How the Experts Would Fix Cyber Security
Cyber crime is increasing in frequency and severity. What can be done to reduce the risk to individuals, businesses, and governments? In this installment of our quarterly series, that’s the question Bloomberg Businessweek Chairman Norman Pearlstine put to an all-star cast of security experts: Barrett Brown, author and activist, formerly associated with the hacktivist group Anonymous; Jason Brvenik, vice president of security strategy at Sourcefire; Joseph V. DeMarco, partner at technology law firm DeVore & DeMarco; Alan Paller, director of research at cyber training school SANS Institute; and Robert Rodriguez, chairman of the Security Innovation Network and senior adviser to the Chertoff Group. Their conversation has been condensed and edited.
Pearlstine: How big an issue is cyber security at this point? What are we really talking about? Is this an annoyance for business, or is it profoundly important?
Rodriguez: Our nation is going through the greatest transfer of wealth in the history of mankind. And it’s because of the increasing vulnerabilities within our systems.
Paller: There is a lot of intellectual property going abroad. But that’s not really the big issue. The big issue is: When you send out a weapon, you want to have control of it. The great risk to the nation is the predators aren’t owned by us, the satellites aren’t owned by us, the missiles aren’t owned by us. That keeps me up at night.
Barrett, does that resonate with you?
Brown: We can divide the risk that we’re facing into two different categories. One is the conventional conflicts we’ll have with nonstate actors outside of the U.S. and with other nations. The other risk is the externalities that always come from any new enterprise. And within the cyber industrial complex, as some of us now call it, we have a great deal of externalities that are not getting attention from the media in a sufficient fashion, and they’re not getting any degree of attention from Congress. Even when a few congressmen do raise questions about it, such as when they ask the NSA, “How many Americans are being spied upon in your wireless wiretap program?” and they get denied an answer… As is always the case, there’s more concern among those calling the shots with external threats than there is with their own behavior.
Jason, can you distinguish between different kinds of threats, in terms of where we might be succeeding or not?
Brvenik: Financials are very strong with security. That’s where the money is, right? But you look at an organization that farms peanuts, and they probably don’t have any security. It’s very different. So I’m much more practical. You need security that’s relative to the risks that you reasonably face. If we were [led] to believe that tomorrow there could be an attack that cripples our infrastructure—I think that would be, well, slightly overblown. What we’re really dealing with in today’s world is a criminal element and intellectual-property element.
Is it important to determine who’s responsible for security? Is it the seller of the computer, the way that a seller of an automobile is responsible for a level of safety?
DeMarco: What we’ve seen so far in the law as it’s evolved are increasing responsibilities being put not so much on the makers of computer hardware or software, but rather on the entities and organizations that are buying the hardware and buying that software, but may not have in place the policies, protocols, and procedures to protect the information that sits behind those protective measures.
Paller: We call it blame the user. We sell ’em a piece of hardware you can’t protect, and then we blame ’em for not protecting it. It’s just crazy.
What’s the alternative?
Paller: Contract clauses. The Air Force did this extraordinarily well, where they sort of forced the vendors to sell them systems that were configured safely. Big procurement can have a profound effect.
Brvenik: We can make it harder, we can make it more expensive for the adversary, but they still have entry points. In order to truly solve this problem, we have to educate everybody from the start. Elementary schools should be teaching children before they’re ever online about the risks of it, and safe behaviors and how to identify bad things.
Rodriguez: I totally agree with you. Education, increasing awareness, and starting with a national ad campaign, almost like Nancy Reagan did with “Just Say No to Drugs.” It sounded silly to people in the beginning, but it was highly impactful.
Right now we worry a lot about whether Iran will get a bomb, yet one of the things that has undercut some of our moral authority is that the one country that’s ever used a bomb is the U.S. By analogy, assuming the reports are correct that there was U.S. involvement in Stuxnet, does that in any way undercut the U.S.’s ability to criticize other governments?
Paller: Normally, when you shoot a weapon at somebody, you do damage. When you shoot a weapon in cyberspace, you may do damage—but [then] the weapon is out there. And when the weapon is out there, it can be transformed, and it will probably come back. So it’s not just that we’ve allowed people to think it’s OK to do this—we’ve also empowered them with pretty sophisticated tools to do it. And the key is: We’re much more connected than they are. We’re much more vulnerable.
Brvenik: Let’s play it out for a minute that we launch a cyber attack at somebody and achieve our goal. We took no lives, risked no lives, and we are no longer worried about a weapon that can take many lives. I call that a win. And if the downside to that is that they can turn it around on us because they discover it and use it, our mitigation can be just as simple as raising the flag and exposing it, and forcing manufacturers to distribute patches. So their window of opportunity is so much smaller than ours.
If we are more vulnerable because we are more connected, are we also more vulnerable because we don’t have as many people engaged in cyber security as other nations? There’s a general presumption that both China and Russia have more people involved.
Paller: The people who do the work that you’re talking about are very skilled people. We’re not producing them. There is no pipeline for them right now. The last book on this, Joel Brenner’s book [America the Vulnerable], said 30,000 in the PLA, 150,000 in the militia available. Our best numbers at that skill level are 1,000.
DeMarco: Part of that is precisely because of America’s economic success when it comes to the Internet. Our best talent and brains may not be going into security because they’re going into e-commerce.
Has mobility made this game geometrically more difficult than it was before?
Rodriguez: It’s the proliferation of apps—because of all things connected, everything from platform servers to toasters and everything in between. There are more vulnerabilities, more things to protect.
Paller: Let’s say you’re a small business. You’ve got everything to worry about and almost nobody in your security shop. If we start laying on them, “Now worry about security of your mobile,” we’re just making the whole thing complex. If you look at how small organizations lose money, it’s that somebody gets in their computer and moves the money—it’s called ACH [Automated Clearing House] fraud—and moves the money out of their account into somebody else’s account. And because they’re a business rather than a person, the bank does not cover them.
Brvenik: In your example, we can stop this business fraud by having one computer that handles the money, and you don’t do anything else on that. It’s very much how I do things, and how I advocate my parents do things. Here’s the problem: convenience. They forget. They sit down. “Oh, I’ll just check the website real quick.”
For years it was said that if you want to be secure, don’t use a PC, go to Apple. With the proliferation of iPhones, iPads, iPods, is it still safer?
Brvenik: Until Apple has the absolute market share that Microsoft does on machines, I don’t think it’ll ever be as attractive [to attackers]. It wasn’t because of security that [Apple] made it hard to jailbreak your phone—it was economics. They wanted to have full control over the content on your device. And now an iPhone is incredibly difficult to get into. And Apple is very responsive when you jailbreak an iPhone. As opposed to an open ecosystem like an Android, where I can create my own version from any device.
In terms of cyber crime, do we need to distinguish between the armed robbery of a local bank that gets a few hundred bucks and the Brink’s truck that nets several million dollars?
DeMarco: There’s a limited analogy. One of the things, though, to keep in mind is, what’s going to drive the debate, what’s going to drive the law, is not just the raw economic numbers. It’s also going to be the human stories. Go back to our small business owner of a few moments ago. He or she may be worried about losing money, but even apart from any economics involved in a loss of an employee’s tablet, they’re gonna be worried about the loss of customer lists, the loss of their identity through identity theft. And again, even if the banks and credit-card companies stand behind their economic losses, the hassle that they’re going to have to go through to make their credit right again is going to be a powerful incentive for them to worry—even if at the end of the day they’re only going to be losing a few hundred [dollars]. So the human stories are where you get into questions about loss of intellectual property, loss of time, loss of intellectual capital, and secret confidential information, even if it’s not the formula to Coke. ’Cause all those things will drive policy as well as economics and technology.
Rodriguez: Pain drives change. And until the pain reaches a certain threshold, the policies, the regulations, the whole environment will move at the course that it’s taking.
How much does social media aggravate the issues regarding cyber security?
Paller: If you believe that most of the sophisticated attacks use social engineering as one element of their attack chain, meaning they persuade you to go to a website that affects you or to open an attachment, then social media is very powerful. But there are better ways they can tap you. Any businessperson who uses a Bluetooth headset can be heard at lunch having a conversation two blocks away. And then you can use what he said to only one person in the e-mail that you get him to open. So there are a lot better ways than social media, but for lazy people social media’s great.
Is wireless in a hotel equally dangerous?
Paller: If you’re in one of the hotels where a bunch of security guys are having conferences, it’s really dangerous (laughter).
Brvenik: I think we need to separate some bits here. Social media enabling scammers is no different than the telephone-enabled scammers. It’s no different than any criminal element trying to get one over on you. It’s no different than the guy that drives around in a truck and says “I’ll treat your driveway” and just sprays your lawn. It perhaps gives them a broader audience, though I would say that the people most susceptible to those types of socially engineered attacks in the general population aren’t even on social media. They’re my mother, right?
Let’s talk about the cloud. Does the concentration of information and remote servers create greater security? Greater risk? Or both?
Paller: I’m on the side of much greater security. Because I know what happens when you spread that information around or try to get effective security in a hundred places. You just don’t have the bodies. Do you provide a big target? Does it become worthwhile for people to break in? Yes. But on balance, you’re safer on the cloud.
Brvenik: I’ll agree that it provides an opportunity for more security. We’re not there, though, because we’re not demanding that [it] be provided in our contracts. We’re not demanding that these controls be created and audited.
DeMarco: In theory, robust cloud computing provides certain potential advantages. The real joker in the deck, if you will, is even with robust contractual security provisions, what the law is going to look like in this area. So for example, if you’re the state of Texas and you want to increase your efficiency by putting all of your state Medicare and Medicaid data in a cloud service based in Canada, you might be fine with that from a cost point of view. But from a legal point of view, what is the process, the legal process that is going to be necessary for, let’s say, the Canadian government, or a plaintiff in a Canadian lawsuit, to be able to get that data? Is it going to be simply based on a request? And if the provider provides that, is your only remedy going to be breach of some contract?
Paller: Your view of it is the general businessperson’s view, which is, “If I have control of it, it’s a little safer at least than if it’s somewhere I don’t.”
Brvenik: Well, at least I have some idea how susceptible my own employees are to bribery or to fall asleep at the switch. I don’t know about their employees.
If you look out four years from now, will we be more secure or less secure?
Brown: I’m very pessimistic. The NSA, for instance, was caught a few years ago having conducted this wireless surveillance program that we only know about because a Justice Department official came forward and then got raided by the FBI for it and told the New York Times. Several companies—AT&T and Verizon—were bound to be complicit in that, and then Congress gave them immunity. The media can obviously report these things when they happen, but it’s never gonna make it into the debates between Romney and Obama. I just see us losing a great deal of what we’ve protected at great cost. I don’t see a very good outcome from the standpoint of civil libertarians, for example.
DeMarco: Four years from now, regardless of who becomes president, we’ll be more secure in some respects, less secure in other respects. And what could change that? One thing would be any type of major legislation relating to cyber security. I think a digital 9/11 could change it—hopefully unlikely. And finally, human stories—real cases that move people’s hearts and emotions involving digital privacy, cyber security, cyber espionage, cyber extortion. That’s the most likely.
Brvenik: We’re going to keep moving this forward. How far we get or how far our adversary gets very much depends on how much attention and diligence we put into it and how well we consider the problem to be a threat to us as a nation.
Rodriguez: There’s an opportunity here. I’ve heard there’s 1 percent unemployment in the cyber security domain, maybe even zero. There’s a great opportunity to drive awareness to the challenge, and with corporate captains starting to pay more attention to the theft of intellectual property, to not lose the innovative, competitive advantage that we have as a nation.
Paller: I’ll defer to my friends here. I honestly don’t know.
Well, if you don’t know, that’s the scariest thing I’ve heard tonight.