For the last few weeks, I've been deeply involved in a cybersecurity project that I can't discuss, for a client I can't disclose. The fact that I can't discuss the nature of the work isn't relevant here. I'm simply mentioning the project to give you context.
I've been deeply involved in issues of America's cyberdefense for years. The difference between that work, and what I'm working on this month, is that my current project has me thinking deeply about the totality of the cyberthreat, and what attacks and breaches mean to America as a whole.
So let me cut to the chase. No matter what anyone tells you, no matter what any well-meaning blogger or so-called security "expert" might post, the cyberthreat is real. Very, very real.
The United States is a society of about 320 million people.
To most of the rest of the world, we are 320 million very wealthy people. Yes, I am all too aware that many Americans are struggling financially, and many of our fellow citizens have tough lives.
But even though some of us have it very, very tough, there are people in other nations who have it, comparably, far worse. There are those in India who walk barefoot in toxic goo to strip rusting, rotting ships, and do it for less than a dollar a day. There are people in China who live in one room huts with dirt floors, no running water, or toilets, who have no hope of anything ever changing.
Don't get sidetracked by the issue of who suffers more. The point to ponder is there are billions of suffering people living in foreign nations. China and India have more than 2.5 billion people, most of whom are far poorer than even our poorest Americans.
Some people in these countries, and in the former Soviet republics, and in North Korea, and in many Arab states -- and often whatever can be thought of as their governments -- look at us in the United States with disgust, envy, and anger.
They want what we have.
They dislike us for many reasons. They even feel they have some justification for their ire. We do tend to muck about in many countries, with our particularly American sense of right and might.
As recently as the early 1990s, that dislike and desire was kept at a distance. Angry, envious non-Americans were across the ocean, separated by borders and distance and time. But no longer. Most of them are now separated from each of us by a few milliseconds, a few IP address hops.
The point is, there is a huge motivation among an almost incomprehensibly large body of people to both try to steal from us, and disrupt our way of life.
It's not just individuals, of course. It's also enemy nations like North Korea, international crime syndicates, and even hacktivist groups. All of these groups, entities, and people know that not only can we be reached, not only can we potentially be hurt, but there's also a lot of money to be made from stealing from us.
And don't tell me you're not wealthy enough or important enough to be a target. Almost any of us with a bank account or a credit card or medical records -- or even in-game loot -- is juicy enough to be a target.
Steal a thousand dollars from almost any of us, and it'd hurt. A lot. But for those souls who live on a buck a day, stealing a thousand dollars is like winning a three-year windfall. There are many organized "companies" in countries like China, India, Belarus, and Russia that pitch hacking as an opportunity to their impoverished workers. Hundreds of workers occupy "hack-centers," where they are trained to hack, phish, and steal from Americans.
Defense against this isn't as easy as closing our borders. It's not like we can simply check air travelers as they arrive off an international flight. In the digital world, there are millions, even billions of potential incoming attack vectors, and thousands of ways those attacks can be executed.
Somehow, we have to defend against them all, or we'll be hit.
We are attacked every day. Our federal agencies are under constant, unyielding, unrelenting cyberattack. Our citizens are vulnerable to phishing attacks, Web page exploits, and identity theft. Our corporations are vulnerable to intellectual property theft and theft of customer information.
Our companies might spend hundreds of millions of dollars developing cutting-edge technologies and products, only to find those designs stolen, knocked off, and sold, competing at a fraction of the price.
Even worse, many of those designs, whether for drugs or bulletproof vests, are being sold as if they came from the original manufacturer, but are of vastly substandard quality. Not only are the American companies losing, American citizens are being put at physical risk by trusting counterfeit gear and medications as if they were the real thing.
A former Supreme Allied Commander of NATO Europe once tried to explain to me the perils of international cyberthreats. He seemed more afraid of the digital battlefield than he did of Russia's tanks. I once had a conversation with a senior three-letter-agency official, who explained that while we rely entirely on the Internet, we're terribly, terribly vulnerable. He told me he was scared.
Our congressional leaders are aware of this threat.
They're mostly politicians and attorneys, so their awareness often lacks some degree of technical have-a-clue, but they do get the basic concept that there are bad guys out there.
Unfortunately, our congressional leaders tend not to turn to our technical leaders. Instead, they spend a lot of time with lobbyists and former congressional leaders, who now work for special interests. These special interests and lobbies are also very well aware of the threat, but they have their own, often incredibly selfish take on how the threat should be dealt with.
This is how we get laws and bills like DMCA, SOPA, PIPA, CISPA and the like. Lobbyists conflate the risk of attack and theft from truly worrisome bad guys with their special interests and the result is often worse than no legislation at all.
Ben Franklin once said, "They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
The problem is that Congress doesn't value (or, perhaps, doesn't even understand) that our online liberty is the same as our offline liberty. Congress is often willing to propose bills that give up our essential digital liberty for some misguided temporary safety -- especially when it comes to protecting music labels and big video producers.
Make no mistake. We need comprehensive cybersecurity legislation, best practices, and instruction all the way from the residence of the White House down to our neighbors, the residents of that white house next door.
We must educate our leaders that, as Ben also said, "Distrust and caution are the parents of security." We must secure our nation from the billions of people out there who may choose to attack or steal from us. But we must not, ever, give up our fundamental freedoms, our fundamental privacy, in the pursuit of that security.
It's a fine line to walk. And rather than great thinkers like Thomas Jefferson and Ben Franklin, we're stuck with the 112th U.S. Congress. Even so, we must approach this problem like patriots and not like just so many politicians hungry for pork.
Are we up for the challenge? I'd like to think so.
- CISPA: more heinous than SOPA, and it just passed
- How SOPA protests were used to push CISPA
- Google helped with CISPA, joins Cybersecurity Theatre
- Facebook says it has 'no intention' to abuse CISPA
- After denouncing SOPA and PIPA, how can Facebook support CISPA?
- Chris Dodd and the MPAA: bribery or politics as usual?
- 5 reasons why SOPA, PROTECT-IP and other legislative idiocy will never die
- Dear Congress, guess what? We already have copyright laws.
- SOPA: So how much does it cost to buy off America's Internet freedom?