Why is it that the United States, the world’s clear military and economic heavyweight, is highly vulnerable when it comes to cyberwarfare?
After 9/11, many people feared that the United States would suffer infrastructure-crippling cyberattacks by terrorist organizations such as Al Qaeda. But I have been (and remain) far more concerned with the digital risks posed to our national security by rapidly developing non-democratic nations and by our failure to counter these threats.
Over the past month, we have heard stories of a virus on the U.S. military’s drone-control systems, U.S. satellites being successfully breached and a U.S. warning issued regarding Chinese and Russian hacking. Of course, the more dangerous threats are the ones about which we do not hear — or even know.
While people sometimes point to the availability of Internet connectivity in regions in which people lacked basic computers just a few years ago, the proliferation of Internet access on its own does not explain why we became vulnerable.
There are, however, several factors that contribute to the phenomenon of US weakness, three of which I discuss in this article: A transfer of knowledge away from the United States, strong incentives and opportunity to identify and exploit US vulnerabilities, and government and corporate attitudes toward innovative startups.
A transfer of knowledge away from the United States
When I attended NYU’s graduate program in computer science in the mid-1990s, the majority of the students in many of my classes were non-Americans, with a great number of them from China. Most Americans did not (and still do not) regard computer science as a glamorous profession; they did not ascribe to it the prestige that they did to fields such as business, law, medicine or the performing arts.
This phenomenon was not unique to NYU, and grew worse nationally as the IT outsourcing trend of the late 1990s and early 2000s incented American university students to avoid the computer science major and profession at the same time that it motivated their Chinese counterparts to become computer science experts.
At the time, various government policies related to cybersecurity were nonsensical. It was illegal to export certain encryption technology overseas, for example. But citizens of the same non-friendly nations to which it was illegal to export the technology could study it in our schools or from our books and then easily recreate it once back home.
While our top universities were educating foreigners, few Americans were studying computer science at any universities of note in other countries. We were transferring knowledge in one direction: out.
Likewise, when IT jobs moved overseas, and those of us in the field sounded the alarm over a decade ago, we were told that outsourcing was a healthy factor of capitalism. But capitalism does not concern itself with security or borders. We do not outsource our national defense to foreign powers — even to one that might offer the best service at the lowest cost — for just that reason.
If we want to regain technical superiority, we must incent Americans to study computer science. There is no substitute for knowledge.
Strong incentives & opportunity to identify & exploit U.S. vulnerabilities
State-sponsored hacking is a highly effective way for governments to improve militaries, infrastructure and national superiority; and it is far less expensive than research and development or classic espionage.
Besides costing far less than espionage achieved through human spies, spying via computer systems also poses far fewer risks than its physical-world counterpart. Deniability is always an option; no highly trained people are at risk; and there is far less of a threat of agents defecting, betraying their sponsor or becoming double agents.
Often the theft of information will never even be detected.
Furthermore, it is far cleaner to take out an enemy’s defense capabilities through a virus than with bombs, and the virus approach ensures plausible deniability that an air force cannot. The damage inflicted by Stuxnet on Iran’s nuclear facilities (an attack that many ascribe to the Israelis and/or our own military, but for which no one has assumed responsibility) provides a clear example.
Many people who understand dangers in the real world are oblivious to risks in the online world, and they create opportunities for cyberspying and hacking. Basic cybersecurity principles are often overlooked, principles such as allowing access to sensitive data only on a need-to-know basis, something that would likely have prevented the entire embarrassing WikiLeaks situation.
If we want to successfully defend ourselves in the 21st century, we must focus on educating our public on the basics of cybersecurity.
We must also leverage security technologies that are simple and human-friendly; systems that work the way that people think are not only more likely to be used but are also less likely to lead to confusion that produces the errors and vulnerabilities sought after by those who are motivated to hack us.
Government & corporate attitudes toward innovative startups
Aggravating the matter is a general trend by which large firms and the federal government obtain their technology from big firms with big marketing and lobbying budgets.
Standards are set by committees in which large firms or their lobbyists and lobbied officials are often overrepresented, while more innovative but younger companies are often missing.
While it was true a couple decades ago that “nobody gets fired for buying IBM,” when it comes to security, criminals and foreign powers do not care what brand of countermeasures a large firm or the US government uses: If a security technology is vulnerable, criminals/spies/etc. will breach it.
The RSA SecurID scandal of earlier this year, in which a who’s-who of large firms are believed to have been vulnerable and in which a treasure-trove of sensitive data is believed to have leaked, was an example.
When one considers that such a great percentage of major technological developments over the past decade have come from startups, the use of an outdated and politically tainted technology-selection system is downright scary.
Furthermore, in some government departments, only offerings from “preferred providers” can be purchased. In others, time-consuming and expensive certification processes are necessary in order to have a product approved for use.
These requirements effectively preclude the government from using innovative technologies and services created by smaller and younger firms, even if such offerings are the best suited for a specific purpose.
We must eliminate policies that force us to use bows and arrows, and only those from specific suppliers, to defend ourselves when our enemy approaches with machine guns.
The Department of Homeland Security notes on its website, “America’s economic prosperity and competitiveness in the 21st century depends on effective cybersecurity.”
The same holds true of our national security. Furthermore, if we do not regain top-notch cybersecurity, our policy decisions in all areas of foreign policy will ultimately be compromised by our fear of cyberthreats. We would be subject to economic blackmail, unable to assist in humanitarian crises in troubled regions where otherwise relatively insignificant warlord militias have the ability to carry out devastating infrastructure-crippling attacks on our homeland from a computer halfway around the world, and certainly unable to wage war against rogue nations threatening our stability.
If we want to remain a superpower and enjoy continued economic success and national security, we must start making changes.
Joseph Steinberg, CISSP, ISSAP, ISSMP, CSSLP, is a respected cybersecurity expert consultant and the CEO of Green Armor Solutions, a leading provider of information security software. An industry veteran with 20 years of experience, Joseph is sought after by businesses, the government and other organizations to assist them with their digital security needs. He is the inventor of several computer and data security technologies, the author of a book and many articles on cybersecurity-related matters and a frequent lecturer on topics related to IT security, technology and business. For more information, or to contact him, please visit www.JosephSteinberg.com or email firstname.lastname@example.org.