No Magic Solution to Cybersecurity

We all know security in cyberspace is a critical topic, but the problem is that we simply do not understand it, which means we can be taken advantage of.

January 15, 2014

Back in the 1950s, kids hacked soda vending machines with pen refills and made free pay-phone calls with straight pins. But the manufacturers quickly wised up, and those analog hacks don't work anymore (and payphones have been completely re-invented). But digital hacks are something different.

If you are one of the millions of people who shopped at Target between Thanksgiving and Christmas, for example, you probably have a queasy feeling following the news that some 110 million Target shoppers' data was grabbed by hackers. But don't be surprised: it's only the latest in a long line of attacks on financial and other infrastructure. And as our society runs more of its critical systems on connected digital networks, it will continue to happen. One Target shopper recently interviewed by the media said she's gone back to shopping with cash. Of course, carrying wads of cash is less convenient and makes one a target of another, more old-fashioned variety of crime.

And these days it's not kids with straight pins doing the hacks, but criminal gangs and even countries. Even banks, supposedly the gold standard for IT security, have been hacked. In one exploit a few years ago — called Operation High Roller — a coordinated cyberattack against 60 different banks netted hackers some $78 million. Then there are the “hacktivist” groups determined to make political or social points by attacking those they disagree with. And it's not a free soda or phone call at stake but bank accounts, reputations, the electrical grid, power plants, traffic signals or missiles.

This game of attack and defense will continue to escalate for many years, according to the Federal Trade Commission’s Chief Technologist Steven Bellovin. “The odds on anyone ... finding a magic solution to the computer security problems are exactly zero. Most of the problems we have are due to buggy code, and there’s no single cause or solution to that.” Bellovin, who is also a computer science professor at Columbia University, told Government Technology that we need to build systems with the understanding that there will always be security failures. "My own working philosophy," Bellovin said in 2012, "is that programs will have security bugs -- then what?"

"Then what," according to Peter W. Singer, is a better understanding of cyberspace and a commitment to planning for a future with it at the center. Singer, coauthor of Cyber Security and Cyber War: What Everyone Needs to Know, in an interview published by the Brookings Institute, stated that we all know cyberspace and security is a critical topic.

"The problem is rather that we simply do not understand it," he said. "Not knowing about cyberspace means that we can be taken advantage of. At the individual level we are subject to hackers and false information. And at a higher level, companies and government agencies have profited, frankly, by just making this whole process seem much scarier than it actually is."

Singer says that we must understand the political, social and organizational factors of cyberspace to help us accept and better manage the risks. As in most things rational, he says we must strike a balance between too much control -- which opens the door for repressive regimes -- and anarchy.

"It is all about building structures and incentives that will allow you to manage the world better," Singer said in the interview.