SAN FRANCISCO – In recent weeks, WikiLeaks has released a stash of Central Intelligence Agency tools designed to break into phones, computers and other devices — a windfall for hackers and a headache for the devices’ makers. With U.S. data breaches at an all-time high, it’s alarming that even the CIA is vulnerable: If only the government put as much effort into protecting computer systems as it does into hacking them.
Some 90 percent of government cyberspending goes toward offensive efforts, according to Rick Ledgett, the departing deputy director of the National Security Agency. Apparently, the idea is that the best defense is a good offense. That’s reasonable in physical war, which is how the Pentagon seems to be positioning us. As one military official characterized it: “If you shut down our power grid, maybe we’ll put a missile down one of your smokestacks.”
But in cyberspace, most of the battle is figuring out who the enemy is and what to deter. Only last month did the Justice Department indict Russian agents for hacking Yahoo back in 2014. It took two years for Yahoo itself to realize it had been hacked. A retaliatory missile sort of loses its effect if three years have elapsed and half a billion people’s data has already been hawked on the darknet.
That said, developing expertise in cyberattacks can be useful: Figuring out how to break into other people’s systems is a good way to understand where your own systems might be vulnerable.
A lot of the government’s intrusion technology involves “zero-day” vulnerabilities — unreported software bugs that the vendor has had zero days to patch. Sometimes the government buys undisclosed exploits from security researchers. Other times the bugs exist by design: The Edward Snowden leaks revealed that the NSA collaborated with tech companies to incorporate secret back doors into popular products.
Problem is, the government can’t seem to secure its weapons. After the anonymous Shadow Brokers leaked a set of NSA hacking tools last summer, researchers immediately found them being repurposed for malicious attacks against vulnerable users.
While I appreciate the government’s desire to keep us safe through mass surveillance, U.S. companies could use more help in securing critical data. According to a survey conducted by Munich Re, 90 percent of businesses were victims of at least one hacking incident in 2016. The other 10 percent probably just haven’t realized it yet. In 2014, Intel McAfee estimated the annual loss to cybercrime at $100 billion in the United States.
The great thing about defensive security is that it’s much cheaper than the continuous development of new cyberweapons. Once a security hole is discovered and patched, the solution can be replicated for free and remains effective forever. This levels the playing field, making the best defensive tools available to anyone — one reason that so many hackers are turning to phishing tactics, which exploit human rather than software vulnerabilities.
Sure, a sufficiently motivated hacker with a state-sponsored bankroll could break into anything. But the goal of defensive security is to make attacks prohibitively expensive, not to make a system absolutely impenetrable. For example, breaking an encrypted message through brute force would take 10 trillion years using 10 billion MacBook Pros. That’s a lot of work just to read a single message.
The current strategy of building better cyberweapons without regard for defense works only if the government achieves superiority over every network on the planet. That’s not realistic. Computer security is knowledge-based, and no single entity can monopolize the technology. The best alternative is to get security tools into as many hands as possible. Defense is a lot easier if people already know how to protect themselves.
Elaine Ou is a blockchain engineer at Global Financial Access, a financial technology company in San Francisco. Previously she was a lecturer in the electrical and information engineering department at the University of Sydney.