Why hackers haven’t destroyed America

Summary: Next in a series debunking hysteria about the many threats to our world. One of America’s great polymaths, Andrew Odlyzko, looks at cyber threats – cutting though the self-interested propaganda of experts to see the truth. We must learn to see threats more clearly if we hope to survive the 21st century.

Excerpts from “Cybersecurity is not very important.“

By Andrew Odlyzko in the Ubiquity, June 2019.

There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes.

This continuing general progress of society suggests that cyber security is not very important. Adaptations to cyberspace of techniques that worked to protect the traditional physical world have been the main means of mitigating the problems that occurred. This “chewing gum and baling wire” approach is likely to continue to be the basic method of handling problems that arise, and will provide adequate levels of security.

Introduction.

{Accountants} have been blamed for placing excessive emphasis on short-term budget constraints, treating cybersecurity as unimportant, and downplaying the risks of disaster. With the benefit of what are now several decades of experience, we have to admit those bean counters have been right. The problems have simply not been all that serious. Further, if we step back and take a sober look, it becomes clear those problems are still not all that serious.

All along, the constant refrain has been that we need to take security seriously, and engineer our systems from the ground up to be truly secure. …This demand has been growing in stridency…. Yet in practice over the last few decades we have seen just a gradual increase in resources devoted to cybersecurity. Action has been dominated by minor patches. No fundamental reengineering has taken place.

This essay argues this “muddle through” approach was not as foolish as is usually claimed, and will continue to be the way we operate. Cyberinfrastructure is becoming more important. Hence intensifying efforts to keep it sufficiently secure to let the world function is justified. But this process can continue to be gradual. There is no need to panic or make drastic changes, as the threats are manageable, and not much different from those that we cope with in the physical realm. …This conclusion is diametrically opposed to the heated rhetoric we observe in popular media and to the unanimous opinions of the technical and professional literature. …

The key point is that, in cyberspace as well as in physical space, security is not the paramount goal by itself. Some degree of security is needed, but it is just a tool for achieving other social and economic goals.

The Skewed View Of Most Technologists.

The critics of the standard “business as usual” approach have been presenting to the public both a promise and a threat. The promise was that with enough resources and control over system development, truly secure information technologies systems would be built. The threat was that a gigantic disaster, a “digital Pearl Harbor,” would occur otherwise.

The promise of real security was hollow. If there is anything we can now regard as solidly established, it is that we don’t know how to build secure systems of any real complexity. …Serious bugs that pose major security risks are being found even in open-source software that has been around and in extensive use for years …. And some insecurities …not only go back decades, but are deeply embedded in the basic architecture of modern digital processors. They cannot be eliminated easily, and we will have to live with them for many years. The most we can hope for is to mitigate their deleterious effects. …

Furthermore, in both the cyber and the physical realms, the main vulnerabilities reside in people. Those creatures are not amenable to reengineering, and are only slightly amenable to reasoning and education.

The threat of digital catastrophe has also turned out to be hollow. …In information technology insecurity, there are two curious “incidents” that have not attracted much notice.

• Why have there been no giant cybersecurity disasters?
• Why is the world in general doing as well as it is?

…There have been many far larger disasters of the non-cyber kind such as 9/11, Hurricane Sandy, the Fukushima nuclear reactor meltdown, and the 2008 financial crash and ensuing Great Recession. Has any cyber disaster inflicted anywhere near as much damage to any large population as Hurricane Maria did to Puerto Rico in 2017? In the cyber realm itself, we have experienced many prominent disasters. But most of them …have arisen not from hostile action, but from ordinary run-of-the-mill programming bugs or human operational mistakes. …

There is a third curious incident in information technology (in)security that also appears to be universally ignored. For several decades we have had simple tools for strengthening security that did not require any fundamental reengineering of information systems. …{G}iven that this technology was not deployed, why did nothing terrible happen. …

Threats.

We certainly do face many threats. In particular, we face many cyberthreats. Although it seems inevitable that we will suffer a “digital Pearl Harbor,” we have to keep in mind that we have suffered a physical Pearl Harbor and other non-cyber disasters that large or larger. Many occurred quite recently, as noted before. It seems absolutely certain we will suffer many more, and an increasing number of them will surely be coming from the cyber realm. On the other hand, it is questionable whether the cyber threats are yet the most urgent ones. …

Surveillance Capitalism and Loss Of Privacy.

Already today, the old mantra that “on the Internet, nobody knows you are a dog,” has in practice been turned on its head. Many organizations know not only that you are a dog, but also what breed of dog you are and what kind of fleas you have.

For the purposes of this essay, the key counterpoint to this line of argument is that this erosion of privacy has little to do with cyber insecurity. Some of that erosion does come from illicit hacking of our systems, which is indeed facilitated by the insecurity of our information systems, but most of it comes by design. Providers of services and devices purposely build them to collect data about users for exploitation by those providers and their (almost universally concealed) networks of partners. …Hence there are no improvements in cybersecurity that would by themselves make a measurable difference to the erosion of privacy that we experience.

To the extent that society wants to preserve some semblance of privacy, other methods will have to be used, which likely will have to be based on laws, regulations, and to some extent on technologies for users to protect themselves. …

Conclusions.

…The main conclusion is contrary to the public perception and many calls from prominent business and government leaders; we are not facing a crisis. This does not mean that cybersecurity can be neglected, nor that all efforts devoted to new security technologies have been wasted. Threats are proliferating, and attackers are getting more sophisticated. …Now, though, we have to migrate to new approaches. …

This essay does not claim a “digital Pearl Harbor” will not take place. One, or more, almost surely will. But that has to be viewed in perspective. Given our inability to build secure system, such events are bound happen in any case. So all we can affect is their frequency and severity, just as with large physical dangers. Further, the likelihood of a “digital Pearl Harbor” has to be considered in comparison to all the other threats we face. The issue is risk management, deciding what resources to devote to various areas.

————————————–

Editor’s afterword

That was just an excerpt from a long and detailed analysis, which I strongly recommend reading. One additional note: there have already been two cyber “Pearl Harbors.” America did them against Iran.

The last paragraph is the most important, and a point I have made about many threats – especially shock-waves (low probability, high impact events), and described in A first step to protecting the world from its many dangers. We cannot keep responding to threats based on the wild tales told by activists (with vested interests in “their” threats). We need a broader perspective, including evaluations of the probability and magnitude of each threat, to allocate scarce resources for protection and mitigation.

About the author

“Andrew Odlyzko has had a long career in research and research management at Bell Labs, AT&T Labs, and most recently at the University of Minnesota, where he headed the Digital Technology Center and the Minnesota Supercomputing Institute. He is now a Professor in the School of Mathematics. He has written over 150 technical papers in a wide range of fields, and has three patents.

“In recent years he has also been working in electronic commerce, economics of data networks, and economic history, especially on diffusion of technological innovation. More information, including papers and presentation decks, is available on his web site.

See his fascinating articles about financial bubbles! Also see these articles.

• “Technobubbles: Ancient, recent, and future” at GIGAOM.
• “The Internet and past and future communications revolutions” in IEEE Internet Computing, Jan/Feb 2010.

For More Information

Ideas! For shopping ideas, see my recommended books and films at Amazon.

Also see an Interview with Andrew Odlyzko on Cyber Security in Communications of the Association for Computing Machinery, September 2019.

If you liked this post, like us on Facebook and follow us on Twitter. See all posts about shockwaves, about cybersecurity, and especially these…

1. How would Sun Tzu defend computer systems? Poorly. A new era needs new thinking. — by Steve Tornio and Brian Martin.
2. Advice from Sun Tzu and John Boyd on winning at cyberwar — By Chet Richards.
3. Selling Fear: How Cyber Terrorism is Being Portrayed by Edwin Covert.
4. Consequences of Overstating the Cyber Terrorism Threat by Edwin Covert.
5. Fight the hysteria about the hack of OPM’s files. It’s probably not a big threat. – The March 2014 hack of the Office of Personnel Management supposedly made China King of the World. Five years later it is forgotten, like the countless hacks of credit card data from banks and stores.
6. America hated ‘Pearl Harbor’ – so we do it again & again – We are the ones doing “electronic Pearl Harbors” attacks.

One of the best books about hacking

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin Mitnick.

From the publisher…

“Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world’s biggest companies — and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn’t just about technological feats — it was an old fashioned confidence game that required guile and deception to trick the unwitting out of valuable information.

“Driven by a powerful urge to accomplish the impossible, Mitnick bypassed security systems and blazed into major organizations including Motorola, Sun Microsystems, and Pacific Bell. But as the FBI’s net began to tighten, Kevin went on the run, engaging in an increasingly sophisticated cat and mouse game that led through false identities, a host of cities, plenty of close shaves, and an ultimate showdown with the Feds, who would stop at nothing to bring him down.

“Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escape, and a portrait of a visionary whose creativity, skills, and persistence forced the authorities to rethink the way they pursued him, inspiring ripples that brought permanent changes in the way people and companies protect their most sensitive information.”