The ominous-sounding "Cyber Disrupt 2017" gathering at the Center for Strategic and International Studies, fittingly held on the Ides of March, featured a speech by Tom Bossert, President Trump's Assistant for Homeland Security and Counterterrorism. He also holds the portfolio for cyber matters, and his remarks focused upon this area of concern. Briefly, Bossert articulated three goals: improving the security of federal government networks; coping with the rising threat from botnets; and figuring out how to deter cyber attacks.
Left unsaid were details about the various ways in which these goals might be pursued. Perhaps that's because, given the current policy trajectories, all three are going to prove quite difficult to achieve. All too many government networks are poorly engineered for purposes of meeting today's cybersecurity challenges. Botnets are seeing a sharp rise, particularly in this era of the Internet of Things, when toasters, refrigerators, and many other smart appliances—numbering in the billions—can be conscripted into zombie armies. Last, deterrence is going to be problematic when attackers can still hide behind a veil of anonymity, or at least of "deniability."
Compounding these problems is the fixation on shoring up defenses with ever-better firewalls and anti-virals. This paradigm has worked relatively poorly, not only in the governmental area of responsibility, but also in the private sector, which bleeds out intellectual property worth hundreds of millions each year. And how do we put a number to the costs associated with having 500 million Yahoo accounts hacked? It is high time to consider a new paradigm. Or an old one. Anything but what we have been relying upon.
Over the years, I have been an advocate for the widespread use of strong encryption—even when the government I work for has opposed allowing the diffusion of this technology to the average American. Well, thanks to the early efforts of "code rebels" like Whit Diffie and others, strong crypto is far more available today than in years past. Still, I find it both curious and ironic that government actors, who know the strength and value of crypto, have left so much data in their systems so easily reachable and readable. The iconic example being the Office of Personnel Management, which saw over 20 million files hacked—including mine.
Aside from government using strong encryption religiously—and hopefully moving data around in the Cloud and/or the Fog—there is a regulatory role that may help, at least at the margin, in dealing with botnets. The "things" of the Internet of Things should be required to come with better security from the factory. This does not absolve consumers from the responsibility to be good about setting passwords and such, but too-simple default passwords from the manufacturer have made the task of assembling robot armies too easy.
And when it comes to deterrence, as I have noted in earlier columns—see "Deterrence After Stuxnet" and "Stop Trying to Deter Cyber Attacks"—this is simply the wrong way to think about cybersecurity. Offense in cyberspace is just too easy, too low-cost and low-risk to hope that forms of deterrence are going to work. As I have also observed previously, deterrence in the physical world has a mixed record. Deterrence is going to have an even worse record in cyberspace. So it's high time simply to focus on defense, through strong encryption, by moving data around and, as my dear colleague Dorothy Denning regularly reminds me, by making authentication and monitoring the other legs of a cyber defensive triad, along with crypto.
President Trump ran for office as a populist; but the early signs are that he is trying to govern as a classic conservative. For purposes of cybersecurity, we might assume this to mean that he intends to encourage a lot of self-help efforts in the private sector to make it safe from hackers. This goes for commercial firms and individuals as well. One can only hope that some of this spirit, so much in tune with a defense-oriented paradigm based on encryption, authentication, and monitoring, spills over into the public sector. Government networks would become far more secure, the power of botnets somewhat muted, and the deterrence mirage would be dispelled by the clarity of a shift to sound, robust cyberdefenses. May it be so.
John Arquilla is professor and chair of defense analysis at the U.S. Naval Postgraduate School. The views expressed are his alone.