The simple answer is that it’s impossible to “get a grip” on cybersecurity.
Recently, I was asked (*in a mild tone of irritation*), “Why is it that our government can’t seem to deal with this?” ‘This’ being the inability to secure our country’s information. My response was that intangible things tend to be problematic in themselves, but here are five things to keep in mind when it comes to the relationship between our government and information security.
1.) Good luck trying to put a finger on it
People like being able to point a finger at something. This is why we’re not used to the lack of direct responsibility in the cyber world.
An example of this dilemma, which isn’t just a cyber problem, is the United States’ attempts to stop China’s cyberspies. Although Beijing’s hackers cost the United States an estimated $250 billion a year in intellectual property theft, the U.S. has still been unable to stop it. What’s more, when the United States government points to China as a suspect, as in the Office of Personnel Management breach in June, “China, of course, denies that its cyberspies turn over the secrets they uncover to Chinese companies, claiming that private hackers are to blame”, writes Jonathan Broder in the Newsweek article Why The U.S. Can’t Stop China’s Cyberspies.
Again, not just a cyber problem. There are numerous ways China successfully spies on America, and it is not alone in doing so. Espionage approaches include the purchase of trade secrets, physical theft of information, employee poaching, classified ads, and the cyber theft of secrets. Other Chinese intelligence efforts involve long-term commitments of manpower, such as Chinese citizens studying at U.S. universities, among other integration tactics that make it difficult for U.S. counterintelligence to determine which visitors are in fact an intelligence threat. Although it is an older piece, Technology Acquisition and the Chinese Threat highlights more details relevant to this side of the Chinese threat.
Stopping criminals is already difficult, but cybercrime has a dual challenge: not only finding out what the bad guys are doing, but proving that they (the elusive “they”) are to blame. Even promising leads often dead-end in spoofed addresses, compromised intermediary machines, or some other form of deception, and the last hop you can see is rarely the attacker.
2.) Take politicians with a grain of salt
Let’s face it…
- Many politicians don’t understand the technologies behind information security defenses. (Now, this isn’t saying a lot, considering politicians haven’t understood technologies for missiles or frankly even telephones, and laws have still been passed for these things).
- What compounds the struggle even further is that politicians can’t simply fall back on party lines, because cyber issues don’t line up neatly with them.
When tragedies occur, such as those in Paris and San Bernardino, politicians (along with the rest of us) are left scrambling for clarity and answers. Again, keeping in mind that most politicians don’t understand things like encryption, they continue to orate with false confidence, or avoid the issue entirely because they can’t argue it persuasively.
Just so we can get this out of the way, the webopedia.com definition of encryption is, “Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text”. Knowing the definition is one thing, understanding its nuances is another.
The headache from the technical perspective is a three-pronged issue:
- Politicians often lack an understanding of anything from general infosec practices, to more specific concepts, such as encryption. If our politicians don’t know how to protect their own information, how could they be expected to know what solutions to implement for our nation? Find out more from Wired’s article: Let’s School the Presidential Hopefuls on Cybersecurity.
- Encryption may be one of the best ways to achieve data security; however, the term isn’t interchangeable with total security (because nothing is totally secure). Encryption protects the confidentiality of data. On its own it says nothing about who holds the keys, whether the data has been tampered with in transit, or whether the endpoints that decrypt it are trustworthy. It’s important to understand that encryption in itself isn’t security.
- It’s a nice thought that we can have encryption and simply hide the key away… somewhere… and leave access to it with… someone. The problem is that a deliberate opening (the “backdoor”) plus a party who can reach it (whoever they are) is a single point of failure: anyone who compromises that party, or the place the key is kept, can read everything the system was protecting, so it’s just as vulnerable as any other hole-filled solution. An article from The Verge called Mossberg: An encryption backdoor is a bad idea does a good job of explaining further.
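As an added example (written for this edit, not code from the original post or from Hurricane Labs), the following Python makes both of those points concrete, going slightly beyond the text above. First, that encryption by itself gives confidentiality but not integrity: an attacker who never sees the key can still rewrite the meaning of an unauthenticated ciphertext, and it takes an authentication tag (here HMAC-SHA256) to catch the change. Second, that an escrowed “backdoor” key is one secret whose theft unlocks every user’s data at once. The stream cipher is a deliberately simple construction from SHA-256 in counter mode, used only for illustration and not something to deploy; all keys, user IDs and messages are made-up sample values.

```python
"""Added example (not part of the original post): why "encrypted" is not the same
as "secure", and why an escrowed backdoor key is a single point of failure.

Standard library only. The stream cipher below is a TOY (SHA-256 in counter mode)
constructed for illustration; do not use it as a real cipher.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), one block per counter value."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR data with the keystream. Nothing here detects tampering."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR is its own inverse


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an attacker WITHOUT the key can do to an unauthenticated ciphertext:
    XOR in the difference between the plaintext they expect and the one they want."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one secret."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, nonce || ciphertext)."""
    enc_key, mac_key = subkeys(key)
    ct = encrypt(enc_key, nonce, data)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) BEFORE decrypting; reject on mismatch."""
    enc_key, mac_key = subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: tag mismatch (tampering or wrong key)")
    return decrypt(enc_key, nonce, ct)


MESSAGE = b"PAY 0100 TO ALICE"  # constructed sample plaintext; the amount starts at offset 4


def demo_encryption_only() -> bytes:
    """Encryption alone: the attacker rewrites the amount without ever seeing the key."""
    key, nonce = os.urandom(32), os.urandom(16)
    ct = encrypt(key, nonce, MESSAGE)
    forged = flip_field(ct, 4, b"0100", b"9900")
    return decrypt(key, nonce, forged)  # recipient decrypts b"PAY 9900 TO ALICE" without complaint


def demo_authenticated() -> tuple[bytes, str]:
    """Encrypt-then-MAC: the genuine blob opens, the same bit-flip is rejected."""
    key, nonce = os.urandom(32), os.urandom(16)
    blob = seal(key, nonce, MESSAGE)
    genuine = open_sealed(key, nonce, blob)
    try:
        open_sealed(key, nonce, flip_field(blob, 4, b"0100", b"9900"))
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return genuine, verdict


def demo_escrow_backdoor() -> dict[bytes, bytes]:
    """Key escrow: every user's key is wrapped under ONE master key held by "someone".
    Whoever obtains that single key (insider, breach of the escrow) reads all traffic."""
    master = os.urandom(32)
    user_keys = {b"alice": os.urandom(32), b"bob": os.urandom(32)}  # made-up users
    # The escrow database: per-user keys encrypted under the master key (nonce = user id).
    escrow_db = {uid: encrypt(master, uid, k) for uid, k in user_keys.items()}
    # Normal traffic, each user encrypting under their own key.
    traffic = {}
    for uid, k in user_keys.items():
        nonce = os.urandom(16)
        traffic[uid] = (nonce, encrypt(k, nonce, b"private note from " + uid))
    # Attacker has stolen exactly one secret (the master key) plus the escrow database.
    stolen_master = master
    recovered = {}
    for uid, (nonce, ct) in traffic.items():
        user_key = decrypt(stolen_master, uid, escrow_db[uid])
        recovered[uid] = decrypt(user_key, nonce, ct)
    return recovered


if __name__ == "__main__":
    print(demo_encryption_only())
    print(demo_authenticated())
    print(demo_escrow_backdoor())
```

Two things worth noticing when you run it. The forgery in demo_encryption_only needs no key and no decryption: knowing (or guessing) what a field says is enough to change it, which is why real protocols use authenticated encryption rather than bare encryption. And in demo_escrow_backdoor the attacker never touches Alice’s or Bob’s keys directly; compromising the one party that “holds the key” is sufficient, which is the whole objection to a backdoor.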
It has been suggested that the government should assign one or more groups to solve cyber issues with a variety of tailored solutions, no differently than how the government solves other issues (and I mean “solves other issues” very loosely). The problem is obtaining the experienced individuals needed to handle these issues, who are often either not available or don’t come cheap.
3.) It’s hard to walk a blurred line
Those who have paid attention can acknowledge the looming “cyberwar” issue at hand, and that many of the lines in this area are extremely blurry. Again, it’s difficult to put boundaries on something you can’t point a finger at.
Danny Vinik, in his article America’s Secret Arsenal, expounds upon this, stating, “The line between a military attack and an espionage operation is far blurrier in the cyber realm. A cyberattack generally doesn’t involve the movement of physical objects and does not put the attacker’s soldiers at risk. ‘All of the potential red flags that would pop up and get congressional attention don’t.’” (Keep in mind, the part about the absence of physical objects is true only until the attacker gains access to water treatment plants, electrical grids, missile controllers, or some other ‘supposedly’ locked-down controls in order to perform a physical strike.)
There are impending cyber threats that will certainly impact our nation physically; it’s only a matter of time. Tim Starks says it right in his article Why politicians can’t handle cyber, stating, “Maybe it will take a catastrophic cyberattack for Americans to notice”.
Another dichotomy that needs to be acknowledged (thanks to one of my coworkers for pointing this out) is that cyber security walks a line between being a national (i.e. federal) issue and a criminal issue handled by the states. States have largely been left responsible for criminal proceedings except when the attack originates outside the United States, and most states and local municipalities lack the resources to properly investigate a cyber incident.
In terms of cyberwar policy, it has been suggested that the rules be a living document that changes as the technology changes. This is an interesting concept; however, it’s going to be difficult for an organization as rigid as the government to create. I will be interested to see if a living document that supposedly encompasses the blurred lines will ever exist successfully.
4.) What’s secure today, won’t be tomorrow
In the cyber realm things are constantly changing. This means a defense that works against one thing today may be useless against something else tomorrow. Technologies are developing, attacker methods are evolving, and the attack surface and the environment around it have grown immensely and become much more complex.
For much less agile structures, such as the government, thinking through the larger strategic plan – when it comes to resources, budget, etc. – becomes quite cumbersome. An unnamed source elaborates on this point by saying, “Governments think in decades (mostly). So, this is a completely foreign concept to most of our politicians. Technology has ALWAYS moved faster than laws (we still have telecom laws from last century)”.
Predictions and comprehensive strategies become major obstacles when the government, or any business, is trying to deal with constantly moving targets. Not knowing what’s going on now, or what’s coming our way, gives little guidance as to what to do in either the present or the future.
5.) The “silver bullet” still doesn’t exist
No matter how hard people try, whether they are politicians or business people, the complex processes for securing critical data cannot be reduced to a single product. The “silver bullet” offerings, which are presented as simplified solutions to complex problems, sure look great coming out of their boxes. The problem is they usually don’t cover the necessary elements required for effective security.
*Interjection* It was brought to my attention, by someone far above my pay grade, that “there is no silver bullet for anything and this is not unique to infosec — the rockstars would just like you to believe it so they can keep selling their snake oil”.
Unfortunately, our organizational (and psychological) structures lean up against these “silver bullet” solutions for support. When it comes to governments, businesses, and individual people, the structures we have in place aren’t built for agility and resiliency. As said eloquently by one of my coworkers here at Hurricane Labs, “Our adversary (for lack of a better term) is human. So, for every countermeasure there is an equal and opposite exploit.”
The answer is that one simple answer simply doesn’t exist.