Justice League Blog

Cyber War and US Policy

I spent more time this year in Washington talking to policy makers than I have in past years. I’ve been to the White House, to the Pentagon, and to a think tank or two. One thing became clear: cyber security is a confusing field full of FUD and nonsense! Oh yeah, and the government is WAY behind.

In order to cut through the nonsense and try to refocus the discussion on building things right, I published an article with Ivan Arce from Core Security:

Cyber Warmongering and Influence Peddling (November 24, 2010)

Ivan and I believe that the only defense when it comes to Cyber War is a good defense (that is, building systems to be secure in the first place and raising the cost of attack). Plus we wonder why it is that we’re talking about Cyber War in the first place, when Cyber Crime and Cyber Espionage are both much bigger problems. The good news is that building better systems can kill all three birds with the same stone.

The WikiLeaks problem that the foreign policy establishment is dealing with? Only better defense (reasonable system design) would have helped stop that. Ask yourself how on earth could a Private have access to diplomatic cables from SIPRnet?! Who built that system?

The Aurora cyber espionage problem that stole lots of Google IP? Better defense.

The Stuxnet worm (whose Siemens-aimed payload was at heart a simple DLL interpositioning attack)? Better defense in the form of software security.

The key to cyber security is not being able to throw a more accurate and deadly rock inside of our glass house. Instead, we need to work on the glass house itself.

Hopefully our article will provide some easy-to-understand guideposts for policy makers as they grapple with the cyber security problem. If you like what we have to say, please pass our article on to your representatives.
