersecurity: We've deluded ourselves for years

Bruce Schneier’s piece ”Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them” implies the debate over exploiting cyber vulnerabilities rather than fixing them is new and unprecedented. It isn’t.

It’s been going on in U.S. government circles for decades, especially since creating the National Security Agency in 1952. It's a practice called SIGINT (signals intelligence) equity in NSA parlance. Bruce accurately describes this in his piece.

We have allowed a preference of offense over defense to affect our cybersecurity by means of neglect and intent. For some, it seems, the Internet just popped up out of nowhere.

Successive administrations in the United States made this debate moot through action. They have consistently taken the position that it's better to know about vulnerabilities and exploit them rather than educate others on how to shore up defenses. Stated differently, our consistent bias has been offense over defense. This notion stems from military and intelligence community influences superimposed, if you will by default, over the commercial Internet.

With the Snowden disclosures, we've lost some SIGINT equity surprise. That's why we're now seeing the indictments of foreign state actors for hacking. Our government could've done this before 2014 if it wanted to. But it didn't, partly because of SIGINT equity-type concerns.

The headline for Bruce’s piece questions whether we should we allow hackers to fix our vulnerabilities. This is a crazy idea. It's one thing to give someone the keys to your home or your business. It's another thing to give them root access to your digital data.

The government will not hire applicants with felony arrest records for sensitive positions. Why in the world would it consider giving known hackers with felony backgrounds, convicted or not, access to our sensitive systems?

But what are some doing today? Hiring hackers with known criminal backgrounds. Some are convicted criminals turned “consultants.” Some are “sources” in the cyber netherworld we think we control.

This notion of using hackers is not new. I say this because I recall flag officers back in the 1990s at the Pentagon talking about cyberattacks, by suggesting we should use hackers to fix vulnerabilities and counterattack other hackers. These folks were then clueless about the realities of cyberspace warfare, terrorism, security and crime. They displayed what I call one of the six classic stages of cybercrime denial.

At the turn of the century, cybercrime and security was the hottest security issue in the United States. But we lost our focus on it by chasing terrorists with withering abandon across the world. The sideswipe effect of our action was we stopped focusing on cybercrimes and the widespread penetration of our networks by foreign state actors and organized crime hacking groups.

And what we have to show for our efforts today? A nation riddled with vulnerabilities shuddering from staggering intellectual property losses.

This problem could have been fixed before we commercialized the Internet. And I know of what I speak. I was on Al Gore’s Reinventing Government team back in 1992. I recommended to all concerned then not to commercialize the Internet until vulnerabilities were fixed. But the political rationale to get the Internet out to the masses outweighed any security concerns.

Let's face it, folks. We have feigned concern about cybersecurity for decades. I think of the famous quip “methinks thou dost protest too much” when I see others cry crocodile tears about the electronic dry cleaning of America. We've known about this problem “forever.” And we've chosen to remain silent about it because of our offensive bias.

The confluence of these problems: the bias of offense over defense, and the mind-numbing, witless denials of cybersecurity vulnerabilities by enterprises in America, highlight a larger problem we’re not at all addressing.

We’re doing nothing to defend publicly against forthcoming novel technology crimes. These are nanotechnology, biotechnology, genomics, robotics, intelligent systems and similar new and hybrid technologies.

Governments run secret programs to develop exploits of these new technologies. And here’s what we’ll see now and throughout the future.

Akin to our implementation of the Internet, we’ll hear about problems only after we suffer public embarrassment over the loss of billions in intellectual property or the loss of lives. And later, of course, we’ll revert to our offensive bias when the uproar calms down.

We consistently display stereotypical Western thinking with our approach to cybercrime and security. Like businesspeople concerned only with quarter-to-quarter profits, we aim for near-term “solutions” rather than address vulnerabilities upfront.

Yes, the old SIGINT equity game is ongoing. All governments do it. But today, we apply this approach to the Internet and novel technologies — not just traditional communication systems. And we seem bent on not taking action about cyber and future, novel technology crimes until our technologies start exploiting us.

Tom Talleur is a retired federal law enforcement executive from NASA, forensic technologist, futurist and technology writer.