Thirty-one years ago, Cliff Stoll discovered a hacker tunneling into US government networks by way of his computers at the Lawrence Berkeley Lab. Stoll had been asked to clear up a small billing discrepancy in the lab's accounting system; in tracing it he found a German hacker working for the KGB, and he alerted the managers of the US government networks that the hacker was actually targeting. He later wrote about it in The Cuckoo's Egg, which remains an excellent read.
Unfortunately, Stoll's performance in 1986 was better than today's average. He discovered the hacker in his own networks within a month and was able to monitor him closely enough to warn the real targets. The administrators of those target networks, by contrast, behaved much as their counterparts do today: they learned of the intrusion only when an outsider told them. According to the annual Verizon Data Breach Investigations Reports, today's norm is that an intruder is discovered by a third party rather than by the victim, has been inside the network for the better part of a year, and got in through a vulnerability that was already known.
Clearly, we are doing something wrong if three decades have brought no improvement. What we are doing wrong is focusing on the hackers rather than on the vulnerabilities they exploit, even though the vulnerabilities are the one part of the problem that is our responsibility. Almost all successful intrusions exploit well-known vulnerabilities for which patches or fixes are already available. Computer hardware and software ship with vulnerabilities, most of them accidental or the result of security not being a metric by which original equipment manufacturers are measured. That is changing, but slowly, and the proliferation of new, flawed equipment grows much faster than the repair of old, well-tested equipment. Consider the Internet of Things (IoT) cameras that shipped with default passwords and were conscripted into the enormous distributed denial of service (DDoS) attacks of October 2016. It is hard to argue that a default password is an unknown vulnerability.
To change the trajectory of cyber security for the next 30 years, we need to accept that security can only be achieved by changing our own behavior, not by waiting for others or for governments to defeat all hackers. The police cannot stop every burglar even when we do our part by installing alarms, fences, lights, locks, and window bars. Those measures help us deter and detect an intrusion, but nobody expects the police to stop all crime on their own, and stopping burglars is orders of magnitude simpler than stopping hackers.
Computer security can be accomplished by nobody but the users and owners of the systems, just as only Cliff Stoll was in a position to detect the hacker on his own systems and defeat the threat.