The Strategic Flaw in the Federal Cyber Security Strategy — Ignoring Recovery Technology
Cyber Security Overconfidence suppressed use of Effective Recovery Technology that would have minimized the yet to be appraised colossal damage from the 2020 successful invasion of US Cyber territory
The fundamental feature of stored data is that it can be read without leaving a trace. Every custodian of data has to admit the following simple premise: an adversary with sufficient imagination will mark a pathway to the protected data. If the data custodian was equally imaginative to block this pathway, then the intruder will simply imagine another access scenario, and a third, until one such hacking procedure will exceed the imagination of the data custodian and the data will be compromised. And when this happens no bells are ringing, no alarms are turned on. If the intruder is discreet, then the eavesdropping will continue indefinitely, while the people in charge of security trumpet their apparent triumphs.
That is exactly what happened to the entire cyber habitat of the US government, corporate USA, overspilling to other countries as well.
This modern of all wars is not determined by body count, nor even computer count. You don’t build strength by spending more and more money, nor piling up more and more security protocols. The cyber war is a race of imagination.
One psychologically stressed individual, single handedly helped bring down the entire Nazi war machine. Alan Turing did not outspend the Germans, he out-imagined them. How many Alan Turing grade smarties have been born in Moscow or Teheran some two or three decades ago — now doing to the good guys what Alan Turing did to the bad guys?
Following the above reasoning, it is a no brainer to conclude that over sufficient stretch of time, cyber systems will be compromised. There will arise circumstances when our adversaries have out-imagined us, and got into our socks. Usually intruders are caught when they make changes to the data, or openly use it. But the warriors that take on mighty USA are very good. They read our secrets and don’t flaunt it, they do their best not to behave in a way that would suggest that they successfully compromised our systems. And that is how they operate and overshadow the full body of American cyber security smarts.
Federal cyber security is totally controlled by a handful of “big names” that so very naturally project a sense of confidence in the expensive tools and implements they sell the government for very higher prices.
When BitMint presents cyber recovery technology (CRT), it is regarded as a waste of money: “Why do we need recovery if in all likelihood we prevent every serious intrusion in the first place?”The powers that be then argue dollar figures — security expenditure.
The entire business of federal security is managed through an elaborate scheme of certification, authentication and signature verification — a bureaucratic maze that gives the illusion of security and hides the vulnerability of everything we express as stored data. As a professor of cyber security at the University of Maryland Global Campus, I battled the trend to blindly stick to complex security protocols, while disengaging one’s imagination. We graduated ‘certified security officers’ taught to adhere to well established set of ‘rules’, rather than maintain the jungle anxiety of wakeful alertness and stubborn apprehension. We nurtured a stiff cyber orthodoxy, and were afflicted by harmful overconfidence. And then, it is quite logical to dismiss serious cyber recovery technology, since it will never be called for. Same logic that guided the designers of the Titanic: who needs life boats on an unsinkable ship?
That is the fundamental flaw of the federal government security strategy. To fix this flaw, overconfidence must be replaced with caution, hubris with doubt, boasting with apprehension. The claim of “we are so wonderfully secure” should be replaced with the admission that we must build security by assuming that over the long run we will be compromised time and again.
And this very assumption leads naturally to the premise that we should put in place a powerful and effective recovery technology so that the damage sustained from a breach will be minimized. In its most effective form, recovery technology will be so powerful that the prospective intruder will be disincentivized to go through the considerable effort of penetrating the system, since the harvest of the intrusion will be largely useless.
There are quite a few breach recovery patents listed by the US Patent and Trademark Office, and many more in scientific publications. BitMint alone has been granted five such patents, and more related ones. What we publish attracts immediate attention abroad. Other countries are eagerly reviewing budding American technology. It is domestically where cyber recovery technology creates unwelcome friction with the narrative of stellar security, so effectively articulated by the leading security vendors.
I am not suggesting that the industry is not diligent nor careless in its work. Tens of thousands of well-trained cyber security professionals are monitoring, overseeing, fixing security issues 24/7. It’s a tedious enterprise, but it is an unfair enterprise too. Security efforts must stretch and spread thin over an ever larger ‘cyber front’ while the intruders can focus all their effort on one single weakest security link, bringing to bear their top intelligence, applying their most sophisticated tools narrowly focused on the selected entry spot. This disparity in resource distribution brings upon us adversaries large and small, and we have to be ready to meet them one and all.
The various carefully crafted security protocols are no good if a single “access-certified” individual decides to ‘Snowden’ the system. Self-radicalized deep-seated individuals are impossible to predict or catch, bringing about long lasting damage. US Intelligence appears not to have adopted serious cyber recovery technology when licking its wounds from the Snowden breach.
By their very nature government systems admit a large number of bona fide users from various ports and various computers, exploiting the convenience of this technology. But this reality builds countless opportunities for spies to stealthily take hold of the required access keys. Cyber security is “key based”. The only way to distinguish a bona fide user from a malicious intruder is through testing for the possession of a key. But key is data, it can be read, stolen, without leaving any trace. Some falsely argue that biometrics solves this vulnerability. Not so: biometric data is also data. A spy who captures from a glass of beer the thumbprint of his victim, will construct the thumbprint signature that would allow the spy to steal its victim’s identity.
Complex security systems are built the way this article is built: from letters and words, used over and over again. Once such component is compromised then everything built upon it is too. Computer culture evolved through “opaque boundaries”: a piece of hardware or software is certified if when tested for several instances of input, it generated the expected output. But it is infeasible to test for every possible input-output pair, which means that the most innocent looking subroutine, or dedicated computing hardware may house undetected malware. Again, this is so disturbing that the powers that be simply ignore it.
It is a mistake to measure security by the amount of effort invested in putting it together. Security must be measured by the amount of effort needed to compromise it. This effort may be large, but it is always finite. The only thing that security measures accomplish is to make it costlier and more time consuming for the intruder to break in. Declaration of perfect security, and doubt-free confidence in the cyber integrity of our systems are dangerous in as much as they blunt one’s alertness, calm down one’s nervousness, put to sleep our wakefulness.
It is very disheartening and very daunting to reach this conclusion that breaches will happen. Hopefully few and far between, but happen they will. The import of this conclusion is that it is of utmost urgency to develop robust effective smart recovery technology. The objective of cyber recovery technology (CRT) is to bounce back fast and with minimum lasting damage in response to being cyber compromised.
I am discussing the principles of this technology is another post. (Readers are invited to review HTTPS://www.BitMintalk.com/Recovery.Here I wish to stress: the federal government and Big Tech must recognize the fact that breaches will occur — they can be limited to a bare minimum, but they are inevitable, and if we ignore this conclusion and respond to threats by surrounding our data with ever thicker walls while not preparing to clean house when those walls are cracked then we invite a devastating blow as we are reeling from right now.
Imagine on the other hand that we have good detection in place and when an intrusion manifests itself we quickly revamp our system, activate an effective remedial strategy and stop the ‘bleeding’ while keeping the gain of the intruder at a minimum. At some point the intruder will conclude that the cost benefit for it is in the wrong territory. That is deterrence — the most effective security measure by far.
It is astonishing that combing through all the boilerplate statements of what needs to be done to prevent such breaches as now upon us — the simple notion of an effective and quick recovery is not in the narrative, let alone in reality. Government — listen to us, the small cyber outfits. Don’t be carried away by big words coming from big corporations. Bureaucracies don’t have the necessary imagination. This cyber war will be won by the winner of the imagination race. We, the little guy all over America, we are the solution!
