Cybersecurity people like to say that there are two types of organizations: those that have been hit and those that do not know it yet. Recent headlines suggest the joke is close to the truth. Cybercriminals stole the credit-card information and personal data of millions of people from companies that included Target, Home Depot and JPMorgan Chase. Security researchers discovered fundamental flaws in Internet building blocks, such as the so-called Heartbleed vulnerability in the popular OpenSSL cryptographic software library. A massive data-destruction attack sent Sony Pictures Entertainment back to using pen and paper. Criminals accessed the data of roughly 80 million customers of health insurance giant Anthem. And these are just the incidents we know about.
In the coming years, cyberattacks will almost certainly intensify, and that is a problem for all of us. Now that everyone is connected in some way to cyberspace—through our phones, our laptops, our corporate networks—we are all vulnerable. Hacked networks, servers, personal computers and online accounts are a basic resource for cybercriminals and government snoops alike. Your corporate network or personal gaming PC can easily become another tool in the arsenal of criminals—or taxpayer-sponsored cyberspies. Compromised computers can be used as stepping-stones for the next attack or become part of a “botnet,” a malicious network of controlled zombie devices rented out by the hour to launch denial-of-service attacks or distribute spam.
In response to threats such as these, the natural reflex of governments in the U.S. and elsewhere is to militarize cyberspace, to attempt to police the digital world using centralized bureaucracies and secret agencies. But this approach will never work. In fact, for reasons we will get to shortly, it might just make things worse. Cybersecurity is like a public health problem. Government agencies such as the Centers for Disease Control and Prevention have important roles to play, but they cannot stop the spread of diseases on their own. They can only do their job if citizens do theirs.
The vastness of cyberspace
Part of the challenge of protecting cyberspace is that there is no single “cyberspace.” It is a vast, interconnected system of systems, and it is changing and growing all the time. To appreciate this fact, we must go back more than half a century, to the work of Norbert Wiener, a professor of mathematics at the Massachusetts Institute of Technology. In 1948 Wiener borrowed from the ancient Greeks to name a new scientific discipline he was developing: cybernetics, which he defined as the study of “control and communication in the animal and the machine.” In the original Greek, kybernetes was the title for the steersman or pilot directing and controlling vessels sailing the Mediterranean. By analogy, cyberspace should be understood as the collection of interconnected electronic and digital technologies that enable control of, and communication among, the systems underpinning modern life. Cyberspace consists of a huge spectrum of remote control and communications technologies, from radio-enabled embedded insulin pumps to GPS satellites.
Cyberspace is not a public commons; it is not like international waters or the moon. It is not a collection of territories that governments or militaries could effectively control—even if we were to ask them to. Most of the technologies and networks that make up cyberspace are owned and maintained by multinational, for-profit conglomerates.
The number and variety of technologies included in this space are growing rapidly. Networking technology vendor Cisco Systems forecasts that by 2020, 50 billion devices will be connected to the Internet, including a large proportion of industrial-, military- and aerospace-related devices and systems. Each new thing that connects to cyberspace is a potential target for a cyberattack, and attackers are good at finding the weakest links in any network. The hackers who breached Target's point-of-sale system and stole millions of payment cards, for example, gained access to the retailer's network by first compromising an easier target: Fazio Mechanical Services, the refrigeration and HVAC contractor that serviced Target's heating and cooling systems, whose credentials for Target's vendor portal gave the attackers their foothold. The Chinese spies who allegedly gained access to the networks of defense company Lockheed Martin in 2011 did so by first hacking into security company RSA, which provided Lockheed Martin with its SecurID authentication tokens. RSA itself was compromised only because an employee at its parent corporation, EMC, opened an innocuous-looking Excel attachment in an e-mail; the spreadsheet carried an exploit for an Adobe Flash flaw that was unpatched at the time.
The “things” of the Internet of Things are not just windows that attackers can sneak through: they are themselves targets for potential sabotage. As early as 2008, security researchers demonstrated that they could remotely hack into embedded pacemakers. Since then, hackers have shown that they can hijack implanted insulin pumps using radio signals, instructing the devices to dump insulin into patients' bloodstream, with potentially lethal results.
Physical infrastructure is also at risk of attack, as we learned in 2010, when the infamous computer worm Stuxnet was found to be responsible for the destruction of roughly a thousand uranium-enrichment centrifuges at the Iranian facility in Natanz. Stuxnet, allegedly the fruit of an intensive and costly collaboration between the U.S. and Israel, made a historic point: digital computer code can disrupt and destroy analog, physical systems. Other attacks have since reinforced the point. In December 2014 Germany's Federal Office for Information Security reported that hackers had worked their way from a steel mill's office network into its production systems, preventing a blast furnace from shutting down properly and causing “massive damage to the system.” Three months earlier, hackers whom U.S. officials attributed to China attacked U.S. National Oceanic and Atmospheric Administration Web sites that process data from satellites used for aviation, disaster response and other critical duties.
What this means is that cybersecurity is not just about securing computers, networks or Web servers. It is certainly not just about securing “secrets” (as if there is much Google and Facebook do not already know about us). The real battle in cyberspace is about protecting things, infrastructures and processes. The danger is the subversion and sabotage of the technologies we rely on every day. Our cars, ATMs and medical devices. Our electric grids, communications satellites and telephone networks. Cybersecurity is about protecting our way of life.
The role of government
Governments face deep conflicts when it comes to securing cyberspace. Many federal agencies, including the Department of Homeland Security in the U.S., have an earnest interest in protecting national companies and citizens from cyberattacks. Yet other government entities can benefit from keeping the world's networks riddled with vulnerabilities. Clandestine groups such as the National Security Agency invest millions in finding and curating technical flaws that could allow an attacker to take control of a system.
One person's terrifying security vulnerability is another's secret weapon. Consider the Heartbleed bug. If you have used the Internet in the past five years, your information has probably been encrypted and decrypted by computers running OpenSSL software. SSL, and its successor TLS, is the basic technology behind those “lock” icons we have grown to expect on secure Web sites. Heartbleed was the result of a missing bounds check in OpenSSL's implementation of the TLS “Heartbeat” extension, hence the name: the code trusted a payload length supplied by the other end of the connection and copied that many bytes out of its own memory into the reply, even when the request it had actually received was far shorter. Anyone who could connect to a vulnerable server (or trick a vulnerable client into connecting) could pull up to 64 kilobytes of the process's memory per request, which could contain private keys, session cookies, usernames and passwords, rendering moot any security offered by SSL encryption. OpenSSL was vulnerable for two years before two separate teams of security researchers (one headed by Neel Mehta, a security expert at Google, and the other at Codenomicon, headquartered in Finland) discovered the bug. A few days later Bloomberg cited anonymous sources claiming the NSA had been using the flaw to conduct cyberespionage for years, a claim the agency denied.
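The mechanics of that missing check are easier to see in code than in prose. The block below is an added example, not OpenSSL source: it models the Heartbeat record as one byte of type, a two-byte claimed payload length, the payload and 16 bytes of padding, and it models the server's heap as a single array in which the received record happens to sit directly in front of a secret. The `heartbeat_vulnerable` handler reproduces the pre-fix logic (CVE-2014-0160), `heartbeat_fixed` mirrors the two length checks added in OpenSSL 1.0.1g, and the `SECRET` string, the `memory` array and the function names are all constructed for the demonstration.

```c
/*
 * Constructed model of the Heartbleed bug (CVE-2014-0160). Added example; not
 * OpenSSL's code. Record layout and "process memory" are simplified so the whole
 * thing runs stand-alone in one file.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* minimum padding required after the payload */

/* Data that happens to sit next to the record on the heap (constructed). */
static const char SECRET[] = "PRIVATE_KEY:super-secret";

/* Simulated heap: the received record, immediately followed by other data. */
static unsigned char memory[256];

static uint16_t n2s(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Pre-fix behaviour: `payload` comes from the message itself and is never
 * compared with rec_len, the number of bytes actually received. Returns the
 * response length or -1. The out_cap check only protects the response buffer;
 * OpenSSL allocated exactly what the peer asked for, so it had no such limit.
 */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = n2s(rec + 1);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* BUG: copies `payload` bytes even when the record holds far fewer,
       so whatever follows the record in memory is echoed back to the peer. */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Post-fix behaviour: the two length checks OpenSSL 1.0.1g added. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                     /* silently discard, as the fix does */
    uint16_t payload = n2s(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                     /* claimed length exceeds what arrived */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload); /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Place a request carrying ONE real payload byte but claiming `claimed` bytes,
   followed in memory by SECRET. Returns the record length actually received. */
static size_t layout(uint16_t claimed)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memory[3] = 'A';                          /* the only genuine payload byte */
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;  /* 20 bytes on the wire */
    memcpy(memory + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

/* Handle a request claiming `claimed` payload bytes with either handler.
   Returns 1 if SECRET appears in the response, 0 if not, -1 if rejected.
   Keep `claimed` small enough to stay inside `memory`; a real server would
   hand back up to 64 KB of heap here. */
int response_contains_secret(int use_fixed, uint16_t claimed)
{
    unsigned char out[512];
    size_t rec_len = layout(claimed);
    int n = use_fixed ? heartbeat_fixed(memory, rec_len, out, sizeof out)
                      : heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    if (n < 0)
        return -1;
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 3; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("honest request (claims 1):    vulnerable=%d fixed=%d\n",
           response_contains_secret(0, 1), response_contains_secret(1, 1));
    printf("malicious request (claims 64): vulnerable=%d fixed=%d\n",
           response_contains_secret(0, 64), response_contains_secret(1, 64));
    return 0;
}
```

With an honest request both handlers behave identically; with a request that claims 64 bytes but carries one, the vulnerable handler echoes the adjacent secret while the fixed one drops the record. The lesson generalizes beyond OpenSSL: any length field that arrives over the network must be checked against the bytes that actually arrived before it is used for a copy.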
Many of the world's leading powers have devoted their best tech talent and millions of dollars to finding and exploiting vulnerabilities such as Heartbleed. Governments also buy bugs on the open market, helping to sustain the trade in security flaws. A growing number of companies such as Vupen Security, a French firm, and Austin-based Exodus Intelligence specialize in the discovery and packaging of these precious bugs. In fact, some governments spend more money on researching and developing offensive cybercapabilities than they do on defensive cyberresearch. The Pentagon employs legions of vulnerability researchers, and the NSA reportedly spends two and a half times more money on offensive cyberresearch than on defense.
None of this is to say that governments are nefarious or that they are the enemies of cybersecurity. It is easy to see where agencies such as the NSA are coming from. Their job is to gather intelligence to prevent terrible acts; it makes sense that they would use any tool at their disposal to make that happen. Yet an important step in securing cyberspace is to honestly weigh the costs and benefits of government agencies cultivating vulnerabilities. Another key is to take full advantage of those things that governments can do and other organizations cannot. For example, they can enable or even compel companies and other organizations to share information about cyberattacks.
Banks in particular would benefit from sharing information about cyberattacks because attacks on financial institutions usually follow a predictable pattern: once criminals find something that works on one bank, they try it on another bank and then another. Yet banks traditionally avoid disclosing information about attacks because it raises questions about their security. They also avoid talking to competitors; in some cases, antitrust laws prohibit them from doing so. Governments, however, can facilitate information sharing among banks. This is already happening in the U.S. in the form of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which also serves global financial organizations. And in February 2015, President Barack Obama signed an executive order that urged other companies to share similar information with one another and with the government.
Hackers can help
As long as humans write code, vulnerabilities will exist. Driven by increasingly intense market pressures, technology companies push new products to market faster than ever before. These companies would be wise to tap into the vast human resource that is the global hacker community. In the past year, catalyzed by events such as the Edward Snowden NSA revelations, the technology industry and hacking community have become open to working together. Hundreds of companies now see the value of engaging hackers through so-called bug bounties and vulnerability reward programs, which offer incentives to independent researchers who report vulnerabilities and security problems. Netscape Communications created the first bug bounty program in 1995 as a way to find flaws in the Netscape Navigator Web browser. Today, 20 years later, research has shown that the strategy is one of the more cost-effective measures the organization and its successor, Mozilla, have taken to bolster security. Private and public communities of security professionals share information about malware, threats and vulnerabilities to create a kind of distributed immune system.
As cyberspace expands, car manufacturers, medical device companies, home-entertainment-system providers and other businesses will have to start thinking like cybersecurity firms. That involves baking security into the research and development process—investing in the security of products and services in the design phase, not as an afterthought or in response to government mandates. Here, too, the hacker community can help. In 2013, for example, security experts Joshua Corman and Nicholas Percoco launched a movement called “I Am the Cavalry,” urging hackers to conduct responsible security research that makes a difference in the world, with an emphasis on critical areas such as public infrastructures and automotive, medical device and connected home technologies. Another initiative, started by prominent security researchers Mark Stanislav and Zach Lanier, is called “BuildItSecure.ly” and aims to create a platform for developing secure Internet of Things applications.
The good news is that this distributed immune system is growing stronger. In January 2015, Google launched a new program that complements its bug bounty program, offering research grants up front to encourage security researchers to scrutinize the company's products, whether or not they end up finding a bug. The program is an admission that even companies with the best in-house tech talent on the planet could use the outside perspective of friendly hackers. Some governments are even on board. For example, the Dutch National Cyber Security Centre established its own responsible disclosure policy, allowing hackers who follow its rules to report vulnerabilities without fear of legal reprisals.
The bad news is that some elements of the cybersecurity approach the Obama administration is pursuing could effectively criminalize common vulnerability research practices and tools, weakening this developing immune system. Many in the security community fear that both the current version of the Computer Fraud and Abuse Act and proposed changes to the law define hacking so expansively that even clicking on a link to a Web site containing leaked or stolen information could be considered trafficking in stolen goods. Criminalizing the work of independent security researchers would harm us all and have little effect on criminals motivated by profit or ideology.
Individual responsibility
The next few years could be messy. We will see more data breaches, and we will almost certainly see a vigorous debate about how much control over the digital realm we should cede to governments in return for security. The truth is that securing cyberspace will require solutions from many realms: technical, legal, economic and political. It is also up to us, the general public. As consumers, we should demand that companies make their products more secure. As citizens, we should hold our governments accountable when they intentionally weaken security. And as individual points of potential failure, we have a responsibility to secure our own stuff.
Defending ourselves involves simple steps such as keeping our software up-to-date, using a modern Web browser that updates itself automatically, and enabling two-factor authentication on our e-mail and social-media accounts. But it also involves being aware that each of our devices is a node in a much larger system and that the little choices we make can have wide-ranging effects. Again, cybersecurity is just like public health. Wash your hands and get vaccinated, and you can avoid spreading the disease further.