[Infowarrior] - 3 Reasons Why U.S. Cybersecurity Sucks

Richard Forno rforno at infowarrior.org
Tue Jul 14 19:29:01 UTC 2009 

Danger Room What’s Next in National Security
3 Reasons Why U.S. Cybersecurity Sucks
	• By Michael Tanji
	• July 14, 2009  |
	• 8:44 am  |
	• Categories: Info War
http://www.wired.com/dangerroom/2009/07/three-reasons-why-us-cyber-security-sucks/

Good news, cybersecurity nerds: You ain’t running out of work, anytime  
soon. As last week’s cyber panic about North Korea showed, when there  
isn’t a teenager-simple denial-of-service attack that delays your  
access to a government website, there is a voracious hype machine that  
feeds on the tiniest slivers of data – both significant and trivial –  
and expels massive quantities of fear and misinformation. And where  
there’s cyber fear, there’s cybersecurity work to be done.

It’s sad that this sham is allowed to continue unabated. But worse  
still, it’s dangerous. Despite the expenditure of tens of billions of  
dollars and countless studies on what needs to happen (not to mention  
all the offices, centers and commands, that are supposed to implement  
those reports), we’re still largely screwed when it comes to threats  
of the online variety.

The problem is multifaceted, but can be broken down into three meta- 
categories:

	• Bulls--t. It’s the North Koreans! It’s the Chinese! It’s the  
Ruskies out to steal our essence! The one thing you can be sure of is  
that very few people know who is behind any cyberattack. Code analysis  
helps to a degree (”Hey, there are some Chinese characters in here!”)  
but code-reuse is not exactly an unknown phenomenon online. There is  
no serious attribution methodology, so to some extent everyone is  
guessing.

	• Ineptitude. There are a lot of people working on cybersecurity  
issues, a lot of people “managing” these issues, but not a lot of  
people leading on these issues. Cybersecurity doesn’t lack for  
brainpower; it lacks the vision, the juice and the intestinal  
fortitude to realize the vision. When your focus is billets and  
resources and dollars and org charts (read: management) it’s easy to  
see why cybersecurity fails. Why? Cyber doesn’t kill, it doesn’t maim,  
it rarely has negative impact on any scale and when it does it is  
almost always a readily recoverable event. Managers don’t deal with  
the nebulous, intangible and anything that involves “maybe” very well.

	• Complexity. The people at Verizon look on bemused when the military  
talks of achieving information-space dominance, when with the flick of  
a switch, a technician in overalls and a tool belt can render our  
digital military might inert. Attack and defense tools are built for  
computer-based warfare, but planetwide more people access the net with  
phones than desktops. There has yet to be a study that has looked at  
these problems in a truly comprehensive manner (read: not dominated by  
geezers who have other people read and respond to their e-mail).  
Mostly they’re focused on legacy futures, which is cool if you’re not  
interested in forward progress.
Cybersecurity is a real problem. It has been since computers were  
invented and connected to one another, but we’re no better off today  
than we were then. It is not as if we don’t have any lessons learned  
to draw from. We are in fact worse off because of the extent of our  
inter-connectedness, and that says a lot more about those who purport  
to be about enhancing cybersecurity than it does those who are out to  
subvert it.

More information about the Infowarrior mailing list