Unhelpful responses to cyberwarfare

This post is more than 3 years old.

A number of mainstream magazines and newspapers have recently published reports on the increasing threat of "cyberwarfare," the significant resources being devoted to fighting that "war" and what we're doing to protect the critical national asset that is our digital infrastructure.

Unfortunately, most of the responses (and the ones favored by the Obama administration) are focused on paying insanely large amounts of money to private contractors to create and deploy complex technological solutions in hopes of addressing the threat.

What advocates of this approach fail to appreciate is that (A) most of the actual threat comes from uneducated human operators of the technology in question, and (B) deploying homogeneous, technologically complex solutions often makes us more vulnerable, not less.

Once you get past the flashy headlines and attention-grabbing introductory stories in these articles, meant to scare us into believing how real the threat is (basically, bloodthirsty hacker terrorists are trying to kill us all), each of them seems to come back to one of two recurring themes behind these threats.   Either a human being messed something up, or a piece of technology wasn't secure enough and is now being exploited.

For the first case, it's usually things like "so and so unknowingly downloaded a virus onto their USB flash drive and then plugged it into a secure government network - things exploded!" or "an e-mail user clicked on a phishing scam link and had their password stolen."  For the second case, it's usually "Windows machines are insecure, and so they get taken over and absorbed into botnets, which can then wreak havoc through denial of service attacks" or "a security hole is found in a product made by a brand that everyone was supposed to trust, and so it's running EVERYWHERE and OMG we're all going to die."

But in throwing hundreds of millions of dollars at cyberwarfare defense we will most likely see only minimal resources devoted to end-user education and training to defend against social engineering, poor personal security practices, and the related actual vulnerabilities.  The funding will also not include programs to hold hardware and software vendors more accountable for selling more secure products and services to end users.  Instead, it will go toward funding secret surveillance and further shifting control of the Internet into military hands.

With this approach, in the end we'll be back to where we are right now.  End-users will continue the insecure personal practices that lead to security breaches, and the continued homogenization of hardware and software will amplify the potential impact of every security hole discovered.   This is not helpful.
