Techdirt Podcast Episode 10: Is Cybersecurity A Real Issue Or Government Boondoggle?
from the and-why-is-it-focused-on-information-sharing? dept
Cybersecurity has become a big buzzword in Washington, and there have been plenty of calls for legislation, usually focused on “information sharing” setups that allow companies and the government to compare notes on threats without fear of any legal liability. But the actual issues of cybersecurity are never clearly defined, nor is the need for various legislative changes fully explained. Is the problem really as big as it’s made out to be? Or is the whole thing just a bureaucratic turf war?
Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.
Filed Under: cybersecurity, hacking, podcast, privacy
Comments on “Techdirt Podcast Episode 10: Is Cybersecurity A Real Issue Or Government Boondoggle?”
As long as we have a government and it’s security branches insisting on accessing all programs and computers, we will never have computer or network safety. In order to have that access and much of it is weakening the very security needed to secure apps and equipment, there will never be a secure app, program, network, nor computer.
It’s as boondoggle as it comes.
Sony would like to have a word with you if you think Cybersecurity is not a real issue.
(Not to say they are geniuses on the issue)
Re: Re:
That’s right. Sony demonstrated first hand the “cybersecurity” problem when they tried to install malware on every computer system that dared to be touched by one of their CDs.
Computer security, like every other form of security, is important and shouldn’t be neglected. However, “cybersecurity” of the sort that is constantly being discussed in Washington DC is clearly a boondoggle, since there are more effective, less expensive, and and less intrusive ways of accomplishing security than legislation that weakens our overall security.
The recent Sony hack (the recent one where they were the victim rather than the perpetrator) is a good example of this. That hack is being treated as if it were an event of national security when nothing could be further from the truth. As a result, we are going to burn through countless dollars and civil rights to respond to it. That’s a boondoggle.
Re: Re: Sony BMG
Sony clearly doesn’t care about getting hacked unless they can make political hay out of it. They have been hacked so many times, and ignored it, just refusing to improve their security. Everyone who has been hurt by their behavior can certainly claim that Sony has intentionally failed to keep their fiduciary responsibility to their clients.
With regard to the rootkit hacks, how were there no criminal charges brought against Sony, when these are clear violations of the CFAA? If an individual were to do to Sony, what Sony did to millions, that person would never see the light of day.
Further, one must wonder how the class settlement was achieved so quickly, and so cheaply for Sony. In most other cases these things drag on for years. In addition, Sony BMG did nothing to aid those it had hacked, but rather released software reputed to fix the problem, but actually caused additional damage.
Yes but...
Sure the cybersecurity problem is huge, but information sharing is unlikely to do anything at all to address that. What’s needed is for people creating software to actually care about security. They need to harden applications and adhere to best practices.
Re: Yes but...
It is absolutely true that the software industry needs to be better about producing hardened software (and, truly, the industry is getting better on this count all the time). However, focusing on that aspect tends to get people to discount the even bigger issue: behavior.
Security (of any sort) is ultimately dependent on the regular users having the correct procedures and habits. The best technological countermeasures in the world can’t protect against people being stupid or ignorant very well.
Re: Re: Yes but...
Agree that you need to factor in the people as a huge attack surface, but if you fix all the behavior and still have swiss cheese software, then you’ve done nothing. Most of the highly visible breaches are preventable.
Re: Re: Re: Yes but...
“if you fix all the behavior and still have swiss cheese software, then you’ve done nothing.”
This is certainly untrue. If you still have swiss cheese software, security is more difficult to be sure, but if your behavior is up to snuff, you are still reasonably safe. Not as safe as you could be, but you’re better off having good habits and no technological countermeasures than having bad habits and top notch technological countermeasures.
Re: Re: Re:2 Yes but...
That’s only true if you have zero internet attack surfaces, otherwise your software is your weak point and there is no human behavior that can affect that. Take a look at the frequent use of SQL Injection as an example.
clearly a boondoggle
As one AC pointed out, when the Feds are working to weaken security with mandated backdoors, security cannot be an issue that our government takes seriously. Furthermore, until we start to have some standards in terms of what sort of software is permissible for internet-connected computers, our nation’s security will remain at risk. Modular software structures need to be stressed and required, rather than systems where cracking your way into one area makes for easy access to any of the others that are welded to it.
Re: clearly a boondoggle
That is a terrible idea, as it will result in closed source software, which due to regulatory overheads can only be produced by a few large corporations. You can almost guarantee that under such a scheme, users would not be allowed to use any software development tools, as it would allow them to bypass any regulations applied to all software.
two aspects of a broad problem
While hardened software will not solve poor social computer hygiene, good social computer hygiene also will not solve the problems of weak software. They’re two aspects of the same security issue. Sure, there is some overlap, but one doesn’t obviate the other.
Consider driving on the interstate with a car that has gas tanks mounted externally behind the rear bumper. That’s a security risk. A defensive driver will reduce the risk, but that driver cannot reduce the risk on his own. Bringing the gas tank to a shielded area helps, but it still won’t make up for poor drivers.
Re: two aspects of a broad problem
“While hardened software will not solve poor social computer hygiene, good social computer hygiene also will not solve the problems of weak software.”
I agree.
I’ll add a third category, as well: inappropriate exposure to public networks. Most of the types of risks that the government trots out when they want to grab more power in the name of “cybersecurity” actually fall into this third type. This type of security error includes things like connecting critical infrastructure (power grids, etc.) to the internet. The irony is that this is the easiest sort of fault to fix — disconnect the system from the internet — but is the one where the government seems the most intent on spending our gold and freedom to resolve using less effective means.
Cybersecurity is a real issue. The problem: the people in charge of its policies are grossly underqualified hypocrites with a superiority complex. If their approach to fighting cyberterrorism the same as fighting analogterrorism, I have no faith in them already.
Re: Re:
What in the world is “cyberterrorism”?
Re: Re: Re:
CyberTerrorism is the fear that members of Governments and Organized Crime suffer daily, worrying that young computer savvy citizen-hackers will expose the criminal dealings of the members of Governments and Organized Crime, by hacking into and exposing the communications, account books and contracts of the members of Governments and Organized Crime, to the world, via the internet.
CyberTerrorism Legislation is needed to deal with this very real threat to the well being of our wealthiest fellow humans, so the rules governing the use of the internet and public communications must be altered to allow constant surveillance of all users, and in many cases allow these systems to be secretly rebuilt and restructured to insure such unauthorized access and exposure never can occur without official sanction.
However, the comic-book version that they are currently trying to foist onto the public consciousness is:
CyberTerrorism is the plots of Evil-Genius Citizen Computer-Hackers, who electronically break into nuclear power plants, water purification plants, hospital drug sorting programs and other important and sensitive public and commercial computerized infrastructures, in order to cause chaos and mayhem and death and injury for chortles and giggles, and occasionally for money from one or more of the hundreds of millions of Evil Muslim Terrorist Organizations that occupy every fifth building on earth.
The NSA has of course thwarted thousands of these Cyber Terrorist threats annually and utterly foiled their plots to bring the world to its knees, destroy the moon, cause multiple simultaneous nuclear meltdowns, explode a 2000 megaton herpes bomb over Chicago, bring about a new ice age, and create a black hole in New York City, for example, but due to the nature of the investigative and surveillance tools that the Forces of Goodness and Light have used to catch these Evil Minions of Chaos, they cannot actually tell anyone, anything about any of them, ever.
And because the Evil Minions of Chaos are becoming smarter than your average bear, year after year, the Forces of Goodness and Light need some new laws that will let them ignore many more public concerns like freedom of speech, freedom of association and the like, in order to catch the new, even Eviler Minions of Chaos V2.0, who wear black masks to keep people from realizing they’re really just white, ex-military mercs, who are also certainly looking for ways to use the internet to kill Good Guys via means of on-line electronically triggered mass destruction.
Be afraid.
Be very afraid!!!
(ghostly sound effect fading slowly into a distant wolf-howl)
—
Conspiracy theory up in here!
Did a certain Japanese company hack itself so it can get stronger cyber’security’ laws that will prevent people jailbreaking the consoles and cellphones they thought they owned?
Re: Conspiracy theory up in here!
Very astute.
That would certainly explain the nearly instant reactions by the feds in offering their unlimited assistance to that certain Japanese company, and would also explain the massive news coverage that totally ignored the part about the incriminating emails found on that Japanese Company’s computers pertaining to the buying of Attornies General for the purpose of creating legislation to harm competitors and net neutrality, and noted instead only the Evil Chinese Hacker Terrorists (Cyber-terrorists) who threatened Movie Theaters around the world with bombings.
Very astute indeed. 🙂
—
Rant Warning
GEM’s – Rule of Dick when dealing with Government BS
====================================================
When a government claims that a new legislation is necessary for the security of the nation and that needed legislation happen to give their enforcement and/or investigation arms more power over civilians and civilian dealings, they are lying.
The “problem” has been manufactured to justify the initiation of the new laws, so that their enforcement and investigation arms can be given new powers over civilians and civilian dealings.
Prior examples:
War on Drugs – a lie giving new powers to police and G-Men and detouring tax money into a never-ending fake conflict where billions of dollars can be spent on paper, but pocketed in reality.
By making any substance illegal, the government creates a new black market for its friends in organized crime and other m/billionaires world wide to invest in, and presents a situation where these investors can and will kickback a great deal of their untaxable profit to the government officials in charge of maintaining the illegality of the contraband substances and to police and local governments to “look the other way”.
This war cannot be won.
—
War on Terror – a lie giving new powers to police and G-Men and detouring tax money into a never-ending fake conflict where billions of dollars can be spent on paper, but pocketed in reality.
The fall of Russia lost the American Government its best boogeyman and forced them to create a new one – Muslims – by financing a few body-bombs via young religious idiots desiring martyrdom over poverty.
As this fake threat began to wane into obscurity, and the government realized that the FBI’s make-a-terrorist programs were ineffective in the government’s goal of scaring Americans back under their beds and getting them to demand more legislative protection from the bad evil men in return for relinquishing more of their civil rights, a new face was needed for Terrorism and ISIL was created from tax-payer financed international mercenary ex-military forces wearing identity protecting masks and made famous by massive news coverage.
This war cannot be won.
—
War on Piracy (P2P) – a lie giving new powers to police and G-Men and making the mob-owned entertainment industries the new gatekeepers of the internet, eventually eliminating anonymity and freedom of speech from the internet.
Both government and the Mob want the internet placed under the sort of control that television suffers from in order to end the free flow of information between civilians world-wide and to allow better property control and sales revenues for legacy industry products, by eliminating disruptive competition.
This war cannot be won.
—
War on Hackers – a lie giving new powers to police and G-Men. The pattern will hold true, as the new legislation simply gives the government and its crony corporate friends in the mob and elsewhere, more control over the internet and legalises all of the government’s surveillance techniques and programs that are already in use today and those they want to introduce down the road, but know full well will not be acceptable without appropriate legality already on the books.
The real fear of hackers is the fear government and organized crime have that such people will expose their criminal dealings.
This war cannot be won.
You are being managed.
—