2017-04-05
In recent weeks, WikiLeaks has released a stash of Central Intelligence Agency tools designed to break into phones, computers and other devices -- a windfall for hackers and a headache for the devices’ makers. With U.S. data breaches at an all-time high, it’s alarming that even the CIA is vulnerable: If only the government put as much effort into protecting computer systems as it does into hacking them.

Some 90 percent of government cyber spending goes towards offensive efforts, according to Rick Ledgett, the departing deputy director of the National Security Agency. Apparently, the idea is that the best defense is a good offense. That’s reasonable in physical war, which is how the Pentagon seems to be positioning us. As one military official characterized it: “If you shut down our power grid, maybe we’ll put a missile down one of your smokestacks.”

But in cyberspace, most of the battle is figuring out who the enemy is and what to deter. Only last month did the Justice Department indict Russian agents for hacking Yahoo back in 2014. It took two years for Yahoo itself to realize it had been hacked. A retaliatory missile sort of loses its effect if three years have elapsed and half a billion people’s data has already been hawked on the darknet.

That said, developing expertise in cyberattacks can be useful: Figuring out how to break into other people’s systems is a good way to understand where your own systems might be vulnerable.

A lot of the government’s cyber intrusion technology involves “zero-day” vulnerabilities -- unreported software bugs that the vendor has had zero days to patch. Sometimes the government buys undisclosed exploits from security researchers. Other times the bugs exist by design: The Edward Snowden leaks revealed that the NSA collaborated with tech companies to incorporate secret back doors into popular products