Sadly, industry leaders have never emphasized the value of strong crypto sufficiently either. There are many reasons for this neglect -- the most likely being that encouraging ubiquitous use of strong crypto could weaken sales of the firewalls and anti-viral products that form so much of the cybersecurity business model. Most importantly, though, cybersecurity today is poor because the market hasn't demanded it. Consumers are much more interested in features such as speed, variety of apps, weight, even color -- so this is what drives production. It's a classic case of market failure.
Thus, the complex, constantly growing virtual world -- upon which individuals, commercial enterprises, and militaries are increasingly dependent -- is plagued by rampant insecurity. So say top governmental officials today. So say those who know the results of the CIA's extensive (and still classified) cyberwar game, Silent Horizon, conducted several years ago. And so say all involved in defending against the serious, real-life intrusions into defense information systems known to the public under names like Moonlight Maze and Titan Rain -- the former apparently involving sophisticated Russian hackers, the latter seemingly emanating from China.
Unless there is a profound change in perspective, the market will continue to fail, with manufacturers focusing on speedy, attractive tech products instead of secure ones. Unless a fresh mindset emerges among the public, the fear of Big Brother will prevent legislative action, even though the data-mining about individuals and consumer habits conducted by marketers and social networking sites -- a lot of Little Brothers -- already dwarfs what the government knows. It is odd indeed that people freely allow organizations like Facebook a level of access into their private lives that they resist giving their elected leaders in Washington. And unless presidents and their advisors start taking cyberthreats more seriously and stop saying things like "There is no cyberwar" (as President Barack Obama's former cyberczar, Howard Schmidt, used to), the lack of leadership on this issue will leave America gravely vulnerable.
But ways ahead do exist. There is a regulatory role: to mandate better security from the chip-level out -- something that Sen. Joseph Lieberman's Cybersecurity Act would only have made voluntary. Encouraging the widespread use of encryption can assuage fears about the loss of privacy. And finally, we should treat cybersecurity as a foreign-policy issue, not just a domestic one. For if countries, and even some networks, can find a way to agree to norms that discourage cyberwar-making against civilian infrastructure -- much as the many countries that can make chemical and biological weapons have signed conventions against doing so -- then it is just possible that the brave new virtual world will be a little less conflict prone.
SUBJECTS:
