SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management


Obama Orders Review of Election Hacking

BACKGROUND - President Obama recently ordered a “deep dive” into the cyberattacks of this year’s election and he wants the report before he leaves office on January 20. This request comes as President-elect Trump has again dismissed the intelligence community’s findings about Russian hacking and meddling.

Investigating cyberattacks sounds like a good idea. 
Did we get attacked? 
Who did it? 
What did they do? 
How should we respond?

But attacks in cyberspace are not the same as attacks in the real world. It’s virtually impossible to identify the parties responsible.  I’ve reviewed logs and looked at network traffic and I know that what we capture is an infinitesimal fraction of the information that we need to understand the scope of an attack. The “attribution” problem means we will probably never know who attacked us.  And even if we do strongly suspect nation states, there are always very plausible alternatives that introduce reasonable, even likely, doubt.

Look, if you live in a glass house, or one with really weak door and window locks, and you live in a world of zombies and monsters, it doesn’t really matter which one is attacking you. Even if you did manage to identify one of your attackers and could figure out a way to sanction them without violating any of our treaties or destroying our international policy, at best you can take out one. Cyber attackers are like the Hydra: cut off one head and two more appear.

We need to be spending our time strengthening and verifying the defenses around our critical infrastructure, including our elections. We need to raise the bar on the vendors that produce election systems. There are numerous strategies here – regulation, taxation, liability, insurance, etc. But for me, the best way to encourage security is to force transparency. Vendors need to disclose how they build their code, what defenses are present, what tools they have used to verify it, whether their developers are trained, etc.

We are heading at dangerous velocity to the point where we start throwing rocks at other countries.  Let’s not forget that we live in a glass house.  More than any other country, the US has the least capability to defend our critical infrastructure, since much of it is in the hands of private industry.  And because we have the most sophisticated and most advanced technical capabilities, we also have the most at risk.

I hope our leaders can use this event to focus on strengthening defenses, rather than chasing the boogeyman. 

--Jeff

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.
