Cybersecurity: A Bleak 'Progress' Report
SolarWinds' Hack Prompts an Assessment of the Work That Still Needs to Be Done
Following the hack of SolarWinds' Orion network management tools, which affected FireEye, government agencies and others, I've been pondering yet again how little progress we've apparently made on cybersecurity (see: 7 Takeaways: Supply-Chain Attack Hits SolarWinds Customers).
The hack appears to be the result of the successful insertion of malware into SolarWinds' recent updates. The SolarWinds technology is used by the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic and Atmospheric Administration, the Department of Justice and the Office of the President of the United States, among others. Plus, it's installed at thousands of companies and organizations around the world.
Today, I'm recalling watching "60 Minutes" in February 2015 - an episode titled "DARPA: Nobody's Safe on the Internet" with Lesley Stahl interviewing some intriguing guests. A review of that segment helps to illustrate that some efforts back then were misguided, and cybersecurity remains very much a work in progress.
The "60 Minutes" report said the Department of Defense had put Dan Kaufman, a former video game developer, in charge of inventing technology to secure the internet and given him a staff of 25 "brainiacs" and a budget of $500 million a year to "do something to help national security" and "make the world a better, safer, more secure place."
I cannot imagine how we can spend $500 million a year on 25 guys and some cloud services with the vague objective of "making the world a better, safer, more secure place." But what do I know?
Here's how Kaufman characterized the job search that led him into his current role:
"I did what all nerds do. I went to Barnes and Noble. And I got a big book. It said 'Government Jobs.' It was a big book. And I thumbed through it. And I said, 'I will find something and I will donate some time.' And I decided I would hunt serial killers. So I cold-called the FBI. I'm sure I'm still on a list somewhere. And I said, 'You don't know me, but (laugh) I want to do this.' And they told me I was too old."
But eventually, his resume got noticed by the Department of Defense, which saw an advantage to bringing in someone familiar with the language and the hardware of video games.
Interview Excerpt
Here's an excerpt from the "60 Minutes" report:
Lesley Stahl: "So you're working for the military?"
Dan Kaufman: "Absolutely. Part of the Department of Defense. And we don't do incremental improvement. So, the idea is: It has to be something really revolutionary."
"60 Minutes" Announcer: "This man is working on artificial intelligence software that would detect a hacker attack in real time and plug it in milliseconds with no humans involved. If such technology had been available to Sony, that breach from North Korea could have been plugged right as it happened. When DARPA first invented the internet 50 years ago, they just didn't imagine hacking would become such a problem."
Well, as many of us know, they couldn't have "plugged [that breach] right as it happened" because AI software to detect APTs doesn't exist yet. So, the implication that the millisecond plug is right around the bend - as if it will fix all cyberattacks miraculously and the world will suddenly become a "safer and more secure place" - is misplaced information, at best.
'Fix' the Internet
Here's another excerpt from the TV show:
Stahl: "Can the internet be fixed? Or do we just have to throw this one out and build a whole new internet from scratch, with security built-in?"
Kaufman: "I don't think the internet is broken. I think the things we put on the internet are broken. What we're doing is we're putting a lot of devices on it that are unsecure."
Of course the internet is broken. At least in the context of Lesley Stahl's question. The internet was never designed with security in mind, ergo it's "broken" and, yes, we need a new one. It might have been useful to explain why that might be a problem, instead of launching into her next line of inquiry.
Hacking a Car
As the "60 Minutes" report continued, Stahl got behind the wheel of a car to demonstrate all the ways that hackers can take control of the onboard computers and create havoc with her driving attempts.
Stahl: "How many computers do you think are in a car like this?"
Kathleen Fisher (a DARPA veteran): "Somewhere between 30 and 50."
This is followed by lots of shrieking and screaming while Stahl's attempts at steering, braking, accelerating, etc. are foiled by the imaginary hackers.
Stahl: "I cannot ... Oh, my God. I can't operate the brakes at all. Oh, my word. That is frightening."
"60 Minutes" Announcer: "While there's no known case of a car hacked this way, security cameras have shown cars burglarized by hackers unlocking doors. You can find software to do that online for $25. All this has alarmed Sen. Ed Markey. Tomorrow, he is releasing a scathing report revealing that nearly all new cars can be hacked, but that only two out of 16 carmakers can 'diagnose or respond to an infiltration in real time.' DARPA researchers got involved in hacking cars and the internet of things in an effort to invent unhackable code for military drones."
Stahl: "And is your goal to do it for drones and then have it apply to cars and my refrigerator and things like that?"
Kaufman: "Exactly right. I think that's when DARPA's at its very best. We're solving a specific problem for the military. I want to make sure their systems are safe, but I would like everything to be safe."
"60 Minutes" Announcer: "And now 'DARPA Dan' is trying to reinvent search engines. Traffickers who sell weapons or young girls online remain largely hidden from authorities. Kaufman and his team set out to remedy that. First, they studied the time-consuming way law enforcement agents bust sex trafficking networks by clicking on one sex ad or link at a time on commercial search engines."
Kaufman: "And we watched, and they did what you'd think. You know, they put an address of a massage parlor or something, and then they'd write it down on a yellow stickie, and then they'd try to build in each to each to each. And we looked at that, and we said, 'There has to be a better way.' So DARPA invented Memex, with which you can click just one button and all the hidden information scattered deep in the web about an illicit activity is pulled together and revealed."
I am assuming he meant the deep web, where search engines don't index, and not the actual dark web, which refers to lost address spaces that no hosts can reach. The deep web is difficult to crawl, but it is also where most of the nefarious internet trafficking - drugs, money laundering, murder for hire, vast child pornography rings, etc. - occurs and is reachable through the anonymity network called Tor.
Now, this is an interesting story and one which "60 Minutes" might do well to cover because it is actually where the next cyberwars will be fought and understanding how all that works would be informative.
Back to the 2015 "60 Minutes" transcript:
Stahl: (completely ignoring the "dark web" comment): "So ... you're building the network?"
Chris White: (who invented Memex): "Building the network. That's right."
"60 Minutes" Announcer: "Memex is so effective, the White House has asked to see if it could be used to monitor ISIS. A downside is that Memex could also invade our privacy."
Stahl: "So, what do you do? You throw this out there, and it can do many good things, but there's the dark side?"
Kaufman: "There's always a dark side, and it's something we wrestle with tremendously. Our job is to sort of say, 'This is what it is. Let's decide how we want to use it.' And then, with some of the new programs we're working on just beginning now, are there ways that I can get in here and still protect your privacy?"
Stahl: (completely ignoring the whole privacy issue): "How much of your time is spent inventing things for the NSA?"
Kaufman: "Almost none, actually."
"60 Minutes" Announcer: "He can't control how his inventions will be used. ... These aren't video games, after all. But when it comes to beating the hackers out there, Dan Kaufman has total confidence."
Stahl: "Are you worried at all that by showing us all the new wowie-doo things you're working on that you're going to give car thieves an idea or you're going to give someone who wants to break into my refrigerator an idea or a terrorist an idea?"
Kaufman: "I think they have lots of ideas on their own. And what I want them to know is that there's somebody smart on the other side who's going to make that way harder. I want them to think twice."
The Consequences
That sentiment rings a bit shallow following the last couple of days, when we have gone beyond even the smartest guys at the NSA in terms of Frankenstein projects gone rogue and are now beginning to suffer the consequences.
What happens in the coming days and weeks will be instructive on several levels. If, as many suspect, we have just supplied our adversaries' arsenals with serious weaponry, we should brace ourselves for a flurry of probative attacks testing the nature and assessing the architecture of our defensive topologies, and perhaps even worse.
Perhaps these events will serve as a wake-up call to our citizenry and bring the severity of our exposure to adversarial cyberattacks into a more focused picture.
But if mainstream news media coverage of these events uses the "60 Minutes" model as the standard, we may have to give up on our hope that an enlightened democracy will be able to move the needle to develop a serious cybersecurity plan.