SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management

Obama Orders Review of Election Hacking

BACKGROUND - President Obama recently ordered a “deep dive” into the cyberattacks of this year’s election and he wants the report before he leaves office on January 20. This request comes as President-elect Trump has again dismissed the intelligence community’s findings about Russian hacking and meddling.

Investigating cyberattacks sounds like a good idea. 
Did we get attacked? 
Who did it? 
What did they do? 
How should we respond?

But attacks in cyberspace are not the same as attacks in the real world. It’s virtually impossible to identify the parties responsible.  I’ve reviewed logs and looked at network traffic and I know that what we capture is an infinitesimal fraction of the information that we need to understand the scope of an attack. The “attribution” problem means we will probably never know who attacked us.  And even if we do strongly suspect nation states, there are always very plausible alternatives that introduce reasonable, even likely, doubt.

Look, if you live in a glass house, or one with really weak door and window locks, and you live in a world of zombies and monsters, it doesn’t really matter which one is attacking you. Even if you did manage to identify one of your attackers and could figure out a way to sanction them without violating any of our treaties or destroying our international policy, at best you can take out one. Cyber attackers are like the Hydra: cut off one head and two more appear.

We need to be spending our time strengthening and verifying the defenses around our critical infrastructure, including our elections. We need to raise the bar on the vendors that produce election systems. There are numerous strategies here – regulation, taxation, liability, insurance, etc. But for me, the best way to encourage security is to force transparency. Vendors need to disclose how they build their code, what defenses are present, what tools they have used to verify it, whether their developers are trained, etc.

We are heading at dangerous velocity to the point where we start throwing rocks at other countries.  Let’s not forget that we live in a glass house.  More than any other country, the US has the least capability to defend our critical infrastructure, since much of it is in the hands of private industry.  And because we have the most sophisticated and most advanced technical capabilities, we also have the most at risk.

I hope our leaders can use this event to focus on strengthening defenses, rather than chasing the boogeyman. 

--Jeff

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
