How much do front row seats to a train wreck cost? About $6 billion.
I've been ruminating about a story that appeared around February 2008, and it's bugging me to no end. What is the story? This one:
Bush Looks to Beef Up Protection Against Cyber Attacks
To quote:
President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.
Administration officials and lawmakers say that the prospect of cyberterrorists hacking into a nuclear-power plant or paralyzing Wall Street is becoming possible, and that the U.S. isn't prepared. This is "one area where we have significant work to do," Homeland Security Secretary Michael Chertoff said in a recent interview.
In essence, President Bush's "beef up" is to allow the National Security Agency, Central Intelligence Agency, and the Cyber Division of the FBI to conduct domestic intrusion detection; that is, to look for the cyber footprints of bad guys breaking into US networks, which seems to be a considerable problem of late (see Byzantine Foothold). This position by the White House coincides with a report released by U.S. Intelligence:
The Intelligence Community Tells the American Public All About Cyberwar
To quote:
The US information infrastructure (including telecommunications and computer networks and systems, and the data that reside on them) is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.
Our information infrastructure (including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries) increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious.
And under current US policy, it will likely get worse.
So what's bugging me? It certainly isn't the privacy issues that seem to be the major source of protest regarding President Bush's "beef up." What is bugging me is that the majority of US cyber defenses center on monitoring and reacting to malicious activity, and tend to define "protection" (at least in my eyes) as preventative measures such as configuration hardening and network defenses (like firewalls and intrusion protection systems). That makes us nothing more than targets. This also bothers others.
To quote the Director of US National Intelligence, Michael McConnell, in his testimony to the Senate Select Committee on Intelligence:
It is no longer sufficient for the US government to discover cyber intrusions in its networks, clean up the damage, and take legal or political steps to deter further intrusions. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.
What I believe Director McConnell is referring to is "active" measures against our cyber adversaries; that is, instead of hiding behind firewalls, instead of merely detecting attacks...you know, the passive stuff...go after the bad guys. Really go after them, whatever that might actually mean in the cyber realm. It's a tempting thought. It's also probably doomed to fail. Why?
What I would like to focus on within McConnell's comment is the phrase "whatever source." In the Art of Statecraft, "whatever source" is a roundabout way of stating your adversaries' name without actually saying it (China, Russia, ahem...).
"Whatever source," in this case, is interesting because it includes all of our adversaries except, of course, the actual source of our problems in cyber space: software manufacturers. They are not the source of cyber attacks, which is what McConnell is talking about, but of the raw materials that enable and invite highly foreseeable cyber attacks, which is what I am talking about and would argue the U.S. Senate should be talking about also.
What are the raw materials of cyber attacks? Software defects. Specifically, software vulnerabilities.
Carnegie Mellon's Software Engineering Institute (SEI) estimates that more than 90 percent of reported security incidents are the result of exploits against software vulnerabilities. With a constant stream of latent software vulnerabilities released by software manufacturers every single day (it still gripes me that Vista is a "work in progress" and Apple is getting its ass handed to them by aspiring hackers), $6 billion is a ridiculous sum to pay for state-of-the-art front row seats to "monitor" the results of the disaster that is current software manufacturing practice. "Active" measures are probably just as misguided.
Cyber attackers may be the source of cyber exploits (the nasty software that hijacks your machine without your knowledge), but software manufacturers are the source of vulnerabilities which cyber attackers exploit in the first place. Software exploits do not exist in a vacuum. There is a direct relationship between a given software vulnerability and a particular software exploit. In fact, they are inextricably joined together: an exploit is dependent upon the existence of a software vulnerability.
Let me put it another way: you can't write a software exploit without a corresponding software vulnerability.
Or, at least, it's incredibly hard to do so. That's why the religious war over vulnerability disclosure practices is such a, well, religious war. By openly reporting software vulnerabilities to the public you give potential cyber attackers knowledge of what to exploit. By not openly reporting software vulnerabilities you can take away this ability. That's good. But you also potentially shield software manufacturers from public shame regarding their blunders and thus delay the creation of a patch to fix the problem. That's not so good.
What to do about open reporting? Not sure. But so far, it can be argued that cyber attackers have benefited far more from open reporting than anyone else. Shame doesn't appear to be a strong enough disincentive for software manufacturers to discover vulnerabilities in their products before researchers/attackers do, because we still have a relentless stream of new software vulnerabilities discovered to this day. And we spend more than ever before on cyber-security and have few successes to show for it (otherwise we wouldn't sound so frantic). That's a kicker. Anyway, my point is that software vulnerabilities are the raw material of exploitation and are the key element in allowing software exploits to impact our economic and national security in the first place.
So, we can certainly spend billions on detecting software exploits in the wild, we could even "go after the bad guys," but I would strongly argue these activities won't change the playing field in any significant manner, because reducing and detecting the number of exploits or even finding the bad guys isn't the issue; it's reducing the number of vulnerabilities that is critical...vulnerabilities that could have been detected by the manufacturer, but were discovered by someone else.
We don't know who the bad guys might be. We might never know. But we do know the names of our software manufacturers that create the software these attackers exploit.
Does it really make sense to have every government, corporation, and computer user in the world spend time, energy, and money defending themselves from new software vulnerabilities discovered on a daily basis or does it make more sense to focus on the much smaller number of software manufacturers that fail to sufficiently detect their own product's vulnerabilities before releasing it?
The raw materials of exploitation are injected into the software market and thus our global infrastructure every day by software manufacturers, not cyber attackers. By drastically reducing the number of software vulnerabilities you take away the raw materials attackers leverage to create exploits. But software manufacturers are not accountable for failing to detect these vulnerabilities before releasing their products. If individuals other than software manufacturers can discover vulnerabilities (like security researchers and hackers), why don't software manufacturers?
Because software manufacturers do not have strong enough incentives to do so.
That US policy makers, heck, that policy makers in general do not address this issue is worrying. Let me reiterate: More than 90 percent of reported security incidents are the result of exploits against software vulnerabilities.
We spend billions on cyber security gymnastics every year, but not a single penny as far as I can tell on pushing software manufacturers with meaningful incentives to change their manufacturing practices. Cyber attackers are merely leveraging what software manufacturers give them. We are paying both for the eager attention of cyber attackers and the inattention of software manufacturers. That is a shame...and incredibly expensive.
In the end, the proposed "monitoring" focuses on the wrong players. If we want to take "proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage," strongly disincentivize the creation of vulnerabilities at the source. Make software manufacturers accountable for their defects just as every other industry that affects public health, safety, and welfare has ultimately had to do.
It won't address every aspect of cyber security, but it is a strong policy stance for national security that is likely to help and cost much less in the long run.