The recent cyberattacks on the U.S. government and select companies that security agencies say is “likely Russian in origin” should be ringing alarm bells across the capital and across the nation. By compromising a software vendor and manipulating their updates, hackers infiltrated the sensitive networks of many of our institutions.
Now I fear we’ll repeat our past mistakes by focusing all of our attention on how the attackers got in rather than focusing on what they were able to do once they got there.
The number of ways to get through the perimeter defenses is large. In a system as large as the U.S. government, there are an incalculable number of ways that an attacker could potentially get in. That’s because of the complexity of these systems and the amount of software and people involved.
Inevitably some of that software will have bugs and some of those bugs will be exploitable by hackers. And some of those people may be compromised as well.
The real problem here isn’t the security issue of the day, it’s the mindset we bring to the problem. We’re thinking about our cyber defense using outdated castle-wall analogies. We imagine we can keep the attackers outside the wall and keep our sensitive belongings safe inside it.
What if instead of imagining impregnable walls we instead assume the enemy is already within?
In this instance and almost every major hack that makes the news, we learn that the delay in detection was on the order of months. Given the likelihood of an undetected breach, the question we need to ask ourselves is this: How do we protect our data if our networks are already compromised?
To me, the answer is clear: We must secure the data using modern encryption techniques. Our focus must be to make it so the breach of a running machine doesn’t equate to the compromise of the data on that machine.
For most systems, it’s the confidential data we’re trying to protect. Sure there are other concerns, such as the integrity of critical infrastructure like power plants to consider as well.
In all of these cases, strong cryptography that ties to identity and links with provable access controls is the best answer available today.
I’ve spent years thinking about how we should retool our approach to cybersecurity. I’ve concluded that the only way to do this effectively and comprehensively is to start with the building of our software and systems. But this creates a problem because most of what we do today is tethered to a world of legacy software and systems that can’t easily be rebuilt.
I co-founded a company that is focused on solving this problem by giving software developers the tools they need to build modern applications with data security at their heart. By making it easier to build software this way, we hope to bend the industry towards a future where attackers don’t have such an overwhelming advantage over defenders.
But what if we could bring this sort of change about more quickly? At the current pace, it will be decades before our critical infrastructure is retooled with a secure base that protects the data. We’re fighting institutional lethargy, entrenched patterns for building software systems, and the lack of forcing functions that would make the needed changes a priority.
This impacts all of us. When major engines of our government are breached or when large corporations cough up data, it’s more often than not, our data. The data of citizens and consumers. And it happens over and over and over again.
Our lawmakers could force the change, but they meet this news with shrugs of the shoulders. For many of them, this is well outside of their core competency and so they hope the free market will solve its own problems. But the market is not meaningfully penalized for losing data nor rewarded for protecting it.
As with everything else that matters from energy to agriculture, the free market must be nudged to create the proper economic incentives for the good of society.
We need a combination of incentives starting with penalties in the form of more meaningful liability when people’s personal data is compromised as is now the case under California’s Consumer Privacy Act.
We need to reward companies that build data-protection-first systems by, for example, giving those systems preference in procurement processes where a contract for software that considers two systems with similar functionality goes to the system with the stronger data controls.
And we need to allocate funds to reshape or replace legacy software with modern, secure by design systems so these old systems don’t continue to hold back the change we need.
We live in an age of asymmetric cyber warfare where even small and dedicated teams of attackers have an advantage over large and well-funded defenders. It’s time to reshape the landscape. And we need our politicians to help lead this change.
The Colorado Sun is a nonpartisan news organization, and the opinions of columnists and editorial writers do not reflect the opinions of the newsroom. Read our ethics policy for more on The Sun’s opinion policy and submit columns, suggested writers and more to email@example.com. (Learn more about how to submit a column.)