I read a thick dense book called "Future Crimes" and in it the author goes through a vast litany of areas vulnerable to cyber-hacking. Hacking, and the installation of "viruses", "bots" etc...
can range from an act by a nation-state to a low-level criminal hacker out to get some ransom.
The author made an analogy between dealing with a virus in the natural body and viruses in cyber-space.
Just as the USA has formed the Center for Disease Control to investigate and develop cures for natural viruses that threaten society, so now does society need a national clearing house to investigate and develop "cures" for cyber-bugs that are being invented daily to infect our cyber-bodies.
As it is, there is no national coordination: banks, Microsoft, municipalities, utilities, other businesses, etc. are left to defend their own systems. The level of threat and nuisance caused by cyber-crime has eclipsed anything a single entity can resolve on its own.
Our president has failed to do his duty to the country because cyber-threats "require[s] an intensive public review of what is critical to our nation’s survival. President Trump forfeited the perfect opportunity when he decided against a commission to learn the larger lessons from the 2016 election. Our politics have gotten in the way of our safety..." to quote the article.
14
Obama was a brilliant President. But like most human, he was too risk aversive. It may have something to do with his lack of real world management experience. No drama Obama was one factor for con Don’s ascendency to the White House. Obama had all the information about Don’s collusion with Vladimir, the worst thug tyrrant in the world. But he did nothing because of his risk aversion character. Now, we have a tyrrant in the White house destroying the basic foundation of our nation- the air we breathe, the water we drink, jobs and education we need. The leader of free world is considered a joke by most citizens. Obama should look at the mirror and see the damage he has done to our nation and the world.
19
Wait - wasn't technology supposed to be our savior? My sincere thanks to all the tech-heads out there (like Mark Zuckerberg) who still preach that gospel, who are driven by short-term personal return, and who act as if technology is above ethical reproach.
They have created an alternative universe, a nightmare that we all must now live in.
To be sure technology has provided great social benefits, but what good are those benefits if they can be undermined so easily?
12
Fascinating that an article about cyber-warfare elicited more comments about the failure of the internet, and its invasion of our lives, to make our lives more secure than about cyber-warfare. As long as technology and increased productivity are sacred cows, we will continue progressing obsessively towards oblivion. The last great technological revolution was the development of fossil fuel driven industrial technology, which made possible the ongoing climate catastrophe, which will worsen exponentially year by year. We evolved to be smart enough to continually develop new technologies (knowledge begets knowledge), but not evolved enough to understand (or care enough?) about the ways in which technology could amplify our destructive impulses, such that we will destroy the (lol). Climate change or cyber-crime-war-destruction, same same. Hate does not care.
6
Of course, the deranged dotard's administration confirmed last week that Cory Louie, the White House’s chief information security officer (CISO) has been fired. The CISO is responsible for ensuring the president and his closest staff are safe from cyber attack.
https://nationalcybersecurity.com/donald-trump-abruptly-fires-white-hous...
That is almost as nuts as hiring a KGB security firm to protect our Moscow embassy.
Oh dear lord, he did that too.
(face palm, head shake, sigh...)
https://www.nytimes.com/2017/11/14/world/europe/embassy-moscow-kgb.html
No collusion. None at all.
Did anyone lock the front door?
16
Good analysis. Less good on prescription. Eat right, watch your weight, take your meds. Not cutting edge. Also: did I miss it? No mention of stuxnet. Lastly surely you know the pre cyber story of Nixon and kissenger at the us embassy in Moscow holding a document up in the air so the Soviet spy cameras could get a good look at it. So what's new?
" Less good on prescription. Eat right,..."
You left out: "I will not provide my email password when requested to do so by an email."
Wonder if the writers for The Simpsons have had a John Podesta character writing that 100 times on the blackboard?
You read the treatment here first on June 17, 2018.
2
Certainly the North Koreans wouldn’t do anything like that again! Not Trump’s best buddy, that stand-up executioner Kim Jong-un! Not would his campaign manager Vlad.
4
What else is new?
Weare incompetent, lazy and irresponsible...I remeber from the dim and distant past when it was different
3
"First, the United States must significantly improve its cyberdefenses." - how does the US improve its cyberdefenses when most of the hardware are made in China?
5
Kind of ignores the fact that Clinton campaign chairman John Podesta receives a phishing email masked as an alert from Google that another user had tried to access his account. It contains a link to a page where Podesta can change his password. So what does he do?
He of course signs into a fake site and gives up his password and they access and download his emails and contacts - you can't fix stupid.
15
We are the pitiful, helpless giant that Richard Nixon blathered about 50 years ago.
2
Let's give credit to where credit is due:
https://www.nytimes.com/2015/06/12/us/politics/senate-rejects-measure-to...
2
When you think you're better than everyone else after awhile you start to believe it and when that happens you get careless, even stupid. However, when you don't just believe you're better than everyone else, and you KNOW you're better than everyone else then you become president where you achieve absolute perfection. Just ask our president. He'll be way more than happy to tell you how perfect he is. He's so perfect he was clever enough to wait until Obama, after 8 years of correcting and making up for all the stupidities of Republicans letting the banks run rampart over everyone and almost bankrupting the country with the help of George W., Obama finally got the economy on a strong upswing, and lo and behold here comes the most perfect president in history (no really, ask him - he'll tell you, over and over again) to claim the credit for it. It is kind of a shame though that since he thinks he's the only perfect creature he has no regard or respect for all the rest of us, and believes that even our children have no value, to the extent that he'll rip them from their parents and then say the Democrats did it.
9
The United States government is too busy spying on Americans to do any of this! As to corporations they don’t care. They won’t even protect their customers from petty cyber crime because they ultimately won’t be held responsible for their customers losses.
As to being the “greatest cyberpower”, that is ridiculous! Americans need to realize that in order to be the greatest you have to be more than BIG, you have to be competent, involved and successful. The fact that this article was written makes it clear that we are not “the greatest”,as Mohammed Ali would say, rather we are an over grown toddler who is bigger than everyone at the day care but still cannot tie his own shoes.
We could do all that is necessary but we won’t because our government doesn’t care and neither do our corporations. They are short sighted and focused on one thing money and right now they have soooooo much money that they’d rather spend it on CEO compensation and other perks just like some of our government officials.
14
Commander Adama may have been onto something.
4
Nothing will happen because the string have been pulled on Putin's puppet to make nothing happen.
3
So your saying for eight years the Obama administration basically did nothing? Great! Thanks Obama...
1
What has happened to the courage that allowed us to break away and form our own country? To help vanquish Hitler?
We've been anesthetized by entertainment, brainwashed by TV - we can't seem to tackle and solve anything of substance. We've become quite pathetic sitting ducks.
As I tell people, the earth will do just fine without we the people. It is we who are enabling our eventual demise in any number of ways. I do hope that human beings 2.0 have some really needed patches and fixes - 1.0 is a pretty flawed beta.
6
Quoting a world leader, “We’ll see what happens.”
6
The only way that I can see some resolve to this matter is to first admit to realizing the cannibalistic toll that unfettered capitalism has on our democracy. It makes American sovereignty susceptible to defenselessness, treason, and indecision.
While many get hung up on costs or the addition of another government agency the danger has not been mitigated, it has only grown more imminent.
It would be asinine to discuss in detail what can be done in retaliation. It is more rational to discuss what is at stake and what we can do to preserve the state. That is the only way we are going to be able to defend against cyberattacks that not only wreak havoc to our way of life but also sow divisive seeds of social incohesiveness.
10
The elites at the top are too gutless to take out our enemies. So what's new? Since WWII, have we ever destroyed an enemy?
2
All this and we have a president who want to make nice with Putin and pretend nothing bad ever happened.
3
Between the Russians and Facebook, I'm going back to a phone with a dial.
9
When the filthy rich start having their money hijacked or their businesses crippled, the cry will go out to do something.
6
Let's hope it affects their off-shore accounts first and foremost.
8
The supposed quote from "one obama national security official" was unnecessary, given the weak kneed obama administration's failures to respond at all to these existential attacks on American security.
1
long term planning is not an American strength.
the Russians, Chinese, iran and north Koreans et al will stay the course while Americans flit from administration to administration--provided trump and his minions don't come up with a plan for him to try to replace fdr as the longest serving potus.
and if people protest, trump's gaggle of goofs will tar them with the worst words unimaginable.....'unamerican!!'
6
Classified programs have it easy. No wires. None. Nothing goes in or out. That is how you avoid cyber attacks if you really need to. Much of what we have needs no connections. Example - my 27 speed biket? Nope. Nothing electronic there. How about my front porch? Or my lawn? Or my toaster? Or my TV? That is connected but its useless. How about my 18 volt drill, or my UV water purifier, my ultra light tent, my back pack, or my hard drives? The list goes on and on of stuff we need not connect. Business is no different. Get that stuff off the 'net if you cant protect it.
4
We don't respect the military global surveillance of cyber terrorism nearly enough.
Brig. Gen Clarence E. Beck, deceased, said "The best offense is a strong Defense"....when I whined about the military!
Senior Defense and Military Officers and strategic leaders live by making sure the DOOMSDAY events do not happen......unless they are constrained and hobbled by administrations and political bodies who ask them to do their job standing on one foot, hopping, on alternate Thursdays, with one hand tied behind their back. Let the cyberforces loose, before the dogs of war.
Fear is not enough to get us ready for Cyberwar.
We need a cohort of trained, cyberintelligent, strategically aligned and deployed CYBERWARRIORS.
There is a whole generation of self taught CyberGeeks at your disposal.
Not to mention many of our Wounded Warriors, who know, and who have paid, the price. Disabled, many of them can adapt to new CyberJOB functions inside the military.
"The price of freedom is eternal vigilance". Jefferson
1
Outstanding article.
Obviously,requires immediate action
"there is no radar"
How can US prevent a cyber Pearl Harbor?
Mr. Sanger and his sources have some answers.
1
The greatest threats come from Russia and North Korea. Trump is infatuated with the despotic leaders of these countries, and will appease them rather than protect us against them.
Trump’s failure to act is clearly the sort of “high crime” that calls for impeachment. Our flaccid Republican congress won’t do that, so we will remain sitting ducks.
2
We almost thought the Internet was the Messiah. Instead, and as happens so often with would-be Messiahs, it turned into a Golem.
Or, to change and mix metaphors, into a colossus with algorithms of clay.
Greed blinded nerds. Greed people who benefited from nerds' inventions. And today we realize we erected mountains of vulnerabilities.
Let us hope the reckoning will not be too costly.
1
Why would hackers be afraid of America? The American President is their best friend and their lapdog. He needs them in order to survive politically. Hackers don't fear America because they own America.
1
Kind of amazing that the "two huge cyberattacks" cited in the lead paragraph DON'T include the 2016 Russian hacking of our political process and very probably our election balloting itself! (That "old news" is related to a mid-article paragraph)
If the Russians -- apparently in cahoots with Trump and his minions -- can hack the US election system with impunity and get away with it, WHY should they (or any black-hat hackers) be "afraid of the consequences"?
They did it and got away with it. QED
1
The US does have some systems that are highly resistant to cyber attack. To describe, much less name them, would expose them and call attention to some novel technology.
They are not systems that scale. So, not solutions that the "user population" (business, individuals, and "public" functions of the government) could employ. Their architecture is an admission that you cannot build systems that are both fully secure and accessible to large numbers of "non-trusted" users.
That said, less technically advanced solutions exist. Are well known, and well tested, but not deployed because of cost. The IT budgets of corporations would need to double, and the cost is beyond the reach of smaller companies to deal with APT, or Advanced Persistent Threat, as it's labelled.
1
Private corporations will not 'double' their IT, ever.
Cuts into their bottom line profits. They don't care.
3
There are some good examples of intelligent systems being put forward in the real world. Compare Apple and Microsoft. Windows was always software junk. Apple is totally solar powered. I live in a state with paper ballots and recounts that work. We need intelligent informed voters to elect people we can trust to protect us from political hacks. We should all be watching as poorly educated voters elect reactionary politicians. We are losing our grip on reality, but this can be corrected by an informed electorate that will help us move into the future. I enjoy new technology like Apple and Netflix and Kindle. All good for my brain.
2
Sounds like the world needs to come to an agreement similar to nuclear and biological weapons.
Back in 2015, Chinese hackers grabbed the sensitive information of thousands of people who worked for the federal government, including social security numbers, fingerprints and the same sensitive info. of their spouses and kids. Don't count on the feds getting much right about this.
2
Missing from this informative piece is that fact that the RepubliCONS will never be convinced to pony up the money it will take to improve our defensive's across the board. They will make their usual whines about Social Security & Medicare plus Medicaid and how unfair it is to ask rich RepubliCONS to make a fair share contribution to the Nations defense. Always party before nation with those guys.
The only way out if this mess is to vote them out all across the board. Especially the now homeless conservatives that will try to write in some candidate of the Never Trump club rather than do the right thing and vote for the Democrat.
Throw the bum's out. They are not only social bores but are very dangerous to all the rest of us. Resist anyway and every way you can.
4
State sponsored hackers will be directed to go after our election system or power grids. With them, a threat of a counter cyber attack or some sort of Geneva convention is worth a try - better than doing nothing!
But how about the criminal hackers who just want you to send some money? Our law enforcement has proved to be ineffective in stopping drug smuggling, it is unlikely they will get these secretive hackers, foreign or domestic. Especially if the foreign police force hates Americans!
Internet started with DARPA, with the goal of making of communications system safe in the event of an enemy attack. The unintended consequence and irony is that it made us more vulnerable!
1
We have become a paralyzed country thanks to GOP and Trump. Can't make any decisions, can't create any strategy for anything. After 9/11 we used to see bumper stickers saying "United We Stand". Now, divided and paralyzed, we began to fall. What 9/11 couldn't do we did it to ourselves. Feel sorry for
4
The idea that we do not engage in cyber warfare should have been discarded at least by 2013 when Snowden revealed what our government has been up to for years.
1
You say, "President Trump forfeited the perfect opportunity when he decided against a commission to learn the larger lessons from the 2016 election."
Is this part of the policy to make Make America Last Again?
1
We need to build redundancy. If one system is penetrated, another can take over. Redundancy goes even so far as setting up non-digital operational frameworks in some cases. It also means camouflaging these in-depth defenses. Our goal should be a resilient America.
6
If most of the grid goes down, the USA is toast, in days! Most people have three days of food, and store shelves would be bare in hours as seen when natural disasters hit. Water, lights, Civil order are also gone for most.
People think they can prep for this, well who would want to live in a mad max world?
I call my Congresswoman weekly about paper ballots, weekly. No response.
11
Our election system is at risk. Repeat: Our election system is at risk and has been since the 2000 election. For reasons beyond rationality, more than 129 million Americans cast their votes on insecure voting systems (33 different kinds) built and maintained by private companies using proprietary software that have proven to be hackable. In 2016, even the primary vote tabulation software company got hacked. This is beyond shameful and makes a joke of the ideal that our votes are sacred and we have a representative democracy.
12
Building protections against cyber-warfare (to quote the article) "requires an intensive public review of what is critical to our nation’s survival. President Trump forfeited the perfect opportunity when he decided against a commission to learn the larger lessons from the 2016 election. Our politics have gotten in the way of our safety."
The president and his GOP are guilty of something...given the facts of cyber threats.
It is a failure of duty to the constitution to "protect the general welfare" of the country by not doing anything.
Does this failure to act measure up as an act of treason...given what we know occurred during the 2016 election cycle?
The USA was attacked. Our intelligence community has said Russia interfered in the election and President Trump doesn't want to know how or why. On its face, this refusal to investigate is a dereliction of duty. Cause for impeachment.
2
This is why I always chuckle when reader's comments exalt to us to 'get out and vote'. As if our votes are truly counted. Younger, more techno savvy adults know this and this is why they are apathetic and don't bother voting.
2
One simple measure would be to take processes off the grid that don’t need the internet to work. Elections should be run with paper ballots and hand counting. Medical facilities should have entirely local networks with air gaps between diagnostic equipment and computers running email. Sure it will cost, but much lower than the cost of doing nothing.
22
Agreed. Critical secure infrastructure is a national security issue:
ttps://www.usnews.com/news/best-states/texas/articles/2017-03-12/states-scramble-for-funding-to-upgrade-aging-voting-machines
https://www.cnbc.com/2018/02/14/reuters-america-update-2-u-s-democrats-p...
The Insecurity of America's Old and Underfunded Voting Systems www.npr.org/programs/fresh-air/2017/07/20/538312289/fresh-air-for-july-2...
Uncounted: The New Math of American Elections
https://m.youtube.com/watch?v=pisBdNLmo-A
https://boingboing.net/2017/07/30/voter-hacking-village.html
https://en.wikipedia.org/wiki/Premier_Election_Solutions
2
When I worked in an IT department of a software company, we had a picture on the wall with the caption "Network Security Tool." It was a diagonal cutter snipping an ethernet cable.
1
While chilling, this article underestimates the scale of the problem. State actors are a risk, but the greater risk is large, decentralized networks of hackers, operating asymmetrically for small profits. There appears to be very little we can do about this. Trying to make devices secure is a placebo, like making passenger cars secure against roadside bombs: the engineering required would make the devices unusable. The Internet is like the road to Baghdad Airport, except that its much harder to defend. What can America do about this, acting alone? Nothing. It requires a global alliance: a rules-based international system that works multilaterally to plan peace. Shame, that.
8
I would like to comment on this sentence of an otherwise rather well-balanced article which exploits fear to retain the public attention on an important topic:
“One way to start is to make sure no new equipment goes on the market unless it meets basic security requirements.”
As an information security professional who has been working in the field for the last twenty years, I don’t believe a split second that there would be any move to enforce what Mr. Sanger suggests. There are tons of new equipment entering the market on a steady basis and they serve an extremely wide range of needs and businesses. With the advent of Cloud infrastructures and IoT devices, time-to-market is of the essence and comparing a life-and-death device such as a car with say an Internet-connected fridge is a long stretch. But if we ever want to implement Mr. Sanger’s recommendation (which was voiced by our community since 1999–2000 with no success), we need to rethink an important aspect of capitalism and the way to conduct business.
Are we ready for that?
27
The column reads like the US is always the defender . But considering that the US is the most active nation by far in the use of conventional weapons, it hard to believe that we are not active aggressors in the use of cyber weapons.
When the world adopted the internet for virtually all significant communications, it was like building a city in the middle of a flood plain, and giving everyone a key for controlling the flood gate.
12
A Geneva Convention on cyber weapons would be ineffectual as long as the attribution problem cannot be solved in real time.
Look how difficult it is to enforce the convention on biological and chemical weapons in Syria, where it is difficult or impossible for monitoring teams to determine who launched an attack (and Russia had a veto on the Security Council).
6
Flip the logic around. A thief could get into most people's houses in seconds, yet we fret about patching our computers more than our door locks. Similarly, much of our power infrastructure could be damaged far more easily in person than via internet tools. Real word espionage is still a real thing.
With computers, there are economies of scale that do add vulnerabilities. But, as others have said, we have lost too much padding in the quest for efficiency. If a factory can't run without supplies for a few days, if the grocery stores empty too quickly as do your cupboards, or if you can't survive without access to your bank for a couple of weeks, then that's a problem. And, it's not just a cyber-warfare problem, it's a problem with basic preparedness. Sometimes, bad things happen. You don't need to go all "prepper" but there should be a basic amount of common sense in keeping reserves.
No cyber-attack to date has caused significant permanent damage. They are annoying, sometimes even costly, but compared to an actual war they have been pretty insignificant. And, like war, a great deal of money can be wasted in trying to build defences that are easily bypassed. Again, there is common sense. Perhaps money and time is better spent on preparing to deal with the consequences than in trying to prevent them, flexible reserves rather than fixed fortifications. That same preparation for quick recovery also works for a host of other real-world problems. Money much better spent.
6
No significant damage?
Sure, if hospitals continue to pay ransom.
And some of my Democratic friends consider doing anything that helped elect Trump to be significant damage.
5
"Our politics have gotten in the way of our safety."
No kidding.
The US is spending $700 billion a year on its military. The Russians and the Chinese together don't spend $150 billion on theirs. So for geographic reach and for weaponry, they are not our equal: The Chinese have one aircraft carrier, a boat they refurbished out of a Soviet-era carrier they bought from Russia.
But what are the Chinese and the Russians spending on cyber weapons and security? They are our equal or possibly our superiors in that area.
This has echoes of the old saying, while we look back and try to prepare to do a better job of fighting the last war our adversaries are preparing for the war looming in front of us.
29
What you point out is that the Chinese and Russians (and North Koreans) rightly figured out cyber warfare was a much more intelligent investment. And they've been exploiting exposures by conducting test runs here and there. Like the 2016 election.
7
Once again what I find disturbingly significant is how few people -- judging by the number of comments and Recommends and that the article has been on the Home Page all day -- seem to find this extremely important subject worthy of their time. Sadly, it may take an internet connected, explosives-laden drone flying into the Superbowl to get people's attention.
11
This otherwise excellent article ignores the most basic point: the internet not only is insecure, but cannot be made secure, or even transparent and private. Our fundamental problem is not primarily the ill intentions and capabilities of Russia, China, North Korea, and myriad private actors. Rather, it is that we have allowed ourselves to become vulnerable, our leaders and the public in general swallowing the marketing Kool-Aid of "security" espoused by profit-defined corporations with no allegiance to America, their corporate rhetoric notwithstanding.
Our military command-and-control systems, our electric grid, our health networks, and our financial system, as well as all our personal gadgets, are inherently vulnerable, and as long as they are connected to the internet directly or indirectly, will continue to remain so. In addition, inasmuch as almost all our chips are made abroad, we are vulnerable to whatever code foreign governments, adversarial or not, may have embedded within those chips to be activated for military purposes, espionage, or blackmail.
Yes, we certainly need to maximize our capabilities at securing internet-related vulnerabilities. However, unless we begin the enormous task of disconnecting essential functions from the internet, we are merely playing Sisyphus. To do this will require both leadership and popular support America has not seen since the Apollo Program.
Not all technological innovation is progress, as we should have learned from nukes.
15
Don't forget phones and computers made in China.
1
An Internet connected device could be made private at a severe cost in flexibility. Every device on the net has a name called an IP address. IP address is determined by the point where the device connects to the internet. A service provider is allocated a pool of addresses. For some connection types, the IP address is semi-permanent. It remains the same for many days. If a protected device had a list of "friendly" IP addresses, it could ignore traffic from unknown devices.
The main flaw of this scheme is that few IP addresses are truly permanent. If the connection between a device and its service provider is interrupted, the pairing between the device and an IP address is lost. The re-established connection will probably have a new IP address. Privacy is vulnerable until the friends list in the protected device can be updated (probably via long distance voice call).
1
But the potential for escalation caused Mr. Obama and his top aides to reject the plan.
“It was an enormously satisfying response,” a senior American official told me later, “until we began to think about what it would do to the Europeans.”
Bearing in mind that "what it would do to the Europeans" is probably not high on Mr. Trump's list of worries, perhaps this is indeed the best time to implement a strategy and policy of cyber deterrence.
"We need to explain to the world why we have cyberweapons, what they are capable of and, most important, what we will not use them for."
This does not sound like deterrence to me; it sounds like and invitation to hackers to keep on working.
2
OK, so the Russians got into the White House, the State Department, and the Joint Chiefs of staff, but were unable to crack a single vote in our election system? I think our inability to speak of our vulnerabilities goes even deeper than this article discusses. And the consequences may already be upon us, and impossible to undo.
10
Unable to crack a single vote in tne election? You're making a joke, right.
https://www.usnews.com/news/best-states/texas/articles/2017-03-12/states...
https://www.cnbc.com/2018/02/14/reuters-america-update-2-u-s-democrats-p...
The Insecurity of America's Old and Underfunded Voting Systems www.npr.org/programs/fresh-air/2017/07/20/538312289/fresh-air-for-july-2...
Uncounted: The New Math of American Elections
https://m.youtube.com/watch?v=pisBdNLmo-A
https://boingboing.net/2017/07/30/voter-hacking-village.html
https://en.wikipedia.org/wiki/Premier_Election_Solutions
1
This article takes as a given that the US has not been using cyberweapons too, except for the one example against Iran. It further takes as a given that their is a list of targets the US would not hit, that all can agree on.
The attack on Iran was too extreme to ignore. It also was not alone, and that is just with what was admitted in the Western press. We've smiled and "not claimed" similar attacks on North Korea, and more attacks on Iran.
The US runs no intelligence operations via cyberwar on the Chinese or Russians? In the War on Terror against anyone and everyone? We were exposed doing it to the German leader's phone, our "friend."
Cyberweapons are not just developed here, then kept in storage to be stolen. They are used, and when used are delivered to the target in operational form, so that if understood they can be shot back at us like cannon balls or arrows of old.
The problem has us as a large part of it, not just our fears but our actions.
11
I completely agree with your post.
One "large part of it" consists of every internet access router, smart TV and soon-to-be "IoThing" in our private households.
The separation of critical infrastructure communication from "everyone's internet" (physically, not only virtually by cryptographic methods) will be essential to protect critical infrastructure in the near future. Authoritarian countries might have an advantage to do this - unfortunately.
(BTW: if I were trying to post this from such country - NYT's servers would not accept the post, but they'd still let me read the content - Thank you honestly NYT!)
Simple fix: don't connect any vital systems to the internet. Why are they connected anyway, the only reason can be convenience.
10
The grid?
The Grid?
HAH!
It is to laugh.
Forgrt about the cyber.
NO one is worrying about hardening the electrical grid against attack. Proposals are periodically floated in Congress about protecting the grid from either EMP or a coronal mass ejection, which periodically happens already- arguably the most fundamental things we should be worrying about (because if the electricity itself goes down we certainly don't have to worry about the eventuality of cyberattack, because you gots ta have eeelectricity for one of those) and each and every one of those has always been shot down.
so, re: that cyber - good luck with that...
5
' “ 'It was an enormously satisfying response,” a senior American official told me later, 'until we began to think about what it would do to the Europeans.' "
Well we certainly wouldn't want do anything that would harm Europeans. Way to go Obama. That's showing them, just like that red line in the sand.
The hacking of the Democrats' mail servers was very unsophisticated. The spear phishing attack has been around for years. It sounds like the sophisticates at Hillary's campaign didn't get the message.
1
Are you sure about your interpretation of the quote about the effect on (us) Europeans?
1
Let me guess, by extension your crowing about the technological prowess of our Luddite in Chief President Trump. Since the pitiable Democrats are so lame I would expect the Republicans to step up and get the job done. MAGA, MAGA, MAGA Jp
1
@c. brown: "Let me guess, by extension your (sic) crowing about the technological prowess of our Luddite in Chief President ."
Nope, just the incompetence of Obama when it came to keeping our country safe.
All these can't help but reminded me of the trope that was being crowed loudly by liberals - that democracy is essential for innovations. Well, here we are, innovations in cyber-capabilities from all those non-democratic, poor oppressed, freedom-deprived masses yearning to be free! What is there to fear from these people? After all, they don't have democracy, isn't it?
To paraphrase a verse from the Bible, it is the blind worship of democracy, not democracy itself, that is the root of all evil.
1
For a eyeopening read on the attitudes toward the start of hacking, read Clilff Stoll's book "The Cuckoo's Egg" 2006. The attitudes remain in many places.
3
Our federal government is out of commission. Our cyber infrastructure is composed of private and public players that come together for many different reasons, not all of them dependent upon the federal government. It's long past time for the complaining to stop and the problem solving to begin. We have huge problems that affect us all, we are not dependent upon feds alone to fix or define them. There are other players that can be engaged; there is just too much at stake to waste time whining about the feds.
9
read @winthrom for a solution please
No, hackers aren't afraid because the population is technically illiterate. There will always be a path to unauthorized access because people use technology blithely without even the most basic understanding of it.
If you want to make critical systems more secure drastically reduce the sophistication of technology people have access to.
5
A good place to begin is in the private sector by imposing strict liability upon corporate systems that are hacked and cause harm, if it canne shown that there was negligence upon the part of the various corporations.
9
Until Congress passes a law that holds companies and the providers of the software and network equipment involved financially liable for lax/non-existent computer security the U.S. and other countries will continue to have their computer/network systems attacked. What's aggravating about this situation is that computer security is well understood and has been for several decades but implementing it takes action on the part of the companies to do something about it. Unfortunately, until companies feel some serious financial pain as a result of computer breaches they will prioritize this issue low on the totem pole.
15
DCI Bill Casey saw this coming. He spoke of this stuff years before. OSS training helped. SEC exposure was vital.
Securities markets run on software.
Think what would happen if a train tunnel under the East River blew. Water, salt water, wound enter Manhattan’s underground vaults and tunnels
The financial system is as vital as the grid.
2
Hackers are not afraid of us because even our own national security and law enforcement agencies push for and enforce technical back doors to all equipment so that they can access. But hackers can access those doors too.
They criticize Apple and others for hardening their devices and software that would make many more people safer than vulnerable. Makes you wanna cry.
As long as Russian hacking gets trump and Republicans elected, nothing will be done.
19
No its not our politics that got in the way of our safety it is the Republican party. Let's be clear about that.
13
There will come a time in the not so distant future when strategic assets like the power grid, financial systems, government classified assets will have to be taken off the world wide internet and closed off into segregated closed loop networks that are impossible for a foreign actor to penetrate from the internet. It's ironic that the same government that invented the internet will have to be the one to amputate some of its appendages. There is no other known way to make systems invulnerable to unauthorized penetration.
8
Even air-gapped systems can be hacked - it just requires things such as physical access to the equipment.
On a side note - imagine a future where all financial transactions are handled electronically, and all records are stored electronically. Then, imagine a piece of malware set to scramble all that data.
More insidiously, imagine software that could be used to fake illegal payments to a politician that the hacker wanted to compromise - routed through that politician's opponent's prominent supporters' servers. Pretty disruptive - especially if there were also real bribes to that politician.
2
The threat to humanity from these weapons is frightening. Compared to weapons of nuclear terrorism, the threshold for cyber-terrorism is much lower, making them more dangerous for us. Remarkably, humanity is paying through taxes the cost of producing these weapons -- the cruel irony -- with these weapons, the wolves grow stronger, and the sheep weaker.
Of all the governments funding cyber-terrorism, as was the case with Fat Man and Little Boy, I am not surprised the U.S. government is expending the most.
But I am amazed so many commenters want the officials, who developed then lost control of their cyber-terrorism weapons that threaten humanity, to do more, more.
6
Cyberthis, cyberthat. Can't someone come up with another prefix to put into rotation? It gets cybertiresome very cyberquickly.
4
"But the potential for escalation caused Mr. Obama and his top aides to reject the plan..."
Huge mistake. The only protection is credible and effective retaliation. Not only against the hackers but their sponsors, the cities and networks they are operating from. You catch a Russian - shut down and sanction his provider.
1
Fascinating article, but it makes all kinds of fantastic assertions without citing any evidence. That’s the problem with cyberweapons — you can never know whom or what to believe, including many of the statements of “fact” in this article.
4
Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere
The ceremony of innocence is drowned;
The best lack all conviction, while the worst
Are full of passionate intensity.
W.B. Yeats
13
We have a Russian plant as president who appreciates the foreign help. Yes, we are in an existential crisis.
14
This piece talks a lot about what other people can do to reduce the risks from cyber attacks (nation-to-nation negotiations, reveal the US’s cyber secrets, etc) but not what individuals can do.
For starters, every citizen who has a computer and an email account should use Multi-factor Authentication(MFA) and should demand that their employer, bank, and all other web properties use MFA. If your bank doesn’t offer MFA, move to one that does.
Second, everyone needs to understand the psychological manipulation that occurs to get an attacker “into a system.” Cyber attackers are first and foremost scam artists, and when they send an email that’s too good to be true or emotionally provocative you should be able to recognize that.
Third, all of us have been trained to beware of physical attacks. How many people leave their car unlocked on a city street or invite a stranger into their home and let them look around. We know how to protect ourselves in the real world and yet for some reason go online and quickly give away just about everything.
Just about every attack on a hospital or government agency or whatever starts as an attack on a person (or a misconfiguration). That’s all of us! Why do we keep waiting for “the system” to save us from a massive cyber attack when we can take steps to protect ourselves as individuals right now?
11
The internet was invented as a survival method of communication in the event of a nuclear war, having the ability to re-route signals in the event that a great many individual routes were destroyed.
That concern has now been superseded by the desire to have the ability to control access in an absolute manner. That is, the ability to destroy the facet of the architecture that makes access possible.
2
So long as a Russian mole inhabits the Oval Office, no serious effort at hardening our cyberinfrastructure will come to fruition.
23
“President Trump forfeited the perfect opportunity when he decided against a commission to learn the larger lessons from the 2016 election. Our politics have gotten in the way of our safety.”
Hmmm...now why would he do that? Wouldn’t have anything to do with that collusion he so vehemently denies, would it?
8
We also need different ways to deal with state sponsored vs commercially driven criminal cyberattacks.
2
For far too long, going back to Clinton, Bush, Obama and now Trump, we have ignored the "new nuclear" of cyberwarfare. Our CIA, NSA, NRO, DOD, all our Defense contractors - outmuscled by 20-something brilliant hackers in Russia, China and North Korea. Tragic. You called us incompetent in this area.
I would say our Presidents, and Military and Intelligence agencies have been derelict in their duty to protect the United States of America.
First, keep secret the failures, never brings about the necessary scrutiny required for the American Citizen to get behind a truely large scale Manhatten Project/Man_on the_Moon sized effort.
Secondly, we need to reprioritize: Get all the way out the Middle East. Cut spending to Middle East nations - all of them in half.
Third, we clearly need to merge any and most of the brilliant minds in Software/hacking/cyber:
1. Make DARPA strong again - given them $25 billion dollars.
2. Overcompete with Silicon Valley for brilliance - figure out how to get those smart programmers of Apps and Games, to work to protect America
3. Enagage and take full advantage of what Microsoft, Apple and Google know that helps National Security. - We are as much at WAR as we were in 1941 - when Ford, GE, GM all stepped into the WAR effort.
We can whine, or we can take action.
1
The author writes “because our government has been so incompetent” our secrets have been stolen. Yes, under Obama foreign government agents worked tirelessly with no deterrence to rob our blind. No deterrence. No organized defense. He gave us “Hope”, but no action or defense.
1
The first law of avoiding bad actors is don't be one. But this only spotlights the contradiction in digital technology: open standards, out sourced and off shored manufacturing. And the further contradictions in American enforcement: its your data until your cell phone's sim card is implicated in a crime and then its manufacturer divulges the back door. An internet of things seemed like a good idea, but then someone had to weaponize it.
4
Donald Trump and his operatives gave away the keys to America’s computer networks starting in the middle of President Obama’s first term. He forced President Obama not to respond to any cyber attack. It allowed trump to steal the election. Trump is now ensuring that the Russians, Chinese and North Koreans can divide up and conquer the United States—and there is no way to stop it.
5
On recent evidence, looking to government to develop and action a cybersecurity strategy to deal with this imminent nightmare is almost laughable. The Military-Industrial Complex is only interested in offense as that is where the money is, and realistically the only defense is either Mutually Assured Destruction or complete disengagement with the Internet.
Perhaps Jared can add it to his portfolio of responsibilities.
9
To do what is necessary will require leadership and popular support America has not seen since the Apollo Program.
The article ignores the fundamental point: the internet not only is insecure, but cannot be made secure, or even transparent and private. Our primary problem is not the ill intentions and capabilities of Russia, China, North Korea, and myriad private actors. Rather, it is that we have allowed ourselves to become vulnerable, our leaders and the public swallowing the marketing Kool-Aid of pretend security espoused by profit-driven corporations with no allegiance to America, their rhetoric notwithstanding.
Our military command-and-control systems, our electric grid, our health networks, and our financial system, as well as all our personal gadgets, are inherently vulnerable, and as long as they are connected to the internet directly or indirectly, will continue to remain so. In addition, inasmuch as almost all our chips are made abroad, we are vulnerable to whatever code foreign governments, adversarial or not, may have embedded within those chips to be activated for military purposes, espionage, or blackmail.
Yes, we certainly need to maximize our capabilities at securing internet vulnerabilities. However, unless we begin the huge task of disconnecting essential functions, we are merely playing Sisyphus, the rock destined to eventually roll over us. Again, to do this will require both leadership and popular support America has not seen since the Apollo Program.
3
Articles such as this one always raise a fundamental question for me. Why is essential infrastructure connected to the public internet and thus reachable by anyone from the Chinese government to Russian teenaged hackers? If their function is so critical, surely private networks can be constructed if they do not already exist. In many cases, the internet connection provides little more than the convenience of enabling staff to access the systems from their homes or other remote locations. They might have to come in to work more often, as they have had to in the past.
If it can't be reached, it can't be accessed. I would like to think that nuclear facilities, for example, are more than just a few IP addresses and security locks away. If they are actually secure, then so could our power plants and financial systems if we cared enough.
14
With all due respect this comment does not reflect the difference between an Internet connection and a telephone circuit. One is a direct physical link between two voice devices and the other is the entire theory that created the internet, multiple paths between two connected nodes. To construct what you are suggesting would require hard wiring a separate connection from business to home and a separate connection for everything else. This would be a huge leap backwards in technology. And what happens for those workers that travel? A workable solution is to continue to develop Virtual Private Network technology. Increase our knowledge of network technology to everyone. Create software that is more network alert and easy for everyone to use. The solution is in more transparency and more rapid response when the government detects attacks by notifying the public and by forcing large businesses to make attacks public in real time.
In regards to the electric grid the computers that control the equipment are not connected to the Internet. The enemy continues to use Social Engineering to elicit a response from an engineer.
4
So, around this issue, the problem of the United States isn't its toughness, says the author - it is our lack of strategy.
I'm not so sure. It strikes me that if Trump and the Republicans believe they benefited from previous Russian cyber-interference in our last election and will benefit again, their strategy is simply to maintain the status quo. After all, they're in power all across the board in the federal government. From their point of view, if it ain't broke, why fix it?
9
One does not fight wars in silken gloves. There should be a means of making the hackers' machines explode by remote control. This would probably be -- at least for some time -- an effective deterrent to cyberspace crime.
1
That’s not Due Process! What kind of Justice is that? Everyone must be provided with lawyers and have a free, fair and open trial. To punish someone there must be evidence beyond any doubt whatsoever. 100% certainty of guilt or the accused must go free. It’s our constitutional system.
2
Let's create a cabinet level Department of Cyber Security.
To avoid adding ANOTHER Department to all of the ones we already have, we could devolve other departments to agency status. For example, the agriculture department's functions could be spread among Labor, Commerce and HHS.
Transportation's functions could devolve into agencies with HUD, Labor, Commerce and Interior.
If our nation was attacked with conventional weapons there would be no question the DOD would protect hospitals, public infrastructure, homes, businesses, power plants, ships at harbor.
The creation of a cabinet level Department of Cyber Security would leave no question as to whom the government would protect in a cyber war.
Think about all of the tech savvy millenials who would flock to government for a chance to match wits with a Putin or a Kim, "playing" the biggest "game" of all.
1
There appears to be a fundamental flaw in the approach of the United States towards cybersecurity. First, guys with white hats (e.g. the FBI and NSA) should be able to go through everyone's computer systems and data. Second, the guys with black hats shouldn't be able to. It is necessary, but maybe not sufficient, that the United States support and demand that everyone can have systems that are unbreakable. Until the U.S. can't break systems, one can be quite confident that other countries will be able to break them as well.
4
>>>"First, guys with white hats (e.g. the FBI and NSA) should be able to go through everyone's computer systems and data."
They mostly can and routinely do. It's good that you approve.
>>>"Second, the guys with black hats shouldn't be able to."
Well, I suppose that would be nice, if it were achievable -- and if the good guys and bad guys would just agree to wear their assigned hats.
>>>"It is necessary, but maybe not sufficient, that the United States support and demand that everyone can have systems that are unbreakable."
"Necessary" or not, it is impossible, no matter who "demands" it. Cracking is almost always ahead of the security measures intended to prevent it. That's sort of a given.
It would probably be a good idea to consider other approaches.
The problem is a known exploit will always find its way into the hands of the black hats. We can’t allow the nsa and fbi exploits to even exist.
I believe the claim like this one has become the cause of our many pitfalls. Ever since one can recall, we have been saying we are the richest country in the world. So we started doling out foreign aid indiscriminately and at the same time making concessions on trade and commerce matters. And why not? What's it that the rich cannot afford?
Then we said we are militarily the most powerful country in the world. So we started participating in every war, even in distant civil wars that did not affect us. Or in the internecine conflicts with no international angle to them.
Now, of course, we claim to be the superpower in new technologies, especially in computer software technology. My fear is we can fall asleep on the wheel here, too. If we have the technology to counter or discourage meddlers in our domestic affairs, let's use that to defend ourselves from adversaries who do not wish us well. I hope we are not just deluding ourselves in this area, too.
5
This otherwise excellent article unfortunately ignores the most basic point: the internet not only is insecure, but cannot be made secure, or even transparent and private. Our fundamental problem is not primarily the ill intentions and capabilities of Russia, China, North Korea, and myriad private actors. Rather, it is that we have allowed ourselves to become vulnerable, our leaders and society in general swallowing the marketing Kool-Aid of "security" espoused by profit-driven corporations with no allegiance to America, their rhetoric notwithstanding.
Our military command-and-control systems, our electric grid, our health networks, and our financial system, as well as all our personal gadgets, are inherently vulnerable, and as long as they are connected to the internet directly or indirectly, will continue to remain so. In addition, inasmuch as almost all our chips are made abroad, we are vulnerable to whatever code foreign governments, adversarial or not, may have embedded within those chips to be activated for military purposes, espionage, or blackmail.
Yes, we certainly need to maximize our capabilities at securing internet related vulnerabilities. However, unless we begin the huge task of disconnecting essential functions (at the very least), we are merely playing Sisyphus. Sooner or later the rock will roll over us. To do this will require both leadership and popular support America has not seen since the Apollo Program.
34
You’re right, the article doesn’t explicitly state the heart of the problem - the internet is and will always be insecure. And it connects pretty much everything.
The problem is that businesses and government have built huge systems and databases that have the internet as a common thread. Maybe this requires us to take a step back and do some things the old-fashioned (pre-internet) way - but the best way to firewall a system is to not build a gate in the first place. Yes this claws at the very notion of “the cloud” and all the productivity and cost-savings benefits it provides - yet if it can ultimately be destroyed, what good is it?
I’m not a technician, but firewalls without gates (meaning they don’t touch the internet) may be a partial answer. If it’s even plausible.
Would love to hear any other ideas out there.
2
Hey Joe, thanks for engaging with this. We live in a time when we have been conned into believing that all technological developements are progress. We had a chance to pause and think things through after the developement of nuclear weapons, a period when science went from an essentially international, academic activity to a national corporate and government activity. Unfortunately, we did not avail ourselves of that opportunity. And now most people are perfectly willing to ignore threats to their security and privacy for a little convenience, essentially selling their souls for chump change.
As Mr. Sanger states, the creation of Stuxnet and other 'weapons' simply provided a how-to primer for anyone paying attention. And was DARPA's trunk system laid out in the 80s really designed to be secure by today's standards? Well, we're here now.
1
To win THIS war against nation states we will need to build highly effective and hideously nuanced weapons that can detect who is using similar weapons on us and inflict specific and proportional harm on THEM, while neutralizing their ability to cause us further harm. In the case of individual actors, we may have no choice but to reliably exterminate them once we find them, because they will have no proportional assets we can threaten in a way that offers a sufficient disincentive for them to harm us catastrophically, even in simple revenge.
In Mr. Sanger’s view, this means replacing our electrical grids with one cyber-hardened analogue; hardening endless systems on which we depend, from distribution systems that feed our nation, to power systems, to banking systems to hospital networks – endless systems that allow us to LIVE.
What we’re talking about is many trillions of dollars of expenditure – Sanger himself was too frightened to truly quantify this – and we simply … ain’t got it anymore, if we ever did.
We’re extremely stretched paying for our healthcare and all the elements of our social safety net; and Europeans are far MORE stretched because their own social safety networks are more robust than ours. It’s highly questionable that we can assemble the political will necessary to dedicate such immense resources to a purpose that doesn’t directly feed a person or keep his health tended to – regardless of whom we elect.
1
It could require (far) less net-greater money to fund a single-payer healthcare system that offered robust healthcare to EVERY American and adequately pay every provider for his or her services.
I don’t believe that we can do this, at least not piecemeal, as Mr. Sanger suggests we must.
We need to step out of the box. One way of doing that could be to acknowledge that we cannot afford the freedom that an unrestrained Internet offers, in the teeth of threats that creative INDIVIDUALS can mount, forget about nation states with vast resources. Government may need to take it over, directly protecting not the individual vulnerable systems targets knit together by it, but the medium by which threats are introduced. Doing all that still would be expensive and require political will, but it starts to look manageable this way, while Mr. Sanger’s way does not.
Douglas Adams, who authored the hilariously satirical series of novels based on his “Hitchhikers Guide to the Galaxy”, had much of intergalactic wisdom provided by that useful reference tool – the actual Hitchhiker’s Guide, which told you pretty much everything you really needed to know about anything in the galaxy. He suggested that the Guide was so popular because on its cover were displayed the words “Don’t Panic”.
3
Maybe being a "cyber superpower," as is the case with superpower status in various other areas, is a double-edged sword and not inherently the best possible choice for the welfare of citizens, generally.
Are we permitted to consider such a question, or would that be impermissibly "unpatriotic?"
Also, might we be so bold as to consider the possibility that networking and internetworking everyone and everything conceivable may not be the most brilliant idea humans have ever had?
4
With freedom comes risk. Government's must protect those freedoms. 2016 was significant for Russia's testing of Western resilience to cyber attacks, yet our governments have chosen to deny and hide the scale of what occurred and our current vulnerabilities.
Trump clearly does not help matters but neither does the UK's "behind closed doors" system. Two years after proven Russian influence on our Referendum, we are facing a ghastly EU exit and lonely future. Democracy is failing because the elected run in fear. Both our countries are ruled by the 35%. Older, soon to die off voters, one's who are unthinking, who want yesterday's world but never stood their ground at the time of radical change.
Sure it's dispiriting. Where our respective countries are, is the worst of all worlds. A sort of no man's land for the more liberal and compassionate among us. Do I care about the mining communities in Wales and across the UK that were destroyed? Sure I do. Am I angry? Yes. Where are our shipbuilders and steelworkers? Gone in a Thatcher purge. Have I forgotten? No. Can I change that? No, but I can change the future for the better. I only wish the 35% who voted in 2016 could see that their vote mattered for all our futures.
5
All very good points. What stood out to me is the power that 35% yields. Luddites all who simply can’t face the inescapable nature of change. But they stand together and minority or not, that gives them power if the other 65% fail to coalesce or worse, fail to vote. Because that 35% ALL vote.
3
Are our major ISPs listening? Nope. It would cut into their bottom line if they had to pay for a more secure system.
11
I just finished reading the Bill Clinton/James Patterson book. It was a great read but also a terrifying one because it was completely believable. It makes you wish you'd been born 100 years earlier.
3
In the meanwhile China is manufacturing our hardware, with bugs, tics, spyware and all. We should be making all of our stuff here stateside. Same with our pharmaceuticals. The future is not what it used to be.
12
I wonder if the private love-chat in Singapore between Trump and Kim included Trump’s suggestion that North Korean cyber warriors and hackers help the GOP in 2018 and Trump in 2020? I fear Russian interference was only the beginning.
5
He gave Kim the keys to everything. Trump is an enemy agent
This is the most revealing and disturbing editorial I have ever read on the subject of cyber attacks. This article outlines the entire effects, and with imagination what cyber winter could be. Not unlike a total nuclear attack, a total cyber attack could send the world back to the stone age. (but is it possible) First the worst has all ready happened, we can not act on cyber attackers, nor defend ourselves in the way we should, because a president has already been installed in office to protect our cyber enemies. And what happened in 2016 election was just the beginning. This can't be proved, because that is the modus operandi of cyber weapon use. How sad.
7
One barrier to rational responses is the fact that most (all?) off-the-shelf software is under the seller’s lock. Two things follow from this: potential community fixes to make Windows or Office, just for example, more secure are blocked; for black-hat and terrorist hackers who have the time and tools to look for ways to subvert current commercial consumer protections they are sitting-duck targets. We are sitting duck targets.
And on the hardware side there is the fact that us non-geek, non-hackers have no way to even control access to our machines, as shown by the way many updates to our software occur without our knowledge or control.
This situation has got to be part of the larger problem. In short, my computer is under the functional control of Microsoft and any other manufacturer whose software I have installed, and this is true at all times, whether I’m even using their products, or even, as far as I know, if I have deleted their products.
3
Generals (and Admirals) always fight the last war. Perhaps not as sexy as a new aircraft carrier, but absolutely more essential to protecting the US.
3
Tremendous eye opening article and extremely scary. If we cannot make sure that our election system is safe and not susceptible to hacking or manipulation, we cannot be sure about protecting our democracy.
It amazes me that neither of the parties are forcefully demanding that we abandon the extremely vulnerable electronic voting and go back to paper ballots and open counting, as several European countries have done.
If we cannot have confidence in our election process, none of these discussions will yield anything.
17
If it's connected, it can be hacked. And even if it isn't connected, it can be hacked through a port of entry. We've traded security for convenience and are living in a fool's paradise--until the day comes when it's no longer a paradise, but a nightmare.
I've been doing this stuff for a long time and in all fairness, the innovators probably didn't consider the potential for abuse while they were innovating. But the time has come to take a cold, hard look at whether or not the convenience and efficiency of being connected is worth the risk. Isolation will certainly lessen the risk, but not eliminate it completely. And there's always a chance of a CME wreaking havoc that will last a decade or more. So we're well advised not to put all of our cookies in one connected, digital jar.
5
Friend, its not even whether you're connected. Is your bank connected? Is your Insurance connected? Your credit? Your job?
There are two fundamental problems, which most in the tech industry do not like to acknowledge (nearly 35 years working with the technology informs this opinion). The first deals with the technology itself, which was never intended to be secure against concerted assault. It is a problem generic not just to this industry, but engineering at large, across disciplines: most systems are designed with an assumption that users are benevolent actors. Safeguards are provided to keep people from accidentally ‘breaking things,’ but far less frequently is intentional misuse/abuse/attack considered in design and implementation. Even in the software world, where secure coding standards have become more common, assault on the end-to-end system (hardware, interfaces, infrastructure, as well as firmware/software) with intent to do harm, is almost never considered. Especially in the early years, most users just wanted to make it work – no one worried about bad actors. Yet even then there were trolls and flame wars, people building grudges, and learning hacking techniques to inflict revenge.
Nothing was done to stop this, other than toothless admonitions not to feed the trolls, or not to be evil. Yeah, that stuff stopped working in kindergarten, but wishful, idealistic thinking within the industry was and is rampant. This is the second problem: the inability to accept that we have already waited too long to impose regulations and establish criminal statutes for intentional misdeeds.
9
There is of course a perfectly easy way to stop massive cyber attacks - don’t connect stuff to networks unless absolutely necessary. Want to trust our elections? Use paper ballots, counted by hand. Want to trust your washing machine - wait why is it connected to the internet? Other systems are more crucially reliant on connectivity, but can be made resilient by the simple expediency of redundancy. Want to protect your supply chain - dial down the just in time and have some supplies stockpiled. Want to make sure a simple cyber attack on financial transaction systems won’t cripple the country - keep some cash in circulation.
Unfortunately, on all these things we do the opposite. We discourage cash, we make voting more electronic not less, we remove redundancies (“inefficiencies”) from our systems. If and when things go massively wrong it won’t be for lack of a cyber warfare strategy. It will be because we wanted to squeeze that next cent of profit out of systems whose functioning is crucial.
82
Rather than "net neutrality," we need a separate secure premium internet where all information/financial "packets" are verified to their source. And yes, the government would have a role in coordinating security through an independent agency. Do we want to work on this now or after Pearl Harbor? And yes, there's would be a charge per information packet in addition to a subscription fee.
10
As a senior software developer, this is the sort of thing that keeps me up at night. Our entire economy is built on layers and layers of software that are for the most part, designed to be feature rich often with security as an afterthought, and frequently written by foreign workers susceptible to espionage.
I recommend reading up on the Stuxnet worm that attacked the Iranian nuclear program, how it functioned and exploited vulnerabilities nobody even knew existed. It is really, really frightening.
Now imagine, in a time of war, dozens of these things unleashed against our financial institutions, the cloud servers that host our critical applications, and corporate and government servers. Imagine logging into your bank or 401k and seeing a zero balance (a good reason NOT go paperless), and critical software-driven infrastructure and supply chains ceasing to operate coast-to-coast all at once, social security checks not going out, etc. The chaos that could be unleashed is unimaginable.
85
Scary, indeed.
I annoy all the banks and financial institutions I do business with. Checking, savings, brokerage accounts and all of my credit cards, I still demand paper statements.
38
Sneeral -- I'm with you. I'm going back to paper wherever I can. Having the world go faster and faster via connectivity does nothing good for citizens in the long run. Call me a happy Luddite.
The pdf statements I download every billing period are just as good as paper statements (I can even print them if I'm so inclined). And as insecure as the internet may be, it can't be much more insecure than paper traveling who knows how many miles, always within reach of countless sticky and deviously inquisitive fingers.
Our systems are terribly vulnerable. We excuse it by saying no system is perfectly secure. We blame victims for not being as smart as we are about patching. We add additional security settings, but these are mere security theater because giving an app access gives it access to everything. If Bill Gates had to pay for hacks the way car makers paid for flawed systems, we would have a different world.
20
My god: splendid common sense, rational thinking, wonderful technical knowledge, very clear writing, and a terrific and detailed plan for action!
Sadly, of course, nothing will come of it.
80
Thank you for this sobering article. If there ever were a national security wake-up call, this is it. Cyber war is here and now and is not to be trifled with.
6
The solution is not that difficult, but is blocked by various special interests.
Secure the vote and the financial systems, and everything else, with blockchain technology.
5
Intel will introduce a new generation of chips near the end of the year which will be the last 386 generation.
Intel will subsequently introduce a new architecture which is not 386 based. Surely with the experience that Intel, Microsoft, and Linux developers have over decades a better more robust cyber system can be developed. Intel and system software developers must be required to put that as a first priority.
Declaring norms is an answer when norms have never been respected is a pipe dream. There is a norm of signing the Non Proliferation Treaty that nuclear weapons will not be developed. North Korea signed only to withdraw. Nuclear weapons development is not easily hidden. Cyber Security violation for developing cyber weapons are impossible to detect. Instead protect critical systems such as voting by having paper ballots or other hardened systems. Power stations and critical infrastructure including financial systems should be required to have disaster backup plans and systems that must be regularly reviewed and tested. In a free society we must not compromise the private sector from developing the most secure, unbreakable digital systems that can be conceived. The government cannot be party to the private sector. They must remain an adversary. Apple is right in defending its right for unbreakable security. Secrecy is security is freedom.
37
No disrespect, but your letter would be much easier to read if it were broken into paragraphs. Thank you.
Great article on an issue that affects the entire country regardless of party. If only we had any leaders whatsoever for any side of the aisle or branch of government capable of actually accomplishing anything other than calling their donors.
48
The frustrating thing about this & other issues that should be of universal concern (climate change, anyone?) is that *someone* — could be from either side — always puts making political points above the common good, & finds a way to twist it into a partisan issue.
3
I hate that I have to even think this, but seems like our best hope on this for leadership and demand for action is Corporate America which stands much to lose across the board.
3 days without the capability of pumping gas/diesel at filling stations across our nation would put us into a serious predicament. Our gas pumps alone are vulnerable. Will the oil companies invest in their protections? Doubtful.
48
Well, why not ask the Koch Brothers, or is it now the Koch Brother?!
One response might be to segment the Internet into zones. Cyberattacks originating from a specific zone would result in quarantine of that zone. Inflicting exclusion might be the ultimate deterrent. How to achieve that zonal defense is beyond me though.
20
Brad Smith's proposal for conventions that will organize the Electronic Republic worldwide is certain to run into the same problems of International Maritime Law (the Law of the Seas) and the Geneva Convention itself, which are their enforcement. In the open ocean, just outside territorial boundaries, are pirates of unknown origin. Who will interdict? And when the US itself contravenes the Geneva Conventions against unilateral military action in foreign territory, there is not much credibility to our plea for electronic rules of engagement.
12
In addition to the proposed solutions, there should be a strategy around analog safeguards/backups of our most important information and infrastructure. Yes, I realized this isn't how the world works any more, but some things are important enough to be protected this way. Precisely because analog is cumbersome, inconvenient, and localized, it is harder to hack. This will necessitate paying for it, perhaps even in the form of (gasp) government workers or seemingly redundant safeguards. For a starter example, PAPER BALLOTS.
152
Alameda County CA, where I just voted, uses paper ballots. Voters fill them out and submit them to election officials. They are then counted by machines like the ones that score standardized tests. Ballots can be recounted by hand if necessary. The system is cheap and efficient; returns are available the evening of election day.
4
"Vote by Mail" states such as Oregon and Washington... there are enough drop-off boxes around, so you don't even 'have' to put a stamp on the envelope.
Fantastic article. This is the greatest risk facing our nation. If we can target centrifuges with malware, that means our enemies can target our nukes. Or our power plants. Or our planes, trains, bridges, banks... Cyber weapons will quickly reach the point where they can wreak havoc across our country. We need a plan.
59
Nothing will be done until an attack causes such grievous harm that inaction will no longer suffice. Then we will look for scapegoats and simultaneously launch retaliatory operations that don't distinguish between friends and foes, thus worsening the situation immeasurably, as we have in Iraq, Afghanistan, etc.
69
The grid is easy to protect, no connections to any network that has a link to the internet. Why is there a "dark web"? DOS attacks against the dark web to shut it down. Individual hackers might be identified and eliminated (yes the CIA has killed folks in the past). Shut internet access down from any country that we think might support such. There are things to do, we just are unwilling to do them.
31
Astoundingly uninformed. 'The grid' is not something that can be unplugged at single points of network interface, but a complex infrastructure of disparate components - there is no easily defined boundary delineating the edge of 'the grid,' and hence your 'simple' solution, isn't. The dark web is simply the collective term for web servers which are not advertising their existence to web crawlers and search engines: if you know how to get to them, they are readily available, you just won't find links to them by googling. 'Dark' means out of the spotlight, not evil - the VAST majority of dark web sites are boring and hardly nefarious, and some people aren't concerned with making money off their sites, so keep them dark to deter drive-by attacks by script kiddies - I have many such 'dark web' sites, and none of them are for anything other than personal use. Yes, there are people who hide illegal activities within the dark web, but that is a sliver of what is out there - don't target the wrong thing, because you don't understand the problem. Finally, just so you know, I loathe hackers, and view their actions as criminal. Yet there's a huge gap between holding hackers accountable, by establishing laws/regulations with which to do so and prosecuting them, versus proposing targeted 'hits' on them. Aside from that just being wrong, they could easily turn the tables against you, ‘SWATting’ you for elimination – still like the idea?
19
"Air gaps" -- no connection between the network and the Internet can help, but they are not a guarantee.
The Iranian network that controlled their centrifuges were not connected to the Internet, but the Stuxnet worm penetrated their network via an infected thumb drive.
In the US there are hundreds of thousand of foreign workers working on computer systems, and many of them have physical access to the hardware. It is entirely reasonable to assume that some of them are compromised by foreign intelligence agencies and would be activated during a conflict to infect the systems from within.
5
The computers that controlled the centrifuges in Iran had no internet connection, yet they were attacked...
3
The problem is that there is no sunshine on the software we use. Software from Micro$oft, Apple, Google-Android, Siri, Cisco, etc., are all clothed in corporate secrecy. The entire infrastructure depends on these products and yet has no idea of the vulnerabilities built into the software.
=========================================
Each of these corporate software giants sends out "updates" that almost always fixes the vulnerabilities they themselves can detect. What is most damning is that the bad guys are finding vulnerabilities that the software companies do not yet know about.
=========================================
Open software such as Linux is much safer because every piece of it is available in source code (what the programmers write before it becomes converted to binary bits and bytes) It can be read by humans. Many eyes!
=========================================
As long as corporate secrecy of software remains, all of this cyber terror will run rampant. Cybersecurity folks all know what I have said is true. They work for the government. Unfortunately the government does not work for us, but rather the corporate secrecy guys.
31
The main problem has been that security was a secondary, or tertiary, concern in the development of operating systems and application software. Gates was going for market share, which means shipping beta software in order to be first. And he wasn't the only one. The competitive nature of the industry means that Marketing's insistence on 'ship it', overrules any other concerns about refinements, like security. This mentality is only slowly changing as people get burned, and of course everyone is stuck with all the legacy hardware and software that is full of holes.
10
While we placate a dictator who has made a career out of nuclear blackmail, we are doing very little to update and protect our electric grid, our telecommunications, our banking system, and all the electronic infrastructure we depend on.
Our fear of regulation is our enemy.
National security should dictate the protection, and companies that fail need to be aware that their existence depends on it. The Russians hacked our election; cyber crooks hacked our financial data right out of Equifax; who knows if our grid has been compromised?
And no one is responsible. We are feckless, and our feckless leadership is unlikely to change until a crisis forces them. You'd think election tampering would be a start, but unfortunately the Russians tampered the right way - no one in the GOP wants to give up that advantage.
20
I own a small, boutique web hosting service specializing in small businesses and associations. Nothing I host has any significance on the world stage from a political, economic, or social aspect.
Every day I am hit with thousands of attempts to directly hack web servers, email systems, DNS machines, and list servers. I'm not speaking of idiotic email attachments like phishing schemes; I am referring to direct attempts to hack perceived vulnerabilities.
Most of the attempts involve trying to hack email passwords, code injections into SQL databases, and root exploits. Every computer I control is constantly being hit with portscans. All of them are easy to block.
I have no high value targets. Yet the ability to take over any computer for other purposes makes it worthwhile to continue the attacks.
Most of the attempts originate from Russia, Ukraine, Amsterdam, and India in that order. There are very few from China; they tend to just send emails with viral attachments.
One interesting development has been an increase in spam from China. The emails they send are in Chinese. I had a couple translated just for giggles and they are genuinely spam -- ads for various manufacturers and whatnot. Why they would write them in Chinese to Americans is completely beyond me.
21
If you live in the San Francisco Bay area, which has a large Asian population, you can now expect cellular and landline robocalls, daily, in the Chinese languages. There's a target population here that's significant , and the cost to send spam is close to zero.
3