Opinion: America is under cyber attack, so what should we do?

Filed Under: Data loss, Denial of Service, Featured, Law & order, Malware

crisis imageYesterday, the US House of Representatives announced “cybersecurity week,” kicking it off with a Subcommittee Hearing entitled "America is Under Cyber Attack: Why Urgent Action is Needed".

As you might imagine, they didn't hold back, launching the week with a Hollywood-blockbuster style introduction, rallying citizens to fight off evilness.

(The only problem is that we have yet to identify our masked, caped, and brightly underpanted cybersecurity star who'll whoosh in and lead us to peace-and-harmony ville.)

If only for entertainment purposes, I would urge you to watch or read the opening statement [PDF].

Here are a few snippets:

America’s computers and Internet infrastructure are under attack and every American is at risk.

...this is not a science fiction scenario. There are no shells exploding or foreign militaries on our shores. But make no mistake: America is under attack by digital bombs.

...it is not a matter of if, but when a cyber Pearl Harbor will occur.

They even bring up the horrors of 9/11 to really drive their point home.

What really ticks me off about this kind of hyperbolic rhetoric is that it is ridiculously emotive, designed to spread fear and doubt to everyone in earshot, and via the power of the internet, dribble down to the rest of us.

Do we really want our leaders whipping themselves into a frenzy of blind panic before they decide on their next steps? A subcommittee hearing is surely not the place for popcorn-munching dramatics. Am I nuts to want logical concerns brought to the table in a calm, orderly fashion, so they can be studied, analysed, debated and prioritised?

So, why all this drama? Are they trying to soften us up for something?

According to the EFF, this approach might be used to convince us that in order to keep us safe, government needs to pick away at our dwindling privacy.

While we think an increased focus on catching criminals using existing tools is a fine tactic that could be used by law enforcement, we fear the temptation for law enforcement to increase their surveillance capabilities in order to successfully go on the offensive in the context of computer crimes. This could mean things like breaking into people's computers without warrants, or disrupting privacy-enhancing tools like Tor.

The EFF raise a really good counterpoint: rather than just go all Steven Seagal on online baddies, perhaps we should look really, really closely at our current infrastructure.

Vulnerabilities, by their very name, are weaknesses in our defences. Why not focus on resolving these first?

Yes, it is painful to go back over already-written code, but combining the skills of penetration testers, white hats, forensic analysts and coders, we could review and strengthen today's infrastructures. We could also all do our bit to educate general users on why it is important to practice safe computing and how to do it.

The thing is, while there are charlatans in every industry, the security market is rich with clever experts who know how to problem solve quickly and laterally. These are the people we should rally together to review, and where necessary rethink, our current defence mechanisms and strategies.

But, it is much easier to pass laws to force everyone to divulge who they are, where they are, what they are doing, when they are doing it, etc etc. And don't worry about this information ever getting into the wrong hands, as we have our existing defences in place to protect the government databases housing all your information.

Oh, wait a minute....

Crisis image courtesy of Shutterstock

, , ,

You might like

21 Responses to Opinion: America is under cyber attack, so what should we do?

  1. Even if the fear mongering dorks know every one of us and everything we do, there are billions of us and only a few of them. Security needs to be more than being able to snoop.

  2. Sean · 825 days ago

    Vulnerabilities? Sure. So all we need to do is produce perfectly secure code.

    Perfectly secure code. Which means no more jailbreaking iPhones… which the EFF supports. Oh. Damn. But then, perfectly secure code is probably impossible in a market economy anyway. But sure, let's just focus on reducing vulnerabilities.

    The EFF seems like a rather naive bunch sometimes.

    True, the US Congress is full of windbags. But that doesn't mean there aren't real threats out there. (Aurora, RSA Hack, et cetera.)

    • Michael · 825 days ago

      On the other hand, if you don't jailbreak your iPhone, you're stuck with the vulnerabilities in the 'perfectly secure code', and perhaps the odd vendor-installed rootkit broadcasting your sensitive data (unencrypted) for anyone to intercept. Decisions...

  3. Steve · 825 days ago

    Its the oldest trick in the book, make people afraid by presenting a new threat and then promise protection if they will just sign over their freedoms.

    Worked for Hitler after all.

    • Freida Gray · 825 days ago

      It also worked for the Mafia a few decades ago.The government does get behind the times on some things.

  4. Michael · 825 days ago

    Well, since 'cyber' is a kind of slang for God only knows what, their opinions are basically incoherent rambling. Does it refer to the Internet, applications, layer 2 stuff, infrastructure, or what? Nobody knows, because 'cyber' is used by those with absolutely no idea what they're talking about.
    Can a given 'cyber attack' scenario happen? We simply don't know, because they haven't produced supporting evidence that [bad guy] has both intent and capability, or fully explained how the attack could be carried out.

    • Anonymous · 825 days ago

      "Cyber" is used for an overarching term to cover everything. Sure, the word might be overused, but doesn't make it less valid. I think the point is that it's a blanket term, because to your point, there are SO many vulnerabilities, points of infection, entry points, so on and so forth, that listing them all would be a run on sentence like this one.....

      The reality (back to the article) is that cyber warfare and espionage is real - plain and simple. The deadly attack to the US (ala 9/11) hasn't happened yet - but it will - it's only a matter of time. And, like typical US government, we'll be behind the 8 ball and cleaning up the mess after it happens. Now don't get me wrong, I am NOT a proponent of handing over my freedoms to the government or giving in to their power regime, but I also understand the severity of the next potential attack. (see "Operation Shady Rat" or "Stuxnet"). The Chinese government is FUNDING departments to deliver these type of attacks to opposing governments - you think they won't have some "cyber-threat" that takes down an oil refinery or water treatment plant affecting (ie killing) US citizens? Most of our controls are automated and CAN be compromised with the right intelligence and intent. Cyber-warfare is the next phase in combat evolution - and the people late to see this will be the ones to pay. But, please keep in mind, I'm not trying to cause public panic....

      • Michael · 825 days ago

        You mean the 'magical cyber Pearl Harbour apocalypse second coming of Jesus Christ' politicians were telling us was imminent for the last 20 years? I also noticed the STUXNET attack more or less happened independently of the Internet - the intelligence was most likely gathered through physical infiltration, as was the entry method for the virus. STUXNET was also developed by some group with a level of expertise far beyond that of political or religious extremist groups.

        It is widely believed Chinese and Russian groups, possibly state-sponsored, have infiltrated networks, but their methodology is roughly the same as any criminal hacker conducting routine network penetration. The difference here is the Chinese/Russian groups are more skilled in concealing their activity. Politicians are getting this mixed up with science fiction scenarios.

      • Sean · 825 days ago

        Umm... Probably not.
        "cyber war will not take place"
        By Thomas Rid, published in the journal of strategic studies. http://www.tandfonline.com/doi/full/10.1080/01402...

        Espionage maybe, but "cyber war" not so much.

        Enjoy.

  5. Andrew · 825 days ago

    If they were living in Iran, then they would certainly have a case. Not just cyber threats like StuxNet, but also assassinations. Methinks some people need to take a good strong look in the mirror. This is not an endorsement of the system of government of Iran, by the way, nor a general condemnation of the good ol' US of A.

  6. Vito · 825 days ago

    "Am I nuts to want logical concerns brought to the table in a calm, orderly fashion, so they can be studied, analysed, debated and prioritised?"

    No, Carol...you're just nuts to expect that kind of behavior from the kind of flim-flam men (and women) who crave political power.

    They've been doing this since the concept of political democracy by public vote became an institution. It's so transparent that the rational mind reels in incredulity that everyone doesn't see it for what it is---another attempt to pass even more laws that strip us of even more freedom.

    These are people whose purpose is to maintain the public perception that we need them to protect us from the boogeyman. They don't protect us from anything. What we really need is protection from them.

  7. David · 825 days ago

    Bottom line is awareness to the general public. Their target is not so much those of us in the IS Security field but those that never think about basic consequences; and that's a bunch of us. As a whole, we tend to be kind of dumb about certain things that are not good for us (e.g. cigarettes, junk food, seat belts, etc.), in this case, IT Security. Awareness people, don't read too much into it; no conspiracies, hidden plots or us versus them scenarios. Is there a problem? Yes. Quick or easy fix? No. Can we minimize risk? Yes, with awareness.

  8. abeastwood · 825 days ago

    Can anyone name more than two members of the House of Representatives who would recognize a "cyber attack" if it hit their laptop?

  9. AAA · 825 days ago

    What really gets me is that they have the nerve to reference (and take advanage of) a real tragedy (pearl harbor).
    "And every american is at risk" - Yes, if this bill passes that is.

  10. Walt · 824 days ago

    This sounds like another TSA boondoggle. A lot of show, people inconvenienced, but no real results.

  11. LOL.
    I bet It is because of skype users ip reveal. Political ass-es fear of revenge. http://skype-ip-finder.tk/ http://skype-open-source.blogspot.se/2012/04/skyp...

  12. Alexander Peter Kowalski · 824 days ago

    Start EDUCATING END USERS & not just on security sites - only those interested in the field generally frequent them (such as your site, & you do a decent job of it, as I love your mails actually). I've been doing it for years since 1997, & current using guides posted on Windows users' forums (that are not "technical security gurus") such as this last round I did in 2007 that use the actually FUN TO USE & highly esteemed CIS Tool which is multiplatform:

    http://www.bing.com/search?q=%22HOW+TO+SECURE+Win...

    It actually makes it FUN TO DO (almost like running a PC performance benchmark, albeit this is for security "above & beyond" the std. fare like firewalls, antivirus/antispyware, etc.)... & most importantly? IT ACTUALLY WORKS (as well as the best thing we have going for us currently, & that's the concept of "layered-security"/"defense-in-depth").

    There's no "magical single solution" but you can make it EXTREMELY DIFFICULT on attackers, & especially by "spreading around YOUR SECURITY KNOW-HOW" to others. Especially those that are NOT as "into it" as folks are say, around here.

    APK

    P.S.=> After all, imo @ least? The "weakest link" IS the ignorant or rather unenlightened to security in computing END USERS, & malware makers KNOW IT.. hence, why they go after the most used platforms like Windows on PC's & ANDROID on smartphones (better "ROI" for them, & especially w/ typically non-security conscious end users)...

    To the security folks around here especially: YES - the community "takes care of its own" & constantly is enlightening itself & its members to threats... time to do more of the same for "regular folks" because THEY ARE THE ONES "TARGETTED FOR TERMINATION"... apk

  13. Alexander Peter Kowalski · 824 days ago

    My ENTIRE link was cut off by the forums engine here http://nakedsecurity.sophos.com/2012/04/27/americ... and, now that "mangled link" (@ least in Opera which is the browser I use) leads to something completely irrelevant unfortunately.

    However, but you can simply search "HOW TO SECURE Windows 2000/XP" on BING or GOOGLE to get the links & guides for it.

    APK

    P.S.=> That's the kind of material to put up for folks less "technically proficient" than many are say, around here for example. It also again uses a tool that is FREE (or was) for Windows 2000/XP/Server 2003 (& even *NIX variants) called CIS Tool that is highly esteemed for securing an end-user's system... it has FREE trials (30 days, more than sufficient) for Windows 7/Server 2008 R2 etc. also...

    The tool, once more, makes securing a system based on "best practices" actually "FUN-TO-DO" in a "nerdy kind of way" (much like running a PC performance benchmark) & yes, the makers of it even take feedback when you disagree with some of their recommendations (they took 3-4 of mine in fact) & in what conditions + why you feel they need amendments in... that's the mark of a GOOD set of software engineers/programmers (been one myself professionally since 1995 in fact, but I'm just a guy that can "get the job done", nothing more)...

    In any event? I thought I would point that out, as the guide uses "Layered-Security"/"Defense-In-Depth" TO-THE-MAX for Windows users, and again, yes it points to an excellent tool that even a "NOOB" would appreciate & very possibly LEARN MORE FROM too... apk

    • Jim · 807 days ago

      Still sporting those ALLCAPS and ranting like a lunatic I see.
      You go girl!

  14. APK · 694 days ago

    @Jim the troll - is THAT the "best you've got", troll? Illogical off-topic failing weak ad hominem attack attempts don't cut it - you FAIL, troll, simple as that!

    APK

    P.S.=> You have issues... apk

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos' s Global Director of Social Media and Communities. Proudest work achievement? Creating and launching award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and blogger .