FBI's Top Cyber-cop Says We're Losing the War Against Hackers
New submitter sienrak writes "Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is 'unsustainable.' 'I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,' Mr. Henry said."
Well, of course they are losing the battle... a house fighting against itself will fall.
Economic espionage is an excellent excuse for implementing centralized control of the internet.
Give me Classic Slashdot or give me death!
"Privacy and Security". Watch those words, folks. In the name of privacy and security we have already given up bits of both. This yahoo wants us to give up even more. Fear the person who says he can guarantee your privacy and security because first you need to give those up to him.
Can you feel it? The government wants to get control of the internet, and computers, and all communications devices in general.
They're going to pretend it's for our safety. They just want to protect us from hackers, after all.
I'm not a "government is evil" guy, but this is the kind of thing governments typically want to do. And it has to be prevented. Call your congressman.
Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.
Anyone else find it ironic that the FBI, of all organizations, (perhaps besides the NSA) is whining about losing to people hacking into our privacy? Isn't that what they do for a living? Not just to "the other people", but to our own citizens all the same nowadays?
They're grousing over a problem that they're part of...
I work for the Department of Redundancy Department.
There are hackers, phishers, spammers, and other untrustworthy people on the internet. The FBI seems to have just realized that they can't prevent them from existing, and now tells us that we'll "never be secure", and people react. But this has always been the case offline as well. There are thieves, murderers, and con-artists, and we can never make them go away either, and as such, here too, we will never be secure.
That said, if you use common sense, encrypt your important data, don't click links in unsolicited emails, and use a password better than "12345", you'll already be enough of a pain to most "hackers" that they'll not bother, because next door, there's a guy who's got a plaintext full of banking passwords on his desktop with file sharing on.
There's a saying that if attacked by a hungry bear, you don't need to outrun the bear, just the other people at the campground. Same goes here.
You can legislate only to a certain degree. That is, make companies responsible for the security of the information related to their CLIENTS. I personally don't care if a company loses their trade secrets to hackers, but I do care if they lose my personal information, credit card numbers, etc.
Information sharing is built into the universe, and so is copying of patterns. Atoms and molecules share electrons in predictable ways, cells communicate with each other, living entities communicate and share in incredibly diverse and complex ways; and once "the cat is out of the bag" it's almost impossible to get it back in. Streisand effects ad nauseam. The war living things wage against each other on so many levels - for example, viruses versus our immune systems - is also a facet of this interaction. We exist in an environment where sharing and communication are fundamental and everything influences everything else in myriad, complex ways. Making something totally secure - in other words, preventing it from interacting with its environment - hence is utterly impossible, or at the very least the amount of energy required to secure something is immense and the result is always imperfect.
Goes for plagiarism as well. DNA copies itself, kids copy their parents, we copy habits and patterns from each other hundreds of times every day. It's part of our processes for optimisation and they're also intrinsic to the universe. Thus, things like copyright are also doomed to fail. Here, too, the amount of energy required is huge.
A positive attitude may not solve all your problems, but it will annoy enough people to make it well worth the effort.
"Mr. President, we must not allow... a hacker gap!"
Standard tactic for getting the government to spend money on a military-industrial complex project.
Hail Eris, full of mischief...
E pluribus sanguinem ("Out of many, blood")
Any "war" where there isn't a party who can negotiate terms of surrender is doomed to failure.
Any insufficiently advanced magic is indistinguishable from technology.
You can't really fight terrorism with bullets and bombs, just like you can't fight hackers with some "new" anti-virus program or whatever (at least not for long). But nobody wants to think like that. "If we kill enough of them, they'll stop" doesn't work with terrorists - they're roaches in the walls and you can't get them all without collateral damage or creating yet a different kind of roach. However, all we have are bullets and bombs. "If we build a good enough firewall, it'll stop them" is just a challenge to hackers. Nobody wants to hear "You must completely change how your computers work to have even a ghost of a chance." Instead, it's "How do I fix what I have now?" The answer "You can't" doesn't let you keep your job or make anyone any money.
Everything you know is wrong, Just forget the words and sing along.
At least, that is what I got out of the warnings in the article. It wasn't about the FBI needing more money, so much as his discussion of the absolutely deplorable state of most business networks. Most businesses, even IT managers within businesses, seem to think that best security practice means sending someone to a Cisco firewall class, putting an ASA into an external facing connection, and passing a security scan as all they need to stop the bad guys. They never really consider what it means to really monitor the health of a network, or have an understanding of how their internal applications operate across their machines, nor are they willing to really invest in the kind of staffing and knowledge needed to make sure their data is actually secure. In the end, they are better off with making that early investment, because that knowledge also translates into fewer expenditures on gimmicky appliances, and a better focus on having things run right. It is a shame that mostly these businesses are blithely whistling past the graveyard.
Most businesses seem to miss from the day they replaced their file drawers with a file server, they went from a "widget" company to an IT company that does widgets. It is a subtle but definitive change in how businesses need to focus investments in resources. Unfortunately, most businesses just don't get it. They think because some snake oil dealer slapped "security" on the side of the box that the word means anything.
What I'd like to see is ACM, the ISC, ISC2 (no relation), and other organizations start pushing for more stringent best practices written into regulation (not law). Basically, if a business doesn't take the effort to invest in their own security, then they should be held liable if they get broken into. Don't expect insurance to pay out. Don't expect to be personally shielded by corporate liability if your client data goes into the wild. On the other hand, if businesses DO meet those standards, then they likewise shouldn't be held liable. I would really like to see the above organizations testifying on the Hill about what that would mean.
make every technician in charge of systems security liable for hacks to their network
Okay, so technicians will require hack insurance, because nobody will risk the financial penalty of taking said job with unlimited financial liability. This means that network technicians will have to be licensed to be insurable, which will cost money. Now only large firms will be able to afford the cost of these technicians. It is almost certain that the government will step in and license operators, just as they do doctors, accountants and other professionals. This is all certain to do wonders for the "anyone can do it" nature of computing.
Have gnu, will travel.
The technology is fine, the problem is the user-centric security that everything employs. There's an alternative called the principle of least privilege, which we use all the time in other aspects of life, just not with computers.
You might be tempted to think you know of a system that actually uses this, but you're wrong. The term capability has a lot of uses, and the application of it in POSIX or Symbian systems isn't the same thing.
Only when we stop assuming that a program should be able to have free run of everything will we be able to fix this problem.
It's almost like there's an active conspiracy to keep this idea in obscurity..... but probably not.
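An added illustration of the least-privilege, capability-style design this comment is pointing at (example code written for this page, not the commenter's or any project's code; the `ReadOnlyDir` class, the two plugin functions and the temporary directory layout are all constructed for the demo). The "ambient" plugin inherits the whole process's authority and can read any file it can name; the "capability" plugin is handed only an object that can read beneath one directory, so traversal, absolute paths and symlink escapes all fail at the capability rather than relying on the plugin behaving:

```python
"""Object-capability style least privilege vs. ambient authority (constructed demo)."""
import os
import shutil
import tempfile
from pathlib import Path


class ReadOnlyDir:
    """Capability granting read-only access to files beneath a single directory.

    Holding this object is the only way the plugin can read anything; it cannot
    name paths outside the root because every request is resolved and checked.
    """

    def __init__(self, root: str) -> None:
        # Resolve once so containment checks compare real (symlink-free) paths.
        self._root = Path(root).resolve()

    def read_text(self, relative: str) -> str:
        # resolve() follows symlinks and collapses "..", so a symlink inside the
        # sandbox that points outside, "../x", or an absolute path all end up
        # outside self._root and are rejected.
        target = (self._root / relative).resolve()
        try:
            target.relative_to(self._root)
        except ValueError:
            raise PermissionError(f"{relative!r} is outside the granted directory")
        return target.read_text()


def ambient_plugin(path: str) -> str:
    """'Before': the plugin runs with the user's full authority; any path works."""
    with open(path) as f:
        return f.read()


def capability_plugin(files: ReadOnlyDir, name: str) -> str:
    """'After': the plugin receives only a capability and nothing else."""
    return files.read_text(name)


def demo() -> dict:
    """Build a constructed sample tree and record what each plugin can reach."""
    base = Path(tempfile.mkdtemp())
    result = {}
    try:
        (base / "sandbox").mkdir()
        (base / "sandbox" / "report.txt").write_text("quarterly numbers")
        (base / "secret.txt").write_text("private key material")  # outside sandbox

        # Ambient authority: the plugin reads the secret simply by naming it.
        result["ambient_reads_secret"] = ambient_plugin(str(base / "secret.txt"))

        cap = ReadOnlyDir(str(base / "sandbox"))
        result["cap_reads_report"] = capability_plugin(cap, "report.txt")

        # Each escape attempt is expected to raise PermissionError.
        for key, name in (
            ("cap_blocked_traversal", "../secret.txt"),
            ("cap_blocked_absolute", str(base / "secret.txt")),
        ):
            try:
                capability_plugin(cap, name)
                result[key] = False
            except PermissionError:
                result[key] = True

        # Symlink escape: a link inside the sandbox pointing at the secret.
        try:
            os.symlink(base / "secret.txt", base / "sandbox" / "link.txt")
        except OSError:
            result["cap_blocked_symlink"] = None  # platform without symlinks
        else:
            try:
                capability_plugin(cap, "link.txt")
                result["cap_blocked_symlink"] = False
            except PermissionError:
                result["cap_blocked_symlink"] = True
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the pattern is that the check lives in the capability the host constructs, not in code the plugin author wrote; the host decides what the plugin may touch when it hands the object over, which is the "don't give a program free run of everything" idea in miniature.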
The OP lives in the USA which is - last time I checked - a representative democracy. It might be an imperfect one (=difficult to break the two-party system) but it's still a democracy... which means that The Government is just the set of institutions that The Population has built. Saying that you aren't part of the government in such a state is saying that you can't influence the decision making process, which probably means that you are too young to vote.
It doesn't help if you say "I'm a LIBERTARIAN. I want the fed abolished...". Even ignoring all arguments about how you can't exclude yourself from a group just because you don't believe in everything it has democratically decided... This is the FBI we are talking about. Even the most idealistic libertarians would say "The government has only one job: Keep us safe from the bad guys" (i.e. power to use violence is the only true natural monopoly) so this is perhaps the one institution that libertarians would retain.
Over the years I've been subjected to fewer and fewer personal data attacks, to the point where I can't remember the last time I got a virus. Back in the day I used to be constantly battling with them.
I'm able to do my job (high-performance computational simulations in physics) just fine without worrying about "hackers".
I buy shit off the internet, pay my bills, have cybersex with my girlfriend, play online games, and read the news -- no problems.
How are we "losing the war on hackers" if I can basically do all sorts of useful crap on the internet without having to greatly alter my patterns of behavior because of hackers?
I definitely am more worried about non-computer theft (which I've been the victim of quite a few times) than ONOZ HACKERS. Yes, there is computer crime, but it is really not that big of a deal.
Solving the problem might require abandoning the "war" metaphor. Declaring this a "war" is a way of allowing the authorities to ignore insignificant (to them) things like legality and morality. The inevitable result, which we're already seeing, is offending a lot of the population by the overreaction and "scorched earth" tactics. Taking down sites without any semblance of due process is guaranteed to hurt a lot of innocent bystanders, and as with real wars, this just turns the population against you.
This is much like the "war on drugs". Even those of us who don't abuse (or even use) illegal drugs are still very likely to be offended by the atrocities committed by the warriors. Taking people's cars, homes, and sometimes lives without any sort of trial is both wrong and counterproductive, but it's what the "war" metaphor leads to.
There's also a major problem with the media's expropriation of the term "hacker", which was originally a term of high praise for a technical expert, retargeting (;-) it as a term for an anti-social criminal. This tends to get the message across that people with technical expertise in software security are considered suspect by the media and the general population. You want these people on your side. Characterizing them as criminals isn't the best way to make this happen.
As long as we have a "war against hackers", I'd expect the problems to get worse. That phrase itself is pretty much a guarantee that the problems won't be approached in a reasonable fashion. It also guarantees that lots of innocent bystanders will be hit by the warlike measures. Even worse, people who could have helped you will be classified as hackers and, uh, "discouraged" from helping find the solutions.
I'm reminded of the time, back in the 1960s, when a "War on Poverty" was declared here in the US. That one ended rather quickly, as lots of poor people started publicly asking where they could go to surrender. But it's not obvious that the large population of software "hackers" will take this approach. If I happened to be a software expert with some expertise in computer security, where would I go to surrender?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
And I would be far from surprised to learn he is an inveterate Windows user.
Have you got your LWN subscription yet?
I think the quote you're looking for is "Security is a process, not a product." --Bruce Schneier.
Give me six lines written by the hand of the most honest man, and I will find in them something to have him hanged.