> Everything worth taking has already been intercepted: Our personal data, intellectual property, voter rolls, medical records, even our own cyberweaponry.
> [N.S.A] had held onto a critical vulnerability in Microsoft for more than five years, turning it over to Microsoft only after the N.S.A. was hacked.
N.S.A is gonna scare boomers into giving it more money again.
Actually securing systems would require a massive rethink of systems architecture and replacing many hundreds of millions or billions of lines of existing code.
MAD doesn't work with non-state actors, and it only works with state actors if you're actually willing to go to the mat, which I don't think the US is.
So what does that leave? Hope? Not much of a strategy.
> So what does that leave? Hope? Not much of a strategy.
Open Source everything that is IT in government - from the basic design specifications to actual infrastructure configuration - and pay sizeable bug bounties (to the tune of at least 100k per bug) to incentivize third party experts is a very valid strategy.
It is also a great way to get contributions/feedback for improvement ideas from actual experts in the field instead of from some random freshly graduated junior that's sold as a senior consultant by the contractor.
It's ridiculous that many billions of dollars of taxpayer money are spent every year for proprietary software or, worse, hardware that cannot even be audited by independent third parties.
A side effect of a full OSS strategy would also be that waste (e.g. ridiculous/incomplete specs, "deliverables" that don't match these specifications, unrealistic timetables) can get uncovered and tracked by the public.
Given enough eyeballs and sunlight, all issues will eventually be found out. As citizens, we should demand transparency from our respective governments instead of knowing that there are issues and hope our enemies don't discover them.
Bug bounties might work if one could be sure that the availability of the bounties was not a significant incentive for creation of the bugs. Demand finds more ways to drive supply than you or I can imagine.
We can't even get the NSA, an agency of our own government, to meaningfully contribute to cyberdefense, because they're too focused on offense. (See TFA)
I don't see how paying $100k bug bounties and requiring open source can even make a dent when the same government is paying $millions on cyber offense.
Most security flaws that I have seen seems to fall into two separate groups: trusting user input and leaking timing information.
If we worked on a system to whitelist proven safe input, then we would be a lot safer.
What interests me is that we are essentially in an opposite of WWI: attacking is extremely easy, defense is very hard. I am not sure that this helps, but perhaps that can give some suggestions.
Perfect cyber defence is impossible. Getting rid of password protected backdoors is possible, applying security patches in timely manner is even more possible. There, two biggest hacks in the last few years just became impossible. People are not doing their jobs and hide behind the “impossible”
I'd argue that it has nothing to do with people not doing their jobs but rather the companies are accepting the risk of these breaches instead of providing the necessary resources to protect themselves.
It could be argued we're saying the same thing, but your statement has subtle undertones of "IT is failing to do what they're paid to do" instead of the reality of "executives and board members are focused on absolute profit and don't have any legal or financial consequences to being hacked".
Most C-levels that have left "as a result of a breach" for the incidents in the past decade do so with a massive golden parachute. Then after a vacation go work for another company with no consequences. They're actively rewarded for this behavior right now.
This discussion has been ongoing in security for a couple of decades. The reason we didn't get traction on fixing it was because our approach to mitigating risk interfered with opportunity and growth. Imo, the U.S. is losing its place in the world because it can't assert itself the way it used to, as a direct consequence of there being zero-cost to an adversary retaliating by creating domestic civil unrest using metro area power outages and water system compromises from cyber attacks. Think Texas power outages last month, but longer, and in LA, NYC, Chicago, Baltimore, or a version of last years riot season with blackouts.
It's harder to mobilize an army, let alone a draft, when your people are rioting and looting for lack of basic services. The good news is we won't see another personnel heavy gulf war or vietnam again, but the terrible news is adversaries know it's almost democratically impossible for the U.S. to fight a total ground war anymore and this will embolden regional border conflicts where raw numbers of infantry soldiers are an advantage. See China's current aggression in international waters and on its border with India as an example where there is a hard ceiling on the level of U.S. intervention because cyber has unbalanced the risk/reward.
Perhaps its only option is to keep escalating aggression and putting pressure on adversaries so they don't have the attention to devote to their regional ambitions, where the role changes from global cop, to a global "broken windows" and "stop and frisk" policing policy.
I'm fairly certain that if China did to the US what they did to India last year[0], we would strike back, and strike back hard. If China/Russia got to the point where they're causing power outages and rioting/looting, Chinese/Russian cities wouldn't be left unscathed. In a future conflict with a peer enemy I assume all Internet services will cease to exist and we'll be back to WWII era of technology.
The answer: a huge number of foreign citizens, possibly agents, nobody knows, working in the US tech sector, and several domestic agencies that each separately and secretly compel those companies to pay those employees to install back doors, and then kick them out of the country in exchange for a new batch of younger and cheaper employees.
I remember when I used to think that hackers ‘found’ bugs. Silly.
Foreign governments don’t need to pay employees to install back doors. Highly-paid software engineers are perfectly capable of inserting security bugs into their own code without prompting. Writing secure code is insanely difficult and has only become harder now that vast swaths of the code that is written is directly exposed to the Internet, or just one small step away from it.
29 comments
[ 2.9 ms ] story [ 79.5 ms ] thread> Everything worth taking has already been intercepted: Our personal data, intellectual property, voter rolls, medical records, even our own cyberweaponry.
> [N.S.A] had held onto a critical vulnerability in Microsoft for more than five years, turning it over to Microsoft only after the N.S.A. was hacked.
N.S.A is gonna scare boomers into giving it more money again.
Actually securing systems would require a massive rethink of systems architecture and replacing many hundreds of millions or billions of lines of existing code.
MAD doesn't work with non-state actors, and it only works with state actors if you're actually willing to go to the mat, which I don't think the US is.
So what does that leave? Hope? Not much of a strategy.
Open Source everything that is IT in government - from the basic design specifications to actual infrastructure configuration - and pay sizeable bug bounties (to the tune of at least 100k per bug) to incentivize third party experts is a very valid strategy.
It is also a great way to get contributions/feedback for improvement ideas from actual experts in the field instead of from some random freshly graduated junior that's sold as a senior consultant by the contractor.
It's ridiculous that many billions of dollars of taxpayer money are spent every year for proprietary software or, worse, hardware that cannot even be audited by independent third parties.
A side effect of a full OSS strategy would also be that waste (e.g. ridiculous/incomplete specs, "deliverables" that don't match these specifications, unrealistic timetables) can get uncovered and tracked by the public.
Given enough eyeballs and sunlight, all issues will eventually be found out. As citizens, we should demand transparency from our respective governments instead of knowing that there are issues and hope our enemies don't discover them.
https://software.af.mil/dsop/services/
Bug bounties might work if one could be sure that the availability of the bounties was not a significant incentive for creation of the bugs. Demand finds more ways to drive supply than you or I can imagine.
I don't see how paying $100k bug bounties and requiring open source can even make a dent when the same government is paying $millions on cyber offense.
If we worked on a system to whitelist proven safe input, then we would be a lot safer.
What interests me is that we are essentially in an opposite of WWI: attacking is extremely easy, defense is very hard. I am not sure that this helps, but perhaps that can give some suggestions.
It could be argued we're saying the same thing, but your statement has subtle undertones of "IT is failing to do what they're paid to do" instead of the reality of "executives and board members are focused on absolute profit and don't have any legal or financial consequences to being hacked".
Most C-levels that have left "as a result of a breach" for the incidents in the past decade do so with a massive golden parachute. Then after a vacation go work for another company with no consequences. They're actively rewarded for this behavior right now.
Certainly none of our big C++ platform software has really made any headway on completely removing memory security bugs.
It's harder to mobilize an army, let alone a draft, when your people are rioting and looting for lack of basic services. The good news is we won't see another personnel heavy gulf war or vietnam again, but the terrible news is adversaries know it's almost democratically impossible for the U.S. to fight a total ground war anymore and this will embolden regional border conflicts where raw numbers of infantry soldiers are an advantage. See China's current aggression in international waters and on its border with India as an example where there is a hard ceiling on the level of U.S. intervention because cyber has unbalanced the risk/reward.
Perhaps its only option is to keep escalating aggression and putting pressure on adversaries so they don't have the attention to devote to their regional ambitions, where the role changes from global cop, to a global "broken windows" and "stop and frisk" policing policy.
https://www.nytimes.com/2021/02/28/us/politics/china-india-h...
The answer: a huge number of foreign citizens, possibly agents, nobody knows, working in the US tech sector, and several domestic agencies that each separately and secretly compel those companies to pay those employees to install back doors, and then kick them out of the country in exchange for a new batch of younger and cheaper employees.
I remember when I used to think that hackers ‘found’ bugs. Silly.