Businesses under attack seem to be far less competent than the criminals. They should become more engaged either by hiring in-house expertise or security firms. And, you're right. More firm action by USA is necessary.
Fundamentally, this is a VERY asymmetrical conflict.
To stay secure, businesses have to be able to repel EVERYONE who comes knocking with malicious intent. To be profitable as an attacker in this scenario, you just need to find one business that's large enough for the payday that screws up once. That may be an unsecured web service, broken firewall, software that's not patched quickly enough, or simple bad fortune (in the 0-day cases). The name of the game is risk mitigation, and making yourself a hard enough target that the criminals will move on to someone else softer. And once you achieve a critical level of importance, flying under the radar and hoping that the criminals move on to the next fellow isn't a viable strategy any more.
To compound the issue, software is consistently increasing in complexity, and that complexity leads to the bugs, undefined behavior, and unforeseen interactions that open the door in the first place. And - unfortunately - our own national security services are much more interested in playing offense instead of defense, so that instead of working with domestic actors to help secure their infrastructure from the hackers, they hoard 0-day vulnerabilities themselves, in hope that they can pull off a STUXNET, Part II when called upon.
I agree with Steve that the US national security apparatus needs to go after the criminals where they are, but that's only half the solution. The second half is providing ongoing white-hat security probes and alerts to domestic businesses, so that at the very least, folks who are trying to run successful enterprises don't feel like they either have to go it alone or pony up significant funds to hire a third-party firm to help manage that risk (and become ripe targets in their own right, as happened here).
The solution to the Gulf of Aden pirates is convoys, as has always been the case with pirates. Protection by well-equipped naval vessels, plus a few countermeasures on the commercial ships do the trick. In this case, the cyber equivalent of a military convoy is a good analogy. I like the white hat idea and I think CISA should offer active penetration testing services to critical fields of business, gratis. I also think we should raise the cost of doing business for all the cyber pirates by having them factor in the price of a drone strike.
We also need some members of Congress that are technologically literate and can craft legislation/appropriate funds towards these goals.
Congressman Will Hurd (R, TX-23) was a CIA employee and a cyber security expert. He did not run for re-election in 2020. You can Google him for the reasons.
1 out of 535.
Congress has over 30,000 employees on the payroll. Most must be cronies or slacker relatives. Congress is incapable of crafting any legislation that doesn't rely on regulatory bureaucrats and courts for definition.
What a wonderfully useless statement that had nothing to do with the statement I made. I said we need members of Congress that are technologically literate, so they can understand and guide legislation and appropriation knowledgeably - and so they can ask good questions about proposed legislation/policies. We get some really embarrassing questions about technology from far too many Congresspeople: or do you think that's a good thing?
Think a bit about what I type a bit more before responding: it'll help a great deal.
I understood what you said. I'm just trying to help you understand why Congress is generally so inept.
Well, they *used* to have an office dedicated to science and technology assessment that provided analysis and reports to Congress. It got shut down in 1995 after the GOP took control in the 1994 midterms.
https://en.wikipedia.org/wiki/Office_of_Technology_Assessment
The hackers are targeting the security firms!
Worse than I thought. Incompetence and lack of engagement.