Monday, September 24, 2018

Cyber Security...CyberWar Is At Our Door

We now know (actually already a year ago in 2017) that a 757 sitting on the tarmac can be weaponized through cyber attack. Trains can be weaponized. We have a problem that needs an answer... yesterday.
Boeing 757
This makes me sad. I was part of a cybersecurity group in the late 90s early 2000s dedicated to bringing business, police and government together on issues of cyber security. We did good work, we made advances.

We decreased the distrust between government and computer experts, "white hat" (good) hackers and law enforcement. Those efforts continue to this day. But I have retired and am onto other ventures and adventures. I did my time. I no longer have to live that frustration and yet today? I find I still am. Only now from a distance.

We tried to warn people on both sides going back twenty years and yet, we are still now in this situation when we had so long ago warned so many! Our issue back then was in part that corporations paid too little or no attention to actual cyber security issues. Those were the days when it wasn't as big as some of us knew it would eventually be. Just as it is today.

Why didn't CEOs and government listen? Government has special issues that slow things down and for good reason for the most part. But business can and sometimes does move as they wish, if they wish it, and yet... they mostly have not.

We argued in part back then that corporations weren't even spending 1% of their budget or even of their IT budgets, on cybersecurity issues. When it should have been closer to 10%. That may have been extreme, but in light of today, of reality, was it really? Invest and innovate, or pay later.

IF they had done that, back then? We would not be in the position today that we find ourselves in. And that, is a fact.

Facebook's Mark Zuckerberg's motto of "Move fast and break things" and his explanation of that in 2013: "We want to build our culture and our infrastructures, that we just try to move, you know, one or two clicks faster than, than other companies. And, you know, sometimes we go too fast and we mess up a bunch of stuff and then we have to fix it. And that's cool."

Really Mr. Zuckerberg? Because that actually seems to exemplify a vast misunderstanding of how the internet works. That may be how it worked back in the 90s. Maybe. When security was low and "black hat" type bad actor hackers and criminals were still gearing up, learning how to abuse a good thing. But today you really have to KNOW exactly what you're doing online. Especially when you are responsible for literally billions of people on your platform.

An article came out this week from Axios Codebook about this related to our Congress:

"Only 6 House candidates spent $1,000 on cybersecurity"

"The defining moment in the 2016 election was Russia's breach of the Democratic National Committee. Two years later, McClatchy reports that candidates for Congress are knowingly underspending on cybersecurity — with only 6 spending more than $1,000."

As we've seen, there is also the potential for very bad things to happen IF you... 1) don't know what can happen because you haven't fully planned out the potential for good AND bad things to happen, and 2) you have to fully understand that business as usual as you have planned it out, in order to make money off that platform, off those people, can indeed damage not only those individuals using your platform, but also entire countries.

Because, there are bad actors out there, predators, whose lives are devoted to finding ways, people and platforms to abuse, with no moral or ethical concerns. When you have a platform that large, you also have an oversized responsibility to be not only fully aware of how your platform and your business model can positively AND negatively affect people, but you also have to be better possibly, than you even are capable of.

And that is a serious concern.

Rather than increase their cyber security efforts and budgets smoothly, easily, over the years to more than they thought they needed it (and their cyber people knew they needed but were ignored or given minuscule, fly by night amounts to work with), they could by now have organically prepared over those past years (if not decades) to have spent less money overall. Consider what it cost Sony in their North Korean hack for the film, The Interview.

Rather than the cost nowadays as well as having their reputation dragged through the mud and in losing even more money because of their lack of attention and resources and due to such bad actors as China, North Korea and Russia, just to name a few of today's major players.

Why? Capitalism run rampant? Defective corporate thinking? Yes, to be sure. But also a business as usual desire, based in greed and funneling too much money to shareholders and other such types. Rather than putting money into hyper serious concerns that merely weren't a concern to those in power at the time. Not until it was too late.

Maintaining bottom lines where the risk was considered worth it and they could not see that not only was it not worth it, but that risk was far greater than they could be made to understand, or even imagine.

Because the threat wasn't just for that year, or the year after, but in future years. It was the difference between simply installing a piece of software protection, or a method, and having a mindset that evolved over the years to come, to orient the corporation or government department in a certain way.

To see the future, then. To have built a paradigm, a mindset that would endure and evolve over time to protect and defend and protect profits and the American citizen, way of life, and national health. Both economically and emotionally.

Too often companies were saved only through the dedicated and excessive workloads of their computer IT departments. Not because they were there but because they had to make themselves overworked.

Rather than those typically overburdened, over educated, overdedicated IT workers receiving the necessary funding (which seldom happened) as well as confidence from management. The corporate attitude from on high so typically was (and still is):

"We pay them, so do your job!" Rather than "We delved into it, then gave them what they needed to DO their job. We compensated them "appropriately." And we have confidence in them as they have gratitude in us for going that extra mile, for them, for us, and for our stock holders, customers, or citizens."

But that isn't the case.

It would be disingenuous for typically lucky management to point and say, "But we didn't have a devastating hack!" While they may not have known what they barely avoided, perhaps too many times. All because of the dedicated overworked efforts of their security IT people and perhaps...just good luck.

Those far too many times, they did have a successful hack against them. All too often, even. It has in fact been the point of many companies, credit card companies that the way they protected their card holders was simply to forgive their having been hacked, and absorb the cost.

Having set aside annually so much loss for fraud and hacks and yet, they still made billions of dollars overall. Simply in part, because they did not put the money and resources into handling things correctly because it seemed too frequently to those who did not understand, at the top, that it was simply money thrown away to protect themselves properly. To research and develop proactively. To overburden their IT shops rather than hire enough people and expend the money necessary to truly protect themselves.

Ignorance. It is the mainstay of business and the political party of business in this country. In all countries.

LUCK is NOT how you win wars. Be it cyber or otherwise. Nor is ignorance. Something we see as a governing body today in our current conservative Republican Trump administration.

We are now beyond that point while Russians and others have already tested our systems and have a good idea what to do if and when they choose to do it. To truly attack, on a massive scale. But again we are still protected by MAD (nuclear weapon Mutually Assured Destruction). Because a massive attack would surely need to lead to a nuclear war. It would have to. And they (Russians, North Korea, etc.) know that.

And so they attack under the wire, under the trigger point, in hitting our social media, our elections and other things. Some of which we seldom hear about in public due to "national security issues."

And so our primary perceived protection? MAD, still. Physical war when a cyberwar is perpetrated upon us. Does that make you feel all warm and fuzzy and secure? Because, it shouldn't. Look what Russia did and what our response was and has been to cyber attacks on our 2016 and soon (and still) 2018 elections. Pathetic.

To be sure, we are more protected now than we were during the 2016 election or the previous one before it. But that does not say we are safe enough yet, and we do have a lot of work left, costly work even, to get there.

It's time already, time passed twenty years ago when we were first warned.

Stop looking only at profit. It's destroying this country in a counterintuitive paradigm anathema to the purposely ignorant conservative, corporate, capitalist mind.

Tough beans, people. This, is reality.
