Cybersecurity castles in the sky ('The National Interest', USA)
Any computer in the world can be hacked. Not a single computer, be it a personal computer in your home or a workstation of the director of the CIA in his office, can be completely protected from cyber penetration. Despite all the talk about cyber defense and the billions of dollars allocated to improving security in the public and private sectors (only the Pentagon allocated 2012 billion dollars in the 3,2 year), the PIN of your bank account and secret documents in President Obama’s computer remain vulnerable. The main difference between these objects is the number of people with the necessary skills, time and money to defeat these potential targets.
There is a common misconception that you can ensure perfect cybersecurity if you invest in the protection of sufficient funds and reasonably use access restriction procedures. The harsh truth is that we live in an era of superiority of offensive potential in cyber attacks. For example, experts who test the stability of a computer system in our country say in private conversations that they successfully crack it in 99 percent of cases, and that the remaining amount of time and money is decisive in the remaining 1 percent. There was such a famous and rather controversial principle of the air force: "the bomber always breaks through." The sobering fact of the present state of cyber security is that "a hacker will always break through." And in the foreseeable future, a cyber attack will have no equal.
According to some reports, one of our most protected national secrets - advanced technology for the multipurpose F-35 stealth bomber may have already been stolen by hackers from China. Available data show that they did not overcome the Pentagon’s defense, but extracted information through the penetration of nine defense contractors into computers at once. As a result, we can spend hundreds of billions of dollars and put the future of our air force on a plane, the drawings of which our opponents have apparently already stolen.
A defense contractor should be a highly protected target that is most likely impossible to crack. Unfortunately, the number of companies that cyberspies have successfully penetrated is alarming. BAE Systems, Verisign, Citi, Booz Allen, Google and NASDAQ topped the list of victims, and all this only in the past two years. And since most companies and government agencies are silent about successful cyber attacks, the true number of victims is probably much higher.
The recent disclosure of details of the origin of Stuxnet and its penetration into the highly secure Iranian nuclear center in Natanz provides a clear example of the current superiority of offensive cyber operations. The US examples mentioned above should also serve as a sobering reminder that Iran is not the only country whose sophisticated cyber defense system is vulnerable to a well-equipped and highly motivated state opponent.
In the light of this state of affairs, does cyber defense make any sense at all? Yes, cyber defense, even if it cannot provide us with absolute security, plays an important role. According to information from Verizon, 96 percent of hacks are successful due to the fact that poor protection makes penetration very easy. In fact, most cyber threats create low-level bots, Internet probes that have flooded the Internet in search of promising objects. As President Obama warned recently, too many companies are poorly protected, and some are deprived of “even the most basic protection: a good password. It endangers our public and national security. ” Improving security will improve the degree of reflection of such primitive attacks, freeing up time for defenders to focus on more sophisticated threats to their expensive assets.
Such attention to basic security will reduce the number of successful cyber-attackers from millions of smart hackers to a handful of suspects with the resources and desire to attack cyber-resistant systems. The stronger the defense, the more money, time and skills needed to overcome it.
Politicians must understand the difference: absolute cyber security is a myth, but cyber resistance is achievable and useful.
Information