Criminal mastermind Willie Sutton famously quipped that he robbed banks because "that's where the money is." Modern-day cyber-Suttons follow the same basic logic; the problem is that the "money" is everywhere. The Internet that we rely on to casually IM, order books, and video-chat is the same one that synchronizes power generation, enables collaborative design of fighter jets, and transmits electronic medical records. And while consumer banks have evolved to limit their exposure to gun-wielding bandits, there are billions of highly valuable and highly vulnerable nodes on the Internet that are not yet adapted to the new cyber-realities.
In the real world, federal authorities are massively outnumbered by professional hackers -- both freelance and state-sponsored -- who have the time and skill to penetrate our electronic perimeter. Meanwhile, the high-speed optical lines that carry data under seas and across continents allow adversaries to virtually stand on -- or in -- their targets long enough to find digital cracks and exploit them. In a cat-and-mouse game like this, patience is richly rewarded, and America's enemies can easily afford to wait.
Cybercriminals also enjoy three other advantages. First, they operate outside the jurisdiction of U.S. courts, making it virtually impossible for federal authorities to prosecute aggressors. Even if authorities can sometimes pinpoint the source of cyberattacks amidst the storm of digital data, there are few legal options available. As a result, America's best hope for protection is from the inside out, not the outside in: ferociously guard data and be more operationally tolerant of intruders in our midst. Indeed, we should assume that they are there already.
Second, the tools hackers use to find holes in U.S. networks are now automated. The days of pocket-protected nerds breaking into high-security networks for kicks or glory are over. Today, highly trained professionals, sometimes employed by nation-states, work nine-to-five jobs to infiltrate networks -- both governmental and corporate -- and exfiltrate plans, intellectual property, and data. The United States needs a coherent program that attracts the best minds to guard the country's digital secrets; America's adversaries do a much better job of recruiting and training their human resources than the United States does at the moment.
Third, cyberattacks can be many orders of magnitude more profitable than robbing a bank. Launching them is essentially free, and the rewards in terms of cash and disruption can be astronomical. Just three months ago, a man working alone with a laptop and ordinary network access nearly brought down the global Internet with a so-called "distributed denial of service" attack on the web filtering service Spamhaus. Meanwhile, the average "zero day" attack -- a breach that exploits a previously unknown vulnerability -- is embedded for 300 days prior to detection, according to a recent research report by the network security company Symantec. Latent infections and undetected holes can result in sensational escapades like the diversion in the year 2000 of 800,000 liters of raw sewage into a public park in Australia, and wickedly clever intrusions that siphon off credit card numbers from banks and clearinghouses, as has happened on numerous occasions.
According to Dan Geer of In-Q-Tel, a non-profit that invests on behalf of the intelligence community, the basic problem is that "detection alone is insufficient unless you have total surveillance of your network, which in reality no one does." That's correct, but we could have "total surveillance" of the software that runs at the network's endpoints. Better visibility would require a policy change, however, because both the public and private sectors are widely dependent on closed, proprietary, monolithic software systems that make true endpoint surveillance impossible. The federal government is especially stuck in this strategic trap, in part because the incumbent merchants and system integrators play off the fears of procurement officers about the make-believe risks and inflated transition costs of modernizing their enterprise systems.