It’s safe to say most countries are investing in their cyber-offense capabilities or will be very soon. Even the smallest countries can wreak havoc on the most powerful with very little money. And while you consider the ramifications of this, here’s a quote to help it sink in.
“National security is no longer about tanks. National security is increasingly about economic well-being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the soviets blowing us up with nukes, but we are worried that our kids will be able to enjoy a quality of life vaguely related to our own.” -Ian Bremmer
How can a corporation — even the largest, let alone small businesses and individuals — possibly defend against armies of well-funded nation-state sponsored hackers? These hackers are professionally trained, with no reason to fear our laws, physically distant from their victims, and operate 24 hours a day, 7 days a week, 365 days a year. Remember, the Internet does not recognize or respect geographic borders. The Internet is particularly adept at routing around country-by-country laws and regulations that impeded traffic.
Many people in positions of power have expressed concern about the Internet being brought down. I’m more worried about what happens if the majority of people lose confidence in the system – the security of the Internet – and either stop or limit their use of the Internet. I’m worried about the long-term economic damage this causes, the loss of our ability to innovate, the failure to take advantage of the opportunities that the Internet provides.
New laws against criminal hacking are not going to help. Conventional warfare tactics are not much good either. Governments are largely unable to protect the private sector from international cyber-attack, nor should they be expected to. The perpetrators can be located anywhere, are extremely difficult to identify, prove attribution, and track down, even harder extradite, and even if identified, located, and extradited, difficult to successfully prosecute. And then, if they are found to be spies, the likelihood of them getting traded for our own spies is high – so they go back to what they were doing. Not to mention foreign governments are highly unlikely to turn over their own cyber-warriors. Every CEO in America must understand — in cyber-security you’re on your own.
The reality is that a problem as diverse and wide reaching as cyber-crime cannot be solved by any one thing; but I’ll tell you this — protecting the Internet requires a completely new way of thinking. While our cyber-defense ability is severely lacking, one thing we all clearly know how to do extremely well is cyber-offense.
Offense can inform defense.
I call this approach Hack Yourself First, a concept that is critical to our self-defense. Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses (we call them vulnerabilities) and the good guys who find and fix them. I felt so strongly about this that I built a company, WhiteHat Security, around this idea. At WhiteHat, we get paid by companies doing business online to hack into them and explain how we did so.
In no time flat we’re able locate digital doorways to take over some or all of their the systems, steal whatever sensitive data they have, access their customers accounts, or steal data they have on the system — all the things that could have made headlines like those you’ve probably seen recently. And let me make something else perfectly clear. These are systems owned by the largest and most well known organizations in the world. You know them. You do business with them. Collectively, they constitute billions of end-user accounts. In short, we’re probably already protecting you. Every vulnerability we find and our customers fix is one less hack that happens.
“Hack Yourself First” is also the reason why we teach other people how to hack, hundred and thousands of them. We teach all sorts of ways to hack into banks, retail websites, social networks, government systems, and more. We teach people how this can be done from anywhere across the Internet.
Many wonder why teaching people how to hack is a good thing. I know hacking is often stereotyped as illegal or nefarious activity — but this is not always the case. Teaching people how to hack — building up our cyber-offense skills — is absolutely essential. Only if we have hacking skills can we focus these skills inward at ourselves BEFORE the bad guys do. The idea of “Hack Yourself First” is critical to national security and to ensuring our long-term economic well-being.
Remember, security is optional, but so is survival.