Another “cyber war” article today, this one about informal contacts between U.S. and Chinese government agencies engaging in war games together.
The article is worth a read. The good news is that some on both sides are taking the issue of computer security seriously enough to engage with their potential adversaries at a technical level. The bad news is that it looks like many Americans involved in the issue are hopelessly deluded about what we can and should do about it.
At one point in the article Frank Cilluffo, who was a special assistant on homeland security in the last administration, was quoted as saying:
We need to talk about offensive capabilities to deter bad actors. You cannot expect companies to defend against foreign intelligence services.
Now that’s a well worn meme that deserves a response, but unfortunately didn’t get one in the body of the article. Fortunately there was at least one comment (by a certain “plembo”, a regular Guardian reader) that addressed it head-on:
“You cannot expect companies to defend against foreign intelligence services.” To the contrary, that is exactly what you *must* do if you don’t want an electronic Armageddon. The whole “best defense is a good offense” meme simply doesn’t work when it comes to computer security. The best defense has been, and always will be, a thorough defense. That means defensive measures at every layer of the stack, from the network all the way up into the applications. The efforts made by most companies *and government* thus far to improve their security has been laughable. Hand wringing and finger pointing just won’t cut it any more (how ironic that many who decry government intervention in other areas are so quick to make government responsible for their own system security). No wonder our potential adversaries have so little respect for us. What needs to happen is for executives in both the private and public sector to stop paying mere lip service to security and to begin taking the advice of their system security officers seriously.