The Wall Street Journal just ran a cover story titled “U.S. Outgunned in Hacker War”.
Run for the hills!
No, wait, let’s take a closer look. My first reaction was to look for details on who is outgunning the U.S. My second reaction was to look for a definition of a “Hacker War.” Unfortunately, the story comes up short on both counts.
The reader is left without clarity on who is shooting or what is meant by the term war. That is unfortunate because it would not have been hard for them to write a more balanced (e.g. include a counter-point) and substantive (e.g. include some data) story. Here is how I tried to make some sense of this story using a few simple steps.
The WSJ uses a quote from the FBI to start its story.
The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.
Could this be in terms of U.S. criminals who are plundering U.S. assets? Why would I ask that? Let’s jump right past all the glaringly obvious examples of Bernard Madoff, Kenneth Lay, Jeffrey Skilling, Andrew Fastow, Bernard Ebbers, Scott Sullivan…and look at some of the latest data on IT threats from a security solution vendor.
- More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.
- Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.
- On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week…
Also, as I explained in my presentation on breach data at the RSA SF 2012 conference, the U.S. shows up in many reports as the #1 source of threats. Sophos lists America as the top spam-producing country (China is the most attacked, according to them), while McAfee says 73% of malicious online content is hosted in the U.S. In other words, the U.S. currently is allowing attackers to attack the U.S. So, if we add this detail to the story, can we conclude the U.S. is outgunned by the U.S.?
Before I answer that, you may say this data is from vendors and of course they are stoking fear. That is true, but it at least gives us some quantitative detail that we can assess and verify on our own. The Wall Street Journal mentions no data at all.
More to the point, we could make a similar argument about the source the Wall Street Journal uses to open its story. The perspective it cites is actually from a person leaving for a private-sector consulting practice. Clearly Henry stands to profit more, and to help his consulting firm win clients, when he stokes generic security fear.
Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy.
…operators at Mr. Henry’s firm are standing by to sign you up for a new service. You can have all the major change he says you need for the low, low price of just $$$K/month.
So the first technique I recommend when reading these scare stories is to seek transparency: get to the data and verify the analysis. Always account for bias. We should not be satisfied with stories of a threat mired in sophisticated or advanced details, especially from those who stand to profit from obfuscated services. As Einstein once said, “if you can’t explain it simply, you don’t understand it well enough.”
Now back to the question of the U.S. outgunning the U.S. The Wall Street Journal suddenly and without explanation brings up China.
Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn’t realize they had been breached until someone else told them.
As Richard Bejtlich must know, the vast majority of companies don’t realize they have been breached until someone else tells them, full stop. The new Verizon DBIR says 92% of incidents were discovered by a third party. That data point has nothing to do with China or the Chinese.
I have commented before on errors from those with an anti-Sino fixation. It is not clear to me why the Wall Street Journal is so eager to follow their fixation without question.
Breach data, referenced above, shows that the Chinese are not the most likely source of attack. That is not to mention that when I read Bejtlich’s latest opinions I ponder how the person who names his book The Tao of Network Security Monitoring, his company Tao Security, and his Twitter handle @taosecurity (using the yin-yang symbol as his company logo) has become the person trying to convince us that the Chinese are stealing ideas from America.
I’m not saying the U.S. should not accuse the Chinese of copying ideas, since obviously attacks can come from anywhere and a Bernie Madoff could be born in any country; but those in the U.S. who worry about transfer of knowledge should be careful to put their accusations in perspective. Noodles, gunpowder…so many things popularised as American are obviously not from America. The issue of “who” is complicated but focusing on outsiders may be a distraction from more likely threats. We should be careful before we de-emphasise or fail to account for the risk from insiders.
The answer to my first question about the WSJ title, I would argue, is that the U.S. is actually outgunned by the U.S. This includes outsiders granted insider access. It also includes threats from trusted insiders — those supposed to be protecting other insiders.
The second technique I recommend when reading these scare stories is to seek details on the vulnerabilities. Once we identify who is involved we also need some idea of their capability to cause actual damage. Ironically, I can’t think of a better example than China to illustrate this point.
News has been flaring up about a crackdown in China on expression. The Chinese are upset about the Chinese and are restricting speech they consider harmful.
Authorities also closed 16 websites and detained six people, Xinhua reported, for allegedly spreading rumors of “military vehicles entering Beijing and something wrong going on in Beijing,” a spokesperson for the State Internet Information Office told Xinhua.
This is a case where an authority sees a threat so great that they take action to reduce risk. As Americans we most likely disagree with the Chinese government’s assessment of vulnerability. We live in a country where freedom of speech is said to make us stronger (still with some exceptions).
However, if you look past the question of who is the threat and on to the question of capability, then the Wall Street Journal story really comes down to the FBI calling for more “guns” to fight a “Hacker War” so it can increase its capabilities, perhaps to the level that the Chinese are demonstrating with their latest crackdown.
Americans reading the Wall Street Journal story might be distracted by the Chinese tangent and think this is an us-versus-them war. But the reader is wise to think much more carefully about whether and when to trust an increase of power in authority to crack down on threats that may actually be on the inside.
Alas, we’re now back to the question of what they mean by “Hacker War”. If we try to define war without any notion of internal threats then it becomes more of a discussion of whether and where the U.S. is working on ways to undermine or bypass sovereignty again. But it should hopefully be clear now that the threat is not just external.
Perhaps the best way to look at this is by comparison with healthcare risk news. If the Wall Street Journal ran a story on the latest data on eating well, they probably would have titled it “U.S. Outgunned in Sugar War.” So the question becomes: why are we allowing ourselves to do so much damage to ourselves? Or maybe the question, in terms of Bruce Schneier’s new book, is how much damage is acceptable before we are willing to give more firepower to authorities, knowing how much it can reduce our freedom.