Wednesday, July 15, 2009

3 Reasons Why U.S. Cybersecurity Sucks


Good news, cybersecurity nerds: You ain’t running out of work, anytime soon. As last week’s cyber panic about North Korea showed, when there isn’t a teenager-simple denial-of-service attack that delays your access to a government website, there is a voracious hype machine that feeds on the tiniest slivers of data – both significant and trivial – and expels massive quantities of fear and misinformation. And where there’s cyber fear, there’s cybersecurity work to be done.
It’s sad that this sham is allowed to continue unabated. But worse still, it’s dangerous. Despite the expenditure of tens of billions of dollars and countless studies on what needs to happen (not to mention all the offices, centers and commands, that are supposed to implement those reports), we’re still largely screwed when it comes to threats of the online variety.
The problem is multifaceted, but can be broken down into three meta-categories:
Bullshit. It’s the North Koreans! It’s the Chinese! It’s the Ruskies out to steal our essence! The one thing you can be sure of is that very few people know who is behind any cyberattack. Code analysis helps to a degree (”Hey, there are some Chinese characters in here!”) but code-reuse is not exactly an unknown phenomenon online. There is no serious attribution methodology, so to some extent everyone is guessing.
Ineptitude. There are a lot of people working on cybersecurity issues, a lot of people “managing” these issues, but not a lot of people leading on these issues. Cybersecurity doesn’t lack for brainpower; it lacks the vision, the juice and the intestinal fortitude to realize the vision. When your focus is billets and resources and dollars and org charts (read: management) it’s easy to see why cybersecurity fails. Why? Cyber doesn’t kill, it doesn’t maim, it rarely has negative impact on any scale and when it does it is almost always a readily recoverable event. Managers don’t deal with the nebulous, intangible and anything that involves “maybe” very well.
Complexity. The people at Verizon look on bemused when the military talks of achieving information-space dominance, when with the flick of a switch, a technician in overalls and a tool belt can render our digital military might inert. Attack and defense tools are built for computer-based warfare, but planetwide more people access the net with phones than desktops. There has yet to be a study that has looked at these problems in a truly comprehensive manner (read: not dominated by geezers who have other people read and respond to their e-mail). Mostly they’re focused on legacy futures, which is cool if you’re not interested in forward progress.
Cybersecurity is a real problem. It has been since computers were invented and connected to one another, but we’re no better off today than we were then. It is not as if we don’t have any lessons learned to draw from. We are in fact worse off because of the extent of our inter-connectedness, and that says a lot more about those who purport to be about enhancing cybersecurity than it does those who are out to subvert it.
[Photo: USAF]

No comments: