Security United States IT

FBI's Top Cyber-cop Says We're Losing the War Against Hackers 134

New submitter sienrak writes "Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is 'unsustainable.' 'I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,' Mr. Henry said."
This discussion has been archived. No new comments can be posted.

  • Just like terrorism (Score:4, Interesting)

    by honestmonkey ( 819408 ) on Wednesday March 28, 2012 @05:25PM (#39501321) Journal
    You can't really fight terrorism with bullets and bombs, just like you can't fight hackers with some "new" anti-virus program or whatever (at least not for long). But nobody wants to think like that. "If we kill enough of them, they'll stop" doesn't work with terrorists - they're roaches in the walls and you can't get them all without collateral damage or creating yet a different kind of roach. However, all we have are bullets and bombs. "If we build a good enough firewall, it'll stop them" is just a challenge to hackers. Nobody wants to hear "You must completely change how your computers work to have even a ghost of a chance." Instead, it's "How do I fix what I have now?" The answer "You can't" doesn't let you keep your job or make anyone any money.
  • Re:I fully agree (Score:2, Interesting)

    by hjf ( 703092 ) on Wednesday March 28, 2012 @06:13PM (#39501889) Homepage

    I don't see any problem with that. I don't want an idiot with a pirated Windows Server 2008 to be in charge of my medical records, for example. And a lot of times that's exactly what you get.

    "Anyone can do it" doesn't mean they SHOULD. Doctors, architects, engineers, and everyone in charge of infrastructure or other critical projects or things that could cost your life are required a license. Why aren't "IT managers" required the same? IT now IS infrastructure, and a lot of times the sysadmin is just a guy who installed a server. IT systems run traffic lights. I'm sure the engineer that designed and placed the lights was licensed, but the guy in charge of the two computers that run the system isn't.

    And as a bonus, since IT managers now need to be licensed, their rates would go higher. We'd get rid of the boss' nephew installed warez windows and undercutting a tech that actually knows what he's doing.

  • by DCFusor ( 1763438 ) on Wednesday March 28, 2012 @06:28PM (#39502065) Homepage
    They are losing the battle, but we're doing just fine, thanks. Their definition of the battle is that they effortlessly control everything and have "Total Information Awareness" which, of course, is not the battle we are in ourselves at all.
  • by Anthony Mouse ( 1927662 ) on Wednesday March 28, 2012 @08:10PM (#39503221)

    Anyone anywhere can come up with a way (if smart and motivated enough) to hack anything anywhere, it is completely different from invading another country or defending your own.

    You're completely right. And the idea of having some incompetent bureaucracy with the power to spy on everyone and shut down the internet is totally insane.

    But let's not just complain about it, shall we? Why don't we do one better?

    Making systems totally secure is a pipe dream, but we can certainly make them more secure. And entirely without a surveillance bureaucracy.

    The key is to understand that secure software is a market failure: Nobody wants to pay for security until after they get hacked, which means software developers have the wrong incentives. The ones that go out of their way to do security right end up going out of business because they get beat to market by the ones that ship the first code that compiles. But let's resist the knee jerk government reaction to this, which is to pass laws telling everybody what to do. That isn't what's needed here -- the result of any sanctions will be a "teaching to the test" problem where developers do the bare minimum to avoid liability while not actually making secure software, and meanwhile software development is made far more expensive due to regulatory compliance burdens. So forget about that.

    What would actually work? SE Linux. It was produced by the NSA, it's open source, and it makes things more secure. Why don't we spend the money on that sort of thing? Use the carrot, not the stick. Have the NSA provide free, voluntary security audits to major infrastructure providers. Have them produce more software in the nature of SE Linux -- things designed by all those genius cryptographers they already employ, which can subsequently be adopted by everyone everywhere and make things more secure. Fund more software like TOR which can protect privacy, to get such things to the point that they're fast and efficient enough for regular use by everyday people (and screw over enemy countries that censor and oppress in the process). Provide incentives for the more rapid adoption of technologies that increase security, like DNSSEC and IPv6.

    These are the things that have the potential to actually work. If they're actually serious about improving security, and Something Must Be Done, let it be that. Because the last thing we need is another hopeless regulatory bureaucracy.

  • by justforgetme ( 1814588 ) on Thursday March 29, 2012 @03:33AM (#39505987) Homepage

    Correct, the solution is not to battle the effects (hacking, hacktivism, organized digital crime) but the things that create the need for them (IP, DRM, Patents, Corporational governance of the world wide market). Still hacking and hacktivism will continue to exist as long as there is a reason to tinker and protest.

    Hacking was never the bad guy, it is the establishment being afraid of change that instigates it.
