What the U.S. Government Gets Wrong About Real Cybersecurity Threats

Jan. 29 2013 11:21 AM

The Two Classes of Cyber Threats

Why systems that everyone considers critical are at lower risk.

Aaron Swartz at a Boston Wiki Meetup.

Photograph by Sage Ross/Flickr/Wikimedia Commons.

There is one number that matters most in cybersecurity. No, it’s not the amount of money you’ve spent beefing up your information technology systems. And no, it’s not the number of PowerPoint slides needed to describe the sophisticated security measures protecting those systems, or the length of the encryption keys used to encode the data they hold. It’s really much simpler than that. The most important number in cybersecurity is how many people are mad at you.

Let’s say, for example, that your organization has done something that has angered a few hundred million people around the world. Suppose that 1 percent of them are computer whizzes, and 1 percent of that group has the time and inclination to devote themselves to waging war on your information technology infrastructure. That means you’re up against tens of thousands of people committed to bringing your systems down. Some of them are going to succeed.

Case in point: On Friday, Anonymous took over the U.S. Sentencing Commission’s website in response to the recent suicide of Aaron Swartz, who had been facing the prospect of more than 30 years in prison for downloading academic articles without authorization. In an action the group calls “Operation Last Resort,” Anonymous announced on the Sentencing Commission’s website that it has compromised and extracted secret files from multiple U.S. government systems. It threatened to release excerpts from those files in the coming weeks to various media outlets. After being intermittently restored to service, the Sentencing Commission’s website was hacked again on Sunday, this time turning into a playable game of Asteroids.


The image of Anonymous running roughshod over a Department of Justice website doesn’t inspire confidence in the level of U.S. government cybersecurity. In the DOJ’s defense, it could be pointed out that the Sentencing Commission site is merely an outward-facing portal, and that most of the government’s systems and networks are buried behind many more layers of protection. But in today’s world, all electronic systems are connected. Even those that are separated from the rest of the Internet by an “air gap”—so that they don’t talk directly to the outside world—can be compromised via software delivered (and later extracted) by a USB stick or CD drive by a malicious or unwitting insider.

Anonymous, of course, is not the only group that might have an interest in compromising American computer systems. State actors have long been suspected of conducting industrial espionage on American companies, and unlike hacktivists, they aren’t likely to announce their successes. But it doesn’t take a genius to look at what Anonymous can do and conclude that true cybersecurity is an illusion, and that anyone who claims otherwise is lying, delusional, incompetent, or some combination thereof.

There are degrees of protection, and it is certainly possible and prudent to eliminate known vulnerabilities. But given the literally incomprehensible complexity of today’s systems, there is a never-ending stream of previously unknown vulnerabilities that cyberattackers are just as well qualified as cyberdefenders, and in some instances better qualified, to find. Cybersecurity is a game of whack-a-mole on a large and rapidly expanding playing field, and when the number of moles is orders of magnitude higher than the number of people holding mallets, the moles will often have the upper hand.

Against this backdrop, it is interesting to consider a recent report that the government plans to add 4,000 people to the Department of Defense’s Cyber Command, which currently comprises only 900 personnel. In the current era of tightening federal spending, any staffing growth is unusual; an increase of this magnitude may be unmatched in any other sector of government. It telegraphs that the Department of Defense recognizes the increasingly critical role that cybersecurity plays in U.S. national security. And, to the extent that Cyber Command can help make critical infrastructure such as the power grid and financial system less vulnerable to a massive attack that could endanger the lives and livelihoods of tens of millions of people, its efforts will be an important and much-needed contribution.

If Cyber Command succeeds in safeguarding these systems, it will be in part thanks to the high skills and dedication of the people it will hire. But in large measure it will also be because there are few would-be hacktivists who would take any pleasure in an attack that could leave large swaths of America shivering in the dark on a cold winter night, or unable to purchase food because the country’s payment systems have stopped working.

Thus, what the government calls “critical infrastructure” really describes two different classes of systems that call for very different cybersecurity strategies: Some, like the power grid, are viewed by everyone as critical, and the number of people who might credibly target them is correspondingly smaller. Others, like the internal networks in the Pentagon, are viewed as a target by a much larger number of people. Providing a high level of protection to those systems is extremely challenging but feasible. Securing them completely is not. That’s a realization that, despite all evidence to the contrary, one suspects hasn’t fully sunk in inside the Beltway.

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

John Villasenor is a nonresident senior fellow at the Brookings Institution and a professor of electrical engineering and public policy at UCLA.  
