Guess what, I am an idiot. At least where roofing a house is concerned. Unfortunately, this makes me susceptible to less than scrupulous roofing contractors. They tell me that if I try to do it myself, I will nail my hand to the boards, fall off the roof or crush myself under a pile of shingles. My work will be shoddy, the roof will leak, catch on fire and allow bugs to infest my home.
In other words, I am an uninformed roof buyer who can be easily manipulated with fear, uncertainty and doubt. Or as we security people say – FUD.
Guess what? When it comes to information security, politicians are also (mostly) idiots. Since people in politics and the government know almost nothing about information security (or “cybersecurity” in political parlance), they naturally assume that hackers can make things explode, destroy the economy, wipe out our freedoms and resurrect dragons. However, no threat is too incredible to be resolved by a nice, insanely crafted piece of legislation.
It does not help that some security practitioners will feed these politicians FUD to further their agenda. Reading some of the ludicrous things these self-appointed security gurus say to Congress is depressing. I am reminded of McAfee’s revolting demonstration at RSA this year where they hacked an insulin pump. While the audience ooh’ed and ahh’ed, all I saw was emotional manipulation. (I wrote about that here: http://bit.ly/yeKttw)
Politicians are uninformed buyers when it comes to information security. They are easily manipulated into buying things they do not need and focusing on issues that are not important.
And now we have CISPA, or the Cyber Intelligence Sharing and Protection Act, which will, in essence, allow the government to spy on anybody, for anything, anywhere, at any time. I am not going to perform a deep analysis of the law. Techdirt did a great breakdown on this here (http://bit.ly/J0966v) and there is a good analysis here at Business Insider (http://read.bi/Jrrff5).
With broad easily abused powers and limited oversight, CISPA is like handing a big bag of money to a meth addict. They are not going to wisely invest that money. They are going to blow it on meth. Congress is not going to use CISPA to help the country. These powers will get abused for selfish interests, you can count on it.
Government needs to basically stop listening to security gurus and start listening to some common sense about information security. Some of the messages they need to hear include:
1. Hacking Is Not as Dangerous as You Think
Despite what movies and some gurus suggest, hacking systems and causing serious, long-term damage is actually difficult to do. What is more likely is that people will steal information and then use that for either financial or personal gain. This behavior, while illegal and annoying, does not rise to the level of deadly or destructive.
Hacking power systems, for example, has very little benefit to the attacker. First, it is difficult to do since you must figure out a way into the environment and exploit vulnerabilities. That takes time, effort and expense. Second, what is the benefit to the attacker? If I could turn off the power in a Seattle neighborhood for a few hours, what would I gain? Moreover, if the power does go off, it is not like the power company is going to throw up their hands to say “oh well, we’re owned.” They are going to reboot the affected systems, reconnect the power and get things back to normal. This is not to suggest hacking power systems is a minor issue, but it is not as easy or deadly as politicians believe it is.
I do not want to downplay the importance of good information security, but there is a limit to what hacking or malware can accomplish.
2. Cyberwar Is a Joke
Marcus Ranum had a great analogy about the problems with cyberwar when he spoke at RSA this year. To paraphrase Ranum, imagine you offered the Army a gun that was absolutely accurate, very deadly and easy to use. However, at any moment, that gun could disappear and you could never use it again. Such is the challenge with the weapons of a cyberwar. At any moment, your arsenal of exploits and attacks can become useless.
The dynamic, volatile nature of information systems makes it very hard to target them. And even if you are able to shut them down for a moment, simple responses (like rebooting the switch) can resolve the problem and effectively end the war. Imagine if some Army Sergeant could have simply unplugged Hawaii on December 7th 1941 for a while, and made all the Japanese planes get lost and have to abort their attack. Attacks intended to hurt a country undergo a lot of planning, preparation and testing. You do not want to commit your forces to a costly battle if that battle can be thwarted with a single push of a button.
Moreover, the effort and expense involved in crafting an offensive cyberattack are significant. You need people who are very intelligent and skilled. Those people are not cheap. And a lot of them are going to gravitate to the private sector, where pay is good and the work does not have the moral ambiguities of attacking foreign nations.
Lastly, the impact of cyberwar is dubious. The chance of a cyberattack resulting in deaths is astronomically small. Economic harm is the only real threat, and the scope of that threat is murky at best. Any serious effort would most likely be directed at industrial espionage, which would be localized and limited in its overall impact.
3. If You Do Not Trust People, They Will Not Trust You
Trust is hard to come by these days. However, if you want trust, you have to give it first. This is not some insane, touchy-feely new-age idea, it is basic diplomacy. Trust requires mutual assurance. However, if a relationship is imbalanced, then the more powerful player must offer trust first. Then the less powerful player can feel assured to offer trust in return.
However, when you act in a suspicious and accusatory manner, people will not trust you.
Government is no different here. If the government continues to behave in a manner that seems suspicious and untrustworthy, then people will not trust it. There is a reason satisfaction with Congress is at an all-time low. Congress behaves in an untrustworthy manner.
The government has to show more respect for information security and privacy. There needs to be a rational, common sense balance between the needs of law enforcement and the privacy rights of people. That balance should originate with intelligent, reasoned, and educated analysis – not think tanks, SuperPACs and self-appointed security gurus.
4. If You Are Outraged, You Are Making Bad Decisions
Emotional manipulation has become the hot skill set of the 21st century. From marketing to politics, technology to health care, getting people outraged, terrified or indignant is the only way anything gets done.
Getting people addicted to fear is now a highly profitable industry. 24 hour news channels pump out non-stop sensationalism to keep the masses jacked up on a steady diet of outrage. Politicians use the language of fear all the time, feeding constituents that warm, enraged feeling they so desperately want. The information security industry also has a huge addiction to fear. Art Coviello sprayed a non-stop torrent of fear language on the audience at RSA this year.
Fear gives purpose to those who lack meaning.
Here is the thing about fear, it turns you into an idiot. Fear causes you, at a biological level, to make short-sighted, poorly reasoned decisions. Fear really is the mind-killer. It hinders your ability to reason.
CISPA is no different here. The supporters of this bill have framed it as something that protects children. Of course, anybody against the bill will now be cast as waging a “War on Children.” Cue the talking heads for the attack, ramp up the talking points, and before you know it people are outraged and demanding CISPA be enacted without knowing what it does.
It is time to stop being outraged, and start being curious. Rather than be indignant about Anonymous, why not start asking “why?” Why not look at what it is they want to accomplish, and figure out if there is a way to derail their efforts without resorting to spying on every citizen in the country. Moreover, rather than stripping away privacy and rights, how about thinking about ways to thwart attacks in a more sophisticated manner. Or here is a novel idea: ignore Anonymous. They are a bunch of kids who want attention. And the best defense against immaturity is to ignore it.
Moreover, everybody needs to break their addiction to outrage. That includes information security professionals.
What Should Government Do?
So, the natural next step in this discussion is – what should government do in regard to information security? I have some ideas about that…
1. Encourage Responsible Behavior
Programs and initiatives should encourage businesses to implement sound security practices. Leverage the skills of NIST, US-CERT and other agencies to continue to encourage and promote good security practices. Collaborate with existing standards bodies like ISO, ISC2, the PCI Council and NERC to focus this encouragement. Get out of the enforcement mindset, and into an encouragement mindset.
2. Coordinate, Communicate and Collaborate
One of government’s most effective powers is the ability to bring multiple parties together to talk. Where the government has succeeded in information security is when it gets businesses and other parties working together toward a mutual goal. Groups like InfraGARD and StaySafeOnline are good examples. Keep pushing an agenda of getting businesses to collaborate and communicate on security issues. Security information exchanges or coordination groups can help organizations pool knowledge and best practices.
3. Fight Crime, Not Pre-Crime
It is one thing to deter crime with secure protection measures, it is a whole different story to start targeting people before they have ever done anything wrong.
The problem with current security thinking around Washington is this misguided obsession with finding hackers before they have done any hacking.
CISPA is a good example of this obsession with pre-crime. It grants wide ranging powers to target anything. CISPA is the tool of tyrants. It grants overly broad powers to detect crime before it ever becomes a crime. The lack of oversight in CISPA is merely the icing on the police state cake.
It is time to stop obsessing over what could be, and get back to focusing on what actually is. Information security presents some unique challenges to detecting and reporting criminal behavior. However, CISPA (and similar legislation) is not the answer. CISPA is like using a flamethrower to weed your yard.
A more reasonable answer is to stick to a traditional role for law enforcement and augment their incident handling abilities. Consider how local police function in a community. When they are not investigating crimes, officers help organizations with good security practices and guidance. But once somebody calls 911, they spring into action. They have the tools, equipment and training to respond quickly and protect citizens.
The “cyberpolice” need to work exactly the same way. Prior to a hack, they should stick to advising people and organizations on good information security practices. But once somebody calls the “cyberpolice,” they should have the tools, equipment and training to spring into action.
If Washington really wants to help law enforcement, then fund better incident handling. Invest in tools, training and partnerships that let law enforcement respond quickly, determine root cause, track down the attacker and get an arrest.
Hackers are not going to set off nuclear bombs or release toxic clouds. That scenario may sound terrifying, but the chances of that happening are astronomically low. Moreover, law enforcement has already demonstrated it can track and ferret out terrorists without resorting to reading everybody’s email.
The good news is that as of the time of this post, it looks like CISPA is going to fail like its predecessors PIPA and SOPA did. However, this will not be the end of this type of legislation. There are a lot of hucksters selling lies to Washington and a lot of politicians who will use those lies to justify tyrannical control over citizens.
It is time Washington educated itself and stopped treating information security like magic. Information security works best when it works like science; when sound, rational reasoning is used instead of fear and politicking. Information security policy should be coming from experienced, educated and rational professionals who practice risk-based analysis methodologies. The think-tanks, SuperPACs, lobbyists and self-appointed gurus need to be removed from the equation.
The security community has a responsibility to be honest to Washington as well. The sensational hacks and ludicrous scenarios need to stop. This is putting resources in the wrong places and making matters worse.