Seattle -- LinuxCon is about Linux, cloud, and containers, but it's also about security. In the past year, programmers have been reminded that merely being "open-source" doesn't mean that your code is safe. Assuming you're secure is a mistake. Because, as security maven Bruce Schneier explained to the LinuxCon audience via Google Hangouts, we're in a cyber-arms race.
Schneier said, believe it or not, that "the first destructive attack by a nation against the US was against a movie company." The trigger may have been merely Sony's 'The Interview' movie, but the goal appears to have been to cause "destruction and coercion" to a major Western country. Sony was also targeted, Schneier suspects, because, compared to other companies, its security was so weak.
True, "on the Internet today, attackers have the advantage and a motivated attacker will get in," said Schneier. But "Sony had some pretty bad security ... I won't go into details, but they're embarrassing."
A related factor in the Sony hack was that it's not "as important how secure an organization is as it is how secure is a company relative to others in the same space". Or, as the old joke goes: I don't have to run faster than the bear chasing us, I just have to run faster than you.
What's bigger than the Sony attack itself, though, is what it showed: how hard it is to tell who's attacking you. "You used to be able to tell who attackers were by the weapons they used. Governments used tanks, so if one rolled up outside your house, you'd know a government was behind it. Online everyone uses the same tools and techniques, so it's hard to tell whether the attack was from a government source, or two guys in a basement," said Schneier.
The Sony attack showed that attribution can be difficult. Indeed, while it may look like a lot of cyber-attacks are coming from China, Schneier believes "a lot of attacks from Western countries go through China [because] making an attack look like it comes from China is a good way to hide who's behind it."
Schneier thinks the U.S. does a better job than most in determining who's attacking us, but it's not an exact science. He cited, for example, that at first the FBI thought the Chinese government was behind the Office of Personnel Management (OPM) raid. Since then, he continued, the FBI has backed off on those claims.
What makes answering the million-dollar question, "Who's attacking me?", even harder is that not only are we "all vulnerable to these kinds of attacks ... politically motivated attacks are happening far more often. Hacking is no longer driven by just profit motives."
For example, the U.S. defines two kinds of computer attacks: Computer Network Exploitation (CNE), aka spying, which is their job, and Computer Network Attack (CNA), aka stealing and wrecking systems, which is the responsibility of the US Cyber Command. The problem, according to Schneier, is that "Every step is the same until it's 'delete *.*' [CNA] or 'copy *.*' [CNE]. You can't tell which is which until it's too late."
Figuring out who's attacking whom "takes a long time because you want to get it right." We're in an "arms race between attribution and defense."
Still, the U.S. has "some advantages, such as the NSA and that so much of the Internet goes through the U.S." In addition, "the U.S. has made significant advances in working out who's actually responsible for attacks, but it's still slow." That said, "By and large we're seeing more attribution. We're telling the world if you try to attack us, we'll know it's you," continued Schneier.
So, today the problem is "We need good defense without being able to know who's attacking us. We need fast, flexible responses to attacks. Attribution, who did it, isn't that important in the short run."
Linux Foundation executive director Jim Zemlin said the obligation of the Linux community with regard to cyber-security is to "create a culture of security."
And for the rest of us? Schneier said, "We're in the beginning of a cyberwar arms race and we're all going to be blast radius." Welcome to the second decade of the 21st century.