Don’t Bother Changing Your Password

The news of the day is the Heartbleed bug. The mainstream media is full of the headline “Change your password. Hurry”.

Don’t. Just don’t bother. This is one of the daily occurrences of “major” cybersecurity breaches. The reality is that with this bug or the next one, the issue is not the bug; the issue is the password, as a concept. Any password can be hacked by a serious hacker with a decent computer in minutes if not seconds. How many times do we have to be hacked to get the message across that we need to develop an effective cybersecurity technology instead of stitching patches on the constantly punctured bubble of the firewall?

Doing the same thing and hoping for a different result is not exactly the definition of intelligence. We’ve been doing that every day for a quarter century and calling ourselves cybersecurity experts. It doesn’t seem that the qualification is deserved.

Fake Defenses

The popularity of the Internet quickly led to cyber attacks. We realized the danger and developed our defenses, largely based on variations of a firewall. It does not work, and never did; in fact, it has been mathematically proven that any firewall can be penetrated; furthermore, any firewall can be penetrated in an unlimited number of ways. In the high-tech world, if something does not work within three to four years in the mainstream, it’s dead. Remarkably, we have been clinging to the firewall regardless for a quarter of a century. Why? We did not come up with an alternative.

Instead, we engaged in a series of four nontechnical solutions:

  • Defense by marketing
  • Defense by politics
  • Defense by deterrence
  • Defense by semantics

Defense by marketing. The marketers of numerous firewall manufacturers did a wonderful job. “Firewall” sounds solid and reassuring. Actually, “fig leaf” protection is a far more accurate description of firewall technology. No matter, we kept manufacturing, selling, and buying firewalls, happily using the electronic version of the proverbial emperor’s new clothes.

Defense by politics. As technical measures did not work, we started the second phase. We tried to contemplate legal obstacles to cyber attacks, both domestically and abroad, by pressuring other countries to “crack down” on cyber criminals. This approach was quickly proved largely ineffective and quietly stopped. The latest attempt to revive this approach was made at a London conference for cyber security at the end of October 2011, and it was promptly rejected by most participants, notably the British.

Defense by deterrence. Some politicians and generals fighting the traditional “last war” have tried to resurrect the Cold War approach of strategic deterrence. This is a spectacularly misguided effort. During the Cold War, we knew exactly who the offender would be, and the threat of swift retaliation would follow. In cyberspace this is not valid. We can sometimes, but not always, discover who the offender is. However, we can never be certain. In fact, often we don’t even know there is an offender, because we often cannot detect an attack that has already succeeded.

Furthermore, there is a wide range of potential deterrence measures. At one end of the spectrum, a mother’s threat to withhold a new bike for her son’s fifteenth birthday is deterrent enough. At the other end, for an al Qaeda terrorist, a potential death penalty would not be a deterrent but a badge of honor. Who are we supposed to deter, and how? Luckily, the idea of defense by deterrence was sent back to happy retirement.

Defense by semantics. Under pressure of the facts, in the last few years it has become possible to say, off the record, that the firewall concept does not work. This was progress—at least it was a late triumph for free speech. So the second nontechnical solution tried, incidentally one usually performed by technical “experts,” was defense by semantics. A large number of new terms and acronyms flooded the market, and we came to a point where computer security lingo became an alien foreign language that everybody speaks but nobody understands. However, the facts were still pressing, and the danger has become too obvious to ignore.

Cyber Bombs

Victor Sheymov’s Blog on Cyber Security and Intelligence

An important and often overlooked aspect is that many computers are infected by malware well before that malware is triggered. It means that many of our critical infrastructure computers already contain “cyber bombs” that are waiting to be triggered at a time chosen by the attacker to maximize the damage. This malware is extremely difficult to detect, and on a large scale such detection is a practical impossibility. Furthermore, disconnecting computers from the Internet would in most cases be ineffective, since malware can easily reconnect the computer to the Internet if the proper hardware and wireless access are present, and they usually are. So we are sitting on multiple bombs embedded in our critical infrastructure, at the mercy of multiple unknown attackers.

Thus we are facing a grim reality that we do not fully comprehend, and not much has been done about it so far. Our vulnerability has not improved over the years; indeed, it has deteriorated. The technology of cyber attacks has advanced more than the technology of computer security. Let us review how we got into this situation and, more importantly, how to get out of it.

Running out of Time

As a country, we are slowly coming to the realization that we are vulnerable. We are almost subconsciously accustomed to knowing that we are vulnerable to a nuclear attack by a very powerful potential adversary; luckily, there are only two of them on this planet. We are getting used to the realization that we are vulnerable to a possible collapse of the globalized monetary system. But we have yet to realize that we are vulnerable to a cyber attack that could be more damaging than anything except a massive nuclear strike. The most startling fact is that such an attack could be delivered by an individual or a small group with a few thousand dollars and access to nothing more than the Internet. This aspect is politely called “asymmetric warfare,” but in fact it represents the failure of our security technology.

The estimated annual cost of global cyber crime is $960 billion, but that is just a small part of the threat. Damage to critical infrastructure and major industrial assets can easily surpass that, not to mention the potential for massive loss of life. We are beginning to realize that a cyber attack can literally incapacitate our critical infrastructure. Cyber attacks can explode oil refineries and chemical factories, clog up our streets and render emergency services powerless (if they themselves are still available), and leave our houses without heating and air conditioning—or even blown up by the manipulation of gas distribution systems. If this list is not impressive enough, it can very easily be extended. And the reality is that at this time we are not doing much to defend against such attacks.