The Irony in WaPo's "Net of Insecurity"
In the opening of part 3 of the Washington Post series “Net of Insecurity”, WaPo posits that L0pht warned Congress early on in 1998 of the inherent security flaws of the internet, but that Congress ultimately failed to act.
The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world. Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together... ...“If you’re looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes. The senators — a bipartisan group including John Glenn, Joseph I. Lieberman and Fred D. Thompson — nodded gravely, making clear that they understood the gravity of the situation. “We’re going to have to do something about it,” Thompson said. What happened instead was a tragedy of missed opportunity, and 17 years later the world is still paying the price in rampant insecurity.
Emphasis mine. My Twitter feed was abuzz this morning with security pros tweeting the story in vindicated satisfaction. A sense of vindication was also my initial reaction... and then the irony began to creep in. Here was WaPo implying that some act of Congress back in 1998 could have forestalled the next seventeen years of security woes, issues that we continue to grapple with today. And then I remembered that simultaneously, elsewhere in the paper, WaPo is covering another story.
The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information. The considerable lag time between breach and discovery means that the adversary had more time to pull off a cyber-heist of consequence, said Stewart Baker, a former National Security Agency general counsel... ...The compromise of the system was discovered early this month and dates back to June or early July 2014, agency officials said. The network holds a wealth of personal, family and financial details on millions of current, former and prospective federal employees and contractors. “This is some of the most sensitive non-classified information I could imagine the Chinese getting access to,” said Baker...
One cannot find a better example of the Gell-Mann Amnesia Effect. The Federal Government, on an annual basis, spends tens of billions of dollars on the implementation of the Federal Information Security Management Act (FISMA), which Congress passed in 2002 to improve the security of Federal agencies. Despite this spending, the Government struggles to maintain the security of its own systems. So, how can WaPo believe that a secure internet was within reach back in 1998 were it not for a few fuddy-duddies in Congress? Perhaps a bias that leads to a sense of over-optimism in the efficacy of Government? But putting criticism of the media aside, I think this is a fairly typical condition that Security Professionals find ourselves in. Our industry is in danger of growing complacent with seeing our job as finders of the problems -- who are only responsible for bringing them to the attention of the "authorities". Instead, we must own up to the fact that there may be no one smarter in the room, or who is better positioned to come up with the solutions that break the cycle, than ourselves.