Some of this is adapted from my notes of a few panels I closely watched at ISA, as well as other papers and sources I have read. I don't claim to be an expert on the subject, but from a high concept, logical standpoint, all of the following items make sense to me, and I have added my own thoughts and analysis when appropriate.
As we all know, cyberspace has seen huge growth in the last, say, 15 years. But until recently, cybersecurity was not seen as an important issue. In 2000, no one really talked about it, but now it's the top of every government's agenda. A few things changed to make this the case, but mainly, there just became a critical mass of people and tools to suddenly make it possible. More and more people have gotten access to the internet, and with those people have come criminals to take advantage of them. With the advances in communications technology, these hackers have increased in skill, shared techniques and software.
None of this would really be a problem, except for the fact that nearly all aspects of the internet were designed with "access", not "security", in mind. Consider most modern software advances. The goal is to let you connect from anywhere, at any time. Google stores your data, but gives you nearly instant access to your e-mail, files stored on their drives, and countless other things, from basically any device with an internet connection. Of course, it's not just Google. The money-making power of the web is to connect huge numbers of people together. But the easier they make it for people to connect, and the more people connected, the less secure everything is. There are huge vulnerabilities, and once the tools to exploit them were figured out, we see the problems we have today.
This is NOT an easy problem to solve, for multiple reasons. For one, the pace of internet access and innovation has only increased, and continues to do so at a far faster rate than people can keep secure. Think about the size of the internet 10 years ago compared to today, and the levels of growth. Cyber is exploding as more and more technology is connected together, but each new connection is a new vulnerability. Let me give you an example. People are waiting for "smart appliances" and "smart grids", in effect internet connected everything. We already have computers, phones, TVs, video game systems, etc. But soon enough, we will have, as a standard practice, internet connected lights, heating and AC, and other basic things around the home. Each of these things is a potential vulnerability for hacking. It might not sound like much, but imagine if someone discovered a vulnerability in a common internet-connected light fixture, and put out a virus that broke them all. How many thousands, millions of dollars in damage could be done? Heating and AC are even worse. Server farms take huge amounts of cooling or else they will overheat. Internet connected AC units could be attacked, which would then shut down the server farms inside those buildings. Thus, the servers are shut down even if the servers themselves are protected against hacking.
Why else is security so difficult? Consider the beginning of the internet, back when it was just ARPAnet. The idea was to create a highly decentralized network that could not be destroyed by enemy nukes, so communications could reroute around any destroyed node. That original idea continues in the basic infrastructure of cyberspace today. There isn't a central location that all information routes through, it goes through servers and hubs all over the world. Though this is very resilient to physical destruction and makes it very easy to add and connect to (thus the growth of the net as we know it today) this lack of central control also prevents any centralized security measures. There are huge amounts of overlapping ISPs, telecoms companies, utilities, to say nothing of individual networks, that could each be attacked individually. An ISP in san francisco could take many measures to secure their data, but the company that actually runs the cables (say Cisco) could be hacked, or a company that uses that ISP could be taken down. Or another ISP nearby could be attacked. The idea is that rather than one central point that could be hardened against any hacking attempt, every individual point of access needs security.
Let's use Microsoft as an example. Microsoft's servers are a point of vulnerability. The ISP Microsoft uses for their traffic is a vulnerability. Any user terminal that can connect to that server is a vulnerability. Any mobile device (phone, tablet, whatever) that can connect to a terminal, or server, is yet another vulnerability. To prevent a hacking attack, virus, etc. from stealing their data, how many things does Microsoft need to secure?
So, we have determined that defense is extremely difficult due to the basic nature of cyberspace today. What about going after the people who actually commit these attacks, be they for economic (cybercrime) intelligence (cyberespionage) or military (cyberwar) reasons? This, as it stands, has its own set of problems. One is proximity. Unlike most ACTUAL thefts, cyber theft can be done from nearly anywhere. Hackers in China can attack servers in the US. There is far more to it than that, though. As far as we can tell, the attacks originated from China. But connections can be routed through all sorts of places. What appears to come from China could actually just be the beginning of a trail of bouncing connections all over the world, making it nearly impossible to track the end user.
Even if one does manage to track down this hacker, how can one bring him to justice? If a company in the US is attacked, and the attack appears to come from, say, North Korea, what can the US do about it? We don't have any authority to investigate who the perpetrator might be. All we have is an IP address. It could have been nearly anyone on the other side of the screen, and the likelihood of the local North Korean authorities to come to our aid is low, to say the least.
Part Two will discuss the theoretical implications of this as well as my personal ideas on cybersecurity theory.
No comments:
Post a Comment