Jorge Benitez and Jason Healy writing at The Atlanticist today make the point that the only computer safe from being hacked is unconnected to the net, at the bottom of a coal mine, guarded by two armored divisions and switched off.
For all the talk about cyber protection and the billions of dollars being spent ($3.2 billion in 2012 for the Pentagon alone) to improve defenses in the public and private sectors, your bank account PIN and the secrets in President Obama’s computer are both vulnerable. The key difference is the number of people with the skill, time and money to exploit these potential targets.
There is a popular misconception that perfect cybersecurity is obtainable if you invest in sufficient defenses and practice reasonable access procedures. The cold, hard truth is that we live in an age where cyber-offensive capabilities are dominant. For example, specialists who test the vulnerabilities of our nation’s computer systems said in private conversations that their success rate is nearly 99 percent, and that penetrating that remaining 1 percent is primarily a question of investing additional time and money. There used to be a famous and much-debated air force concept that “the bomber always gets through.” The sobering fact about the current state of cybersecurity is that the “hacker always gets through.” For the foreseeable future, cyber offense is king.
…Improving security raises the bar to keep out these rudimentary attacks, leaving defenders time to focus their attention on more sophisticated threats to their high-value assets.
This attention to basic security will decrease the number of successful cyber threats from millions of clever hackers to a handful of usual suspects with the resources and intent to attack a cyber-resilient system. Stronger defenses require greater costs, time and skills to be overcome.
Policy makers must understand this distinction: Complete cybersecurity is a myth, but cyber resiliency is obtainable and worthwhile.
Of course, policy makers will not be encouraged to make this distinction by those with a vested financial or career interest in making cybersecurity the next big procurement turf-fight. With billions of dollars, promotions, bureaucratic clout and of course the power that comes from unfettered authority to meddle and spy all at stake, we can expect the buzzword cybersecurity, rather than resilience, to be on everyone’s lips. It’s the newest arms race and everyone who can will jump on the gravy train.