Is vulnerability an objective?

I ended last year with a death-of-the-Internet column, and I'm starting off the new year with a death-via-the-Internet one.

I spent time over the holiday reading "America the Vulnerable" by Joel Brenner. This is an activity that I recommend to anyone who does not mind a few sleepless nights.

BACKGROUND: 2011's biggest security snafus

Brenner served as the head of counterintelligence for the director of National Intelligence so he has reason to actually know what kind of threats the United States is under but, due to his previous government position, he is limited in what he can say to information already made public. Thus, he needed to provide public documentation to back up what he wanted to write about, and the book has 38 pages of references of that documentation. I shudder to think of what Brenner knows about active threats that he was not able to write about due to not being able to find a public document that disclosed the threats.

No doubt about it, we are exposed. Data about us as individuals is everywhere and totally out of our control; critical corporate data is wide open to everyone in the corporation, and too frequently, just to everyone; Internet service providers ignore compromised customer computers; utilities put the controls for their key systems directly on the Internet "protected" by security systems that would embarrass a maker of windup toys; the "best" security companies around have been breached and information about, or protecting, tens of thousands of their customers has been stolen; and our economic and political adversaries are getting good -- very, very good -- at exploiting these conditions.

Brenner details all of the above issues in great, and frightening, detail and includes some suggestions as to what government could do to mitigate some of the issues. I'll explore a few of them here:

*ISPs generally know when their customers' computers get infected and become botnet slaves, yet almost never let customers know they are toasted. Maybe ISPs should be required to let them in on the secret.

*Electric utilities too often put the controllers for their power generators, most of which have laughable security protections, directly on the Internet because it is convenient for their technicians. Of course, it is also convenient for remote hackers who might like to install software that could destroy the generators when it's convenient for the hackers (see The Aurora Project). Brenner lays out an all-too-feasible scenario of a future where a Chinese government blackmails the United States by destroying a few power generators as a demonstration of what it could do. (Note that the United States no longer builds this type of big generator -- we buy them from the Chinese.) Maybe it should be against the law, with criminal penalties, to connect such controls to the Internet.

*Why does just about everyone in your organization have direct access to just about all the company secret files? There is no reason that the person in the mailroom or, in most cases, the company president, should have such access. Take a look at WikiLeaks to see what goes wrong when there is too indiscriminate access.

The basic message of "America the Vulnerable" is that we are, almost willfully, handing over our secrets, economy and future to those who would do us harm. There are things we, as a country, as employees and as individuals should do to reduce the threats but we better get a move on or it will be too late. (It is too late in many cases, including with the technology used to quiet submarine propellers.)

Disclaimer: I had the privilege of attending a Harvard seminar with Mr. Brenner but the above book review, and situational report, is mine -- not the university's.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

More about LAN

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Scott Bradner

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts