Talking Cyber-Security With Homeland Security Advisor (and Former Hacker) Jeff Moss
What exactly does your government gig as an advisor entail?
I'm one of 24 members of the council. In the post-9/11 world an act was passed that imposed advisory councils on various aspects of Homeland Security to prevent groupthink and provide an outside opinion to the secretary or other people who want it. Apparently, the different Homeland Secretaries have used the councils in different ways. Tom Ridge used the advisory council a lot, the previous secretary used them less, the current secretary is using them more. But because cyber is on the mind of pretty much everybody now, everyone has a question or an interest.
If you were to ask a techie what the government's handle is on cyber-security they'd say we're way behind the ball. Have you found that to be true?
Actually I was surprised by how many more smart people I've run into that I didn't believe existed in government. Some of them are really amazing, like the chairman of our committee, Judge William Webster. He's a living legend. He's the only person to have been director of both the CIA and the FBI, and also worked at the NSA. His breadth and depth of experience is just... cool. Through inference I had assumed there must be this big bureaucratic layer somewhere that just slows everything down but I haven't found that yet. I know it exists but I haven't found it. What I've found instead is a lot of legal barriers that are out of the control of everyone's hands except different committees in Congress.
So what are the central security issues our country faces?
We're dealing with a structure that's not designed well to fight cyber-crime. And that's the same thing with a lot of other communications and privacy laws. You can see this fight going on right now on U.S. cyber command in the military. Is it a war-fighting thing, or is it an intelligence thing? And people use that today to talk about bigger issues like who really is in charge of cyber-security.
When we go to war there's a very clear chain of command and processes that have to take place. So what is the US policy in terms of cyber-warfare or taking offensive action using the 'Net?
I'm not a policy maker, but as far as I can tell, cyber is just another component of the different military domains -- air, sea, land. You have this emerging domain but it's unclear if it will be its own, or if it'll be sprinkled on top of all the other branches of the military: the Army, Air Force, Navy and Marines. If it's a war function, it's very clearly under the control of the Joint Chiefs of Staff and the President. The thing that's different with a cyber act is that we haven't figured out what is considered an act of war and what isn't. I have a feeling that until there's a loss of life, it'll remain that way.
So what is the state of the union, as it were?
During the Cold War we weren't shooting at each other with the Russians; there was all this covert action and spy versus spy activity. So that's where we currently are as well, everybody is spying on everyone else and stealing and robbing from each other. It's like two big buckets: organized crime wants your money and nation-states want the secrets. They go about it differently though. Organized crime doesn't really care if they get noticed because good luck finding them, and the attack model doesn't need them to stay in place for months at a time -- they get in, get as much money as they can and get out.
On the nation-state side, they're pretty much after secrets. It's a bit different because they don't want a political blow-out, unlike organized criminals who don't care if there's a front page story in the New York Times. There's no embassy to protest to. But if you're a nation-state that is spying, you don't want to cause a lot of drama. During the Cold War there were all sorts of handshake agreements where you'd trade spies if they got caught, a sort of gentleman's agreement about what you do and don't do. That doesn't seem to exist in the cyber version of spying. That stuff hasn't been sorted out. It's only been recently, when Google announced the spying in China, that we started this debate on a grander scale.
Because enterprise doesn't want customers to think that their business is in trouble?
Or because they want to do business in China. Adobe admitted briefly that they had been attacked, but out of all the other 30-plus odd companies that were affected, none have come forward and identified themselves. There must be a reason why they're doing that. This started a much-needed debate.
You think it really was a watershed moment?
Yeah, until now it's been ten years of security guys standing around saying, "Yup, this is just what is happening, it's happening all the time, everybody knows it's happening and it's not a big deal." It wasn't something talked about in the newspaper or on the radar of politicians. It took an American icon, a powerhouse tech company, to stand up and do something and [now] it's on everybody's thoughts.
In terms of state of the union then you're saying the Internet is fundamentally flawed right now?
Well, I mean it's not flawed, it's doing exactly what it was designed to do, it's just people are now using it for different purposes. It wasn't designed as an e-commerce or entertainment platform -- it was an academic collaboration platform. You find out the Internet works very well for carrying information, but it's just not doing a fantastic job of moving credit card data in a secure fashion. It's basically impossible to get 100-percent attribution, 100-percent knowability of who is attacking you.
How difficult is it going to be to change that? Is that the Internet's legacy forever or do we need to start over and create a separate Internet?
I mean everybody in the industry is painfully aware of all the shortcomings and there's a million security vendors trying to sell you a million bells and whistles to fix whatever particular ailment there is that day. But fundamentally, out of the big architectural issues, a secure DNS (Domain Name System, or the 'code' that translates binary to text) is the most visible. We must fix the DNS to be more secure. That doesn't solve everything, but it's something that's important and moving forward rapidly. By rapidly, I mean it'll be probably five to six years before it's widespread.
How hard is it to get the attention these problems deserve?
I don't know about other countries but the U.S. generally learns through pain. You know, you get bombed in WWII and you go "Oh, I guess we're at war." It's that same mentality that's hindering us in the electronic age.
So the public and the government and industry are still in a learning, childhood stage.
Everything is hooked up to the Internet. It's so complicated and has so many interdependencies nobody really knows how it works. For instance, what happens if a DNS stops working for a day? What does that affect? Maybe I can't go to my Web site. But would your voice telephone still work, and would you still be able to book an airline ticket if you called up a travel agent? Would you be able to process a credit card at the grocery? I mean everyone's built a million systems differently that plug into the Internet one way or another, so you have all these complex interactions. A lightning strike in Texas might make things stop in California.
Do you think the market will change things or is government regulation the future of the Internet?
Unfortunately, I think regulation is. I'm not a fan, but years ago people were suggesting that what's going to happen is that, at some point in the future when there's enough money, the insurance companies will get involved because some company will get broken into and they'll have all these losses and the insurance companies will say we're not going to insure you unless you do X, follow these best practices and follow this checklist. Now that doesn't mean they're secure, it just means processors follow guidelines. Well, people expected the same thing to happen with insurance, where through normal market forces if you want to do something risky, your insurance premiums would go up. But that never happened. I've never heard someone say, "I have to install a security upgrade or else my rates will go up." That was supposedly our last gasp, because if insurance doesn't work, that only leaves regulation. Insurance didn't work, so now we're in the regulation phase.
Is there an Achilles heel of the Internet we all should be worried about until things get fixed?
Hmm. [Pauses] Poke around with anything enough and you can cause a problem, but I don't want to give a recipe for what to attack.