America Needs a Cybersecurity “Reboot”
A generation ago, as Americans began logging onto the earliest versions of the internet, McAfee antivirus alerts were as ubiquitous as the sound of dial-up modems. For years, McAfee antivirus software was the standard in protection from spyware, Trojan horses, and other traps that allowed hackers access to your personal computer. Notwithstanding the recent controversy surrounding some of the activities associated with John McAfee — the 71-year-old software security pioneer — there is no denying he understands the benefits and pitfalls of government cybersecurity as well as anyone.
And he’s not optimistic about what the future holds if things do not change — immediately.
Since at least the Clinton Administration — notable for perhaps the first public cybersecurity battle over its plan to use a “Clipper chip” designed to break-through data encryption, and giving government snoops access to private phone conversations — the centerpiece of federal “cybersecurity” plans has been amassing an arsenal of hardware and software designed for mass surveillance, data collection and sharing, and streamlined analyses. Ostensibly, this weaponry has been intended to be used against terrorists and foreign enemies.
However, the 9-11 terror attacks completely flipped the script. Under President George W. Bush, these weapons became increasingly pointed inwards towards digital communications made within the United States, including those of U.S. citizens. This strategy was then refined – and accelerated — under President Barack Obama.
But while building weapons of offense, those in charge of America’s national cybersecurity eschewed formulating a comprehensive strategy for defense. This, as McAfee notes, was due to the government confusing “cyberwarfare” with “cybersecurity.”
“Our government defines cybersecurity by and large — especially the FBI, Department of Justice — as using cyber technology to make sure that American citizens toe the line, that there are no terrorist activities, and that we’re all monitored and controlled,” McAfee told Larry King in an interview last month.
The consequences of this singular mindset have not been pretty. Beyond scores of cyberattacks in recent years against private entities such as Sony (2014) and Dyn (2016) – the latter of which crippled internet access on the East Coast – government agencies have been frequently targeted as well, and with great success. These targets also include agencies tasked with the very responsibility of cybersecurity; the most embarrassing being an attack carried out against the FBI and CIA by a 15-year-old, resulting in the leaking of highly sensitive information on tens of thousands of FBI and DHS employees.
Consequently, McAfee asks, “is this the agency you want running America’s cybersecurity?”
To be sure, America’s spy agencies should be – indeed, must be -equipped with the tools to adapt and meet the rapidly evolving and ubiquitous security challenges in the digital age. However, amassing these tools cannot be its only focus as it has been in recent years; nor should such tools be used to blindly harvest and database the private communications of citizens accused or suspected of no crimes, as Trump’s pick for CIA director apparently desires. Not only are there serious constitutional questions surrounding these practices, but given the reluctance of all branches of government to adhere to virtually any meaningful privacy safeguards or use-protocols for such data, it is hard to trust these agencies with such sensitive data given their inability to protect even their own classified data from theft.
This highlights another pressing need – the development of effective defensive practices against cyber-attacks. While it is impossible to create a completely impenetrable firewall against hackers, the government’s demand for so-called “backdoors” into security systems and encryption “keys” exponentially weaken security measures in development. Rather than working to undermine data security, the government should be working directly with the private sector to boost these advancements; which would not only better protect private companies from attack, but also the government itself.
A good start for this is hiring security experts from the private sector, and even non-profit organizations aligned around exposing security flaws in the name of cybersecurity, to help spearhead the development of better cybersecurity protections; as opposed to the current plan of tasking law enforcement officials with the responsibility.
To make a “reboot” of the government’s cybersecurity strategy successful, it will require two major buy-ins from the new Trump Administration; neither of which appears imminent at first blush. The first is to finally recognize a problem exists with the way government is currently approaching cybersecurity. The second is a willingness to make a fundamental change to a culture of cyber-warfare, and instead focus on one of true cybersecurity – even if it comes at the expense of government’s grip over control of private communications.
McAfee is among many who actually understand the seriousness of this issue, but are not holding their breath waiting for this institutional change; nevertheless, he cares enough to raise the alarm. And we would do well to listen.