Wednesday, September 19, 2012

An open letter to Senator Rockefeller

Dear Sen. Rockefeller,

I am a cyber expert. I invented a key technology known as “IPS” that is a standard part of network defense. I invented hacking techniques like “sidejacking” that are a standard part of network offense. I am a coder who has written a million lines of production code. I am a "pentester" who has performed simulated attacks that confirm your worst nightmares about power-grid blackouts and financial meltdowns.

Your letter [*] was naïve. There is no such thing as “best” practice, because there is no such thing as “adequate” practice. The Fortune 500 has not figured out how to stop Chinese hackers from breaking into web browsers, or how to separate code from data injected into websites, or how to stop an inadvertent connection between a secured and unsecured network. This has allowed me to hack (in tests) into Fortune 500 companies, even those that follow the very best of “best practice”.

The problem isn’t that we don’t know how to secure companies, it’s that we don’t know how to do so economically. Security is a tradeoff with decreasing marginal returns. We have passed the point where we can invest $1 to stop $2 of losses due to hackers. We are now at the point where we spend $2 in protection to stop every $1 in losses. In other words, we are overspending on security. We do so because your laws, like HIPAA and SOX, force us to. The yearly cost of legal compliance already rivals the losses caused by Chinese hackers.

You want to pass laws to educate the public to take cybersecurity seriously. That’s not how our government works. You don’t teach us, we teach you. You don’t pass laws because you think it’s in our best interests. We tell you what our interests are. The justification for passing a law is that we ask you to, not that you want it. When the Fortune 500 says “we don’t want it”, you should listen. We are trying to tell you that your laws cost us too much. You derive your powers from the consent of the governed. Ignoring our interests is how revolutions get started.

We rejected your legislation because it wasn’t about cybersecurity, but increasing government authority. You want data sharing. Fine. You go first. Disclose all the details of past intrusions by Chinese hackers into the US government. I know some details, but I can’t talk about them. But you can. There are few national security secrets involved; government intrusions are kept secret because they are embarrassing to the responsible bureaucrats. You've passed laws exempting government from disclosing their mistakes; reverse these laws. Require the president to annually list all breaches against the US government. If you start sharing your data with us, then maybe we won’t mind so much sharing our data with you.

You trot out NSA head Gen. Keith Alexander to scare us about the threat of Chinese hackers and cyberterrorists in order to get support for your bills. Yet you are unwilling to reveal any actual evidence. You tell us to trust you, because you are the experts. The problem is that you are also the ones who gain from this power grab, a conflict of interest that makes your testimony unreliable. Rather than scare us, show us, and let us make up our own minds. If the Chinese government is the existential threat you claim, then the evidence will convince us. We the American public deserve it. No law protecting us from these evil hackers should be passed without us seeing proof of the threat. I point this out because Americans are beginning to fear their own government more than the Chinese. You are behaving in a manner unaccountable to the public, from NSA spying on citizens, to indefinite detention of citizens, to extrajudicial killing of American citizens. I know how to stop the Chinese from hacking my computer, but I cannot stop my own government.

Before telling us how to secure our networks, secure your own first. The federal government is far behind the private sector in security. Just run a "Shodan" query on government address space and on Fortune 500 address space, and you’ll see what I mean. If you know of some “best practice” that actually works, then do it, and document it. Laws are only needed to enforce “best practices” that don’t actually work (or are uneconomical). If they do work, then we’ll adopt them anyway, because it’s in our own best interest to do so, in which case no law is needed.

Robert David Graham


Anonymous said...

You're right on the money asking the US government to share their data before asking for ours. All the "cyberlegislation" thus far has been a power grab to vacuum up private data and hoard it behind closed government doors, in ways that are beyond the reach of public oversight.

If we should trust the government as "experts" on security, they need to prove it. Trotting the DIRNSA out to scare everyone at conferences does not instill confidence.

Anonymous said...

Lucid! Congratulations.

Anonymous said...

Being quite a motivational speech, the letter tries to fight the enemy with two very different notions: the price of security risk coverage affected by restricting laws, and the corruption of officials' minds in terms of private rather than public gain.

If the latter is so discussible, the former, imho, should be a subject for more thorough analysis. Forced insurance on software and data security in this case benefits both major companies and public safety, when the not-so-bigggg premium keeps the balance between the cost of security maintenance and the cost of losses due to the attacks.

Anonymous said...

"I am a cyber expert."

Funny... We've never heard of you.