Cybersecurity bills aim to prevent ‘digital Pearl Harbor’
http://money.cnn.com/2012/04/23/technology/cybersecurity-bills/index.htm?source=cnn_bin
This is a serious conundrum and one that is difficult to resolve. Our nation’s electronic infrastructure is indeed under constant (largely successful) attack and there is no doubt in my mind that there are several nation states and rogue political elements that have their finger poised over a big red button to shut a lot of our systems down in an instant. That this is the state is due to a huge culture of ignorance and apathy amongst business leaders who totally fail to understand the gravity of the situation and actively work to undermine the authority and enforcement ability of the network security people. I see zero chance of this changing until this so-called Perl Harbor event, and even afterward I see little chance that much will change. People are used to computers (and networks) that don’t work properly, yet are also used to the ability to make changes willy nilly and bypass security measures. These two are interrelated since software (and sometimes hardware) companies are basically required to get something to market immediately, security (and testing in general) will always take a back seat to slamming out code. ‘Slammed out’ code is almost universally crappy and insecure, so our entire nation’s infrastructure is built on crappy, insecure code (and occasionally hardware, but in my experience hardware is better tested (but might be equally insecure, just not very vulnerable to remote attacks)). Since people have to work with crappy software (sometimes maddeningly crappy, like the idiotic Office 2007 interface change) they are constantly trying to find something better so they can do their jobs faster and more efficiently (really: most people like doing good jobs, they are just held back by their organization, culture and tools, so develop a bad attitude). As such, they put constant pressure on the (largely totally clueless) management to implement this or that shiny new solution and never give the IT guys (and gals!) a chance to get in control of things.
Is the solution a huge overarching government program that puts every bit of private information into the hands of our secret agencies? I find it very difficult to champion that idea either. I am not impressed with our government’s ability to do anything important or critical (actually not impressed with our government’s ability to do much of anything, but I believe much of that has to do with crappy management (why, oh why, does everyone think that anyone can be an effective manager?)) so the idea of putting our government in charge is problematic. I am also rather unimpressed with our government’s cyber security skills (and culture) and lack confidence that it would be able to do anything meaningful with such new (authorized) power. So, what I see in giving the government this capability is nothing more than providing it with the tools to more aggressively target citizens for investigation and prosecution and won’t do a damn thing to make our networks more secure.
Is there a solution? I don’t see anything as long as our culture remains unchanged and frankly (why is frank always involved?) I don’t see anything, up to and including a ‘Perl Harbor’ event, changing the culture. Sure there will be exceptions and some companies will have a level of infosec that will, at a minimum, drive the bad guys to pursue easier targets, but given the basic insecurity of any network and the crappy code that runs on top, we have achieved this level of idiocy after decades of diligent effort. I just don’t see our society willing to throw away so many decades of wasted time and effort and instead will continue to band-aid problems (making the situation worse, of course) and lie to themselves. Infosec is very hard in an ideal environment and unless you are going to put a well-written AI system in charge (Skynet anyone? (and is it even possible for humans to write anything well?)) human response times are so glacial as to be meaningless anyway. The only real ‘solution’ is to go back to the digital stone age. Sort of like how to resolve the 50K deaths on US highways each year: go back to horse and buggy.
However, if we (as a society) were to accept the concepts behind risk management and allow that much of our infrastructure is one tiny blip away from becoming worse than useless, then we (as a society) might invest a bit more in beefing of certain parts of our infrastructure and just accept that the rest will fall to the wayside during an attack. Of course, I don’t see that as possible either. I am not sure if it is the human condition or specific to the US, but here in the US people are so fixated on wanting to believe lies (and liars) that they will actively fight being exposed to the truth and will not invest an ounce of effort in researching (thus revealing as lies so much of what they ‘know’) and independently verifying what they learn.
Is there anything someone living in the US can do to prepare for the infosec Perl Harbor? Other than the typical ‘stock up on canned goods and bottled water’ advice I can’t think of much. While it is possible that short-term destruction of our infrastructure can be ‘weathered’ (it ain’t for nothing people talk about ‘weathering’ a storm) just like anything else (we collectively recovered from the likely trillion dollar cost of grounding our entire airline infrastructure for 3 days after 9/11, for instance), the longer it goes on the more likely that society will break down. We aren’t the Japanese who can stoically wait for the functional parts of society can get organized to help, we are the hot-headed punks who start riots and engage in vandalism at the first sign of a societal breakdown and will cheerfully start to dismantle our remaining infrastructure elements to magnify the negative results. As such, those of you who engage in doomsday prepping will find yourself overwhelmed by the ignorant massed intent on ensuring that no one can benefit from your foresight.
