9 January 2017

Opinion: The hackers are winning

Daniel Castro

JANUARY 4, 2017 —As Washington continues to wrangle over technical details and diplomatic consequences of Russian hacking allegations, we may lose sight of the only undisputed fact in this saga: Hackers attempted to undermine the integrity of US elections. And, it wasn't hard to do.

Regardless of the culprits' identity or motives, Congress and the administration now have an urgent responsibility. They need to develop specific policies and a new strategic focus to fix America’s endemic cybersecurity vulnerabilities. 

Michael Morell, former acting director of the CIA, called the recent attacks the “political equivalent of 9/11.” Yet, the response has been underwhelming. Rather than prioritize actions that would improve cybersecurity, the major responses to these cyberattacks have been to impose sanctions on Russia and call for congressional investigations of foreign influence in the election and potential breakdowns at the FBI.

While these actions may be necessary, they are not enough. In the aftermath of 9/11, Washington acted swiftly to recognize the failures in domestic security and put forth a new plan to fight terrorism at home and abroad by federalizing airport security, establishing the Department of Homeland Security, and passing the USA PATRIOT Act. Unfortunately, there appears to be no emerging consensus that US cybersecurity policy needs an overhaul.

The most notable aspect of the recent cyberattacks is that most businesses and government agencies are vulnerable to the same threats that brought down the DNC and Clinton campaigns. Just as 9/11 exposed how a few extremists with box cutters could unleash terror in the skies, these cyberattacks should serve as the wakeup call America needs to better prepare its computer systems and networks for today’s threat environment.

So, what should we do about it? The nation rushed to reinforce cockpit doors in the months after Sept. 11, 2001, and we need to take similar steps to close gaps in our digital security. For example, most Americans still use only passwords (weak ones at that) to sign in to online services. In contrast, Estonia provides its citizens with smartcards to securely access digital services using multifactor authentication. To jumpstart the market for online identification and authentication services, the US government should follow Britain's lead and allow all citizens to access government services using a single, trusted login.

Moreover, the election hacks are a symptom of the US government's flawed approach to cybersecurity. It wants to defend itself against digital attacks while successfully executing these same attacks on foreign adversaries. However, this policy is unrealistic for today's global networks. When everyone uses the same technology, everyone shares the same vulnerabilities. Cyber superiority is an impossible goal: when an online service is susceptible to an attack, all users, Americans and non-Americans alike, are threatened.

Yet these contradictory goals are at the heart of most US cybersecurity policy, including the mission of US Cyber Command. This philosophy of “relative security” rather than “absolute security” is the reason that US law enforcement and intelligence agencies oppose measures that would improve security for everyone, such as expanding the use of end-to-end encryption or disclosing new vulnerabilities, as they hope to exploit these weaknesses against America’s adversaries.

Unfortunately, the result is that US systems are just as likely to be compromised as those of our enemies. Until the US creates a new cybersecurity policy that prioritizes defensive capabilities and resiliency over offensive strength – and advocates for this new vision among its global allies – the fundamental cybersecurity challenges will remain unchanged. 

Rather than debating how to realign the US approach to cybersecurity, Congress appears to be fighting over committee jurisdiction to investigate the Russian hacking allegations. This will not solve the underlying problems. Regardless of whether Russian President Putin orchestrated the recent hacks, it is time to change the status quo. Securing cyberspace may prove to be much more difficult than securing airspace, but it is urgent that we begin this conversation anew.

Daniel Castro (@CastroTech) is vice president of the Information Technology and Innovation Foundation, a US science and tech policy think tank.

No comments: