Attackers Have Advantage in Cyberspace, Says Cybersecurity Expert
Homeland Security NewsWire: In your opinion, what is the cause behind the recent increase of sophisticated cyber attacks against major corporations and government entities by hacktivist groups like Anonymous, AntiSec, and LulzSec?
Bruce Schneier: I'm not sure there has been any recent increase of sophisticated cyberattacks. There has certainly been a recent increase in the press reporting incidences of sophisticated cyber attacks. I think this is because several groups have attached them to political causes -- for example the torture of Bradley Manning by the United States -- and because media attention begets more media attention. If there has been any increase in politically motivated hacking, it is because of the press attention being lavished on these sorts of cyberattacks makes them more attractive.
HSNW: What can be done to better protect digital assets against these types of groups?
BS: The same things that can be done to protect computers and networks against all sorts of hacking groups for the past several decades; there's nothing new or magical about these groups. The important caveat is that there is probably nothing that can be done to protect against a sufficiently sophisticated and motivated cyberattack. Attackers are at an advantage in cyberspace -- this will not always be true, but it'll certainly be true for the next bunch of years -- and that makes defense difficult. I think it would be best to concentrate on attack detection, response, resilience, and recovery.
HSNW: What are your thoughts on the Obama administration's new cyber security plan? Does it go far enough? In particular, what are your thoughts on the proposed provision of having government oversight where DHS reviews a company's cyber security plan and will actually penalize them if it is found to be inadequate?
BS: There is nothing new about presidents coming out with cybersecurity plans. They have done it since Clinton. The plans always sound good, read well, and fail in the implementation. With all policy directives, the devil is in the details; so I have stopped reading them. The question of penalizing companies for inadequate cybersecurity is complicated, and depends on the details of the companies and the markets. There certainly are market failures in cybersecurity where the government has to step in. If DHS facilitates that, it is a good idea. To the extent it does not, it is not.
HSNW: With the recent admission by a DHS official that contaminated computer components have entered U.S. networks and make it easier for hackers to steal information, is there a cost-effective or realistic way to prevent this from happening?
BS: No. I am not even sure there is an expensive and unrealistic way to prevent this from happening. Detecting deliberately hidden back doors in computer and network hardware is such a hard problem that there really is not any way to audit the hardware after it has been produced. You could demand to audit how the hardware was created, but then you have to trust the audit process. This kind of attack is far beyond the reach of hackers and criminals, but a perfectly reasonable attack for national intelligence services. It is a big problem with no solution.
HSNW: Finally, as a broader question, has the threat from hackers been overly inflated or is it as dire as many government officials and security experts make it out to be?
BS: Which threat? The threat of cyber-war has been grossly exaggerated, both by government and industry. We are in the early years of a cyber-war arms race, and there is a lot of money and power up for grabs. Same with cyber-terrorism, the threat is being exaggerated. Cyber-espionage is about at the level of popular opinion. On the other hand, the threat of cybercrime is largely being ignored, and that is greater than most people believe. I do not think anyone really knows the full extent of cybercrime -- fraud, theft, extortion, and so on -- worldwide.