The bombs that killed three people and wounded nearly 200 yesterday are a stark reminder that the odds are stacked against us when it comes to fighting crime.
While it appears that the response of the FBI, DHS, Boston Police Department, EMS and others was reasonably coordinated and effective, these situations inevitably raise recurring questions.
- Were we prepared?
- Who did this?
- Why did this happen?
- Could this have been prevented?
Governments, embassies, corporations and other entities have spent much time, money and energy in the hours since the Boston bombings reviewing (maybe panicking) and fortifying their protections.
And while this latest horror has caused all of us to ask these questions of ourselves, there is truly only one question that matters.
- Is what we’re doing to protect ourselves really worth it?
At a time like this, when lives have been lost, Presidents are holding press conferences and emotions are high, this question seems callous.
This is not to suggest that we shouldn’t be putting protections in place – far from it. In fact, I’d argue that all too often we as human beings would rather “take our chances” than protect ourselves proactively. It’s exactly why we see businesses getting owned by hackers every day.
But oftentimes we see the knee-jerk reactions caused by these events distracting us from the real objective. If we had just stayed the course and done a decent job of understanding our risks all along we may not have been so vulnerable in the first place.
So we mourn our losses. These tragedies seem unavoidable, and perhaps they are.
But if we don’t learn from our mistakes it is all for nothing.
For most, if not all Americans, today is a special day.
Eleven years ago we were all changed, some of us irrevocably. The images of that day are still burned into our memories.
Images of Osama bin Laden or the collapsing Twin Towers still generate feelings of angst, powerlessness and fear.
And yet, that’s all they are.
In a world of risks, separating feelings from reality is difficult, but necessary. In many cases, they are not only different, but contrary.
Ask someone if they would rather text while driving or face a terrorist.
Yet texting while driving has killed twice as many people this year as terrorists.
So why aren’t we afraid of texting in a moving car?
The answer is related to the way human beings make decisions. It’s related to the way the human brain works, and to the way fear, ego and survival instinct cause us to feel and react.
It makes us really bad at judging risk sometimes.
Eleven years ago, the USA, including the intelligence community, Government and Military, didn’t keep feelings and reality in check. We didn’t understand our risks.
We didn’t think terrorists would fly planes into buildings.
Let’s take a moment today to remember those lost in the tragedy on September 11. Let’s remember all of those affected. Let’s remember those who have paid the ultimate price fighting to make things right.
Let’s also remember that the next tragedy can be averted if we remember that you can feel secure and not be.
Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tunafish box lunch was delightful.
Among my favorite presenters was Mark Clancey, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.
In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9-11. He closed by saying that “hackers communicate better than we do”.
But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought, it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break I came up with the following possibilities:
- Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
- Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack may require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
- Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
- Hackers don’t use default passwords – While I remember only bits and pieces of this story, the moral still rings true. The FBI, along with their foreign counterparts in Estonia were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federali, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
- Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
- Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.
Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a барабанчик.
We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.
Perhaps we should also suggest that clients look to hackers when developing their business plan.
Like most people, I remember September 11, 2001 like it was yesterday.
It was a bright and beautiful afternoon as we drove North along the 3 headed back to Zürich, following a 10-day visit to Innsbruck, Venice, Milan and a number of other quaint countryside villages. I was visiting a good friend who had recently moved to Switzerland, and we were taking some time to enjoy Europe’s best sites. The Alps are breathtaking, no matter what time of year it is.
As we entered the city center and got closer to Andre’s apartment, we could feel the end of our trip growing closer. I was scheduled to fly out the following morning and Andre was headed back to work. As we mentally switched gears, we also switched radio stations, changing from the throbbing dance music that kept us hammering on the Autobahns to a local news broadcast. It was in German, so I only caught every fifth word.
I will never forget the look on Andre’s face.
“An airplane crashed into the World Trade Center”, he said in his thick Dutch accent.
Simultaneously piecing together in my mind what I just heard and sorting through the possibilities of mis-translation, I immediately began rationalizing what might have happened. Once I gathered my thoughts I explained to Andre that this had happened before, and that the buildings are so big that a small Cessna wouldn’t cause much damage.
For a while I lived in New York City just three blocks South of the World Trade Center. I lived in a large apartment on the 26th floor with a balcony that overlooked the towers. I walked through World Trade South nearly every day. My apartment didn’t need paintings or artwork, I had the New York City skyline.
“It wasn’t a Cessna, it was a jumbo jet.”
For Americans, everything changed on 9/11. The inconceivable events that transpired on that day shifted everything we knew in a different direction. Finances, politics, healthcare, education, relationships – everything we knew suddenly took on a different perspective. A different priority. But none of these things changed more than our position on security.
The 9/11 Commission spent nearly three years collecting, analyzing and documenting the 585 pages of data resulting from that day and the years leading up to those horrific events. In the end, the Commission determined that there was a single condition that made the events of that day possible.
We didn’t think it could happen to us.
As simple and sad as that seems, there’s another chapter to this story. We face a much greater threat today, and we find ourselves repeating history. The infrastructure that our very existence depends on is in jeopardy, and we have put our heads in the proverbial “9/11 sand”. An exploitation or compromise of our power, water or financial networks could result in a complete collapse of society and death tolls that bin Laden himself could not imagine.
This is not science fiction. Thanks to Hurricane Irene, we have seen very recently what power and water loss of only a few days can do to a community. Now imagine this on a global scale.
By the year 2020, there will be 50 billion devices connected to the Internet. There will be tens if not hundreds of thousands of hackers and organized cybercriminals. If it took the United States ten years to track down one man moving from cave to cave, how long will it take us to dismantle an organized network of 100,000 computer hackers?
On this, the ten-year anniversary of the worst security incident in United States history, I urge you to ask yourself the following question:
What are we doing to avoid Cyber 9/11?