Dan Kaminsky is a security researcher and chief scientist at malware-detection firm White Ops.
IMAGINE, ALL ACROSS America, our homes and businesses regularly going up in flames. Firefighters would be deployed en masse to stop the fires from spreading. Law enforcement would hunt the arsonists and bring them to justice. Engineers would learn to design structures far more resistant to flames.
Our government would respond to this obvious national emergency with force, competence, and leadership. And it certainly would not persecute the firefighters.
Yet the United States government is doing just that as it struggles with a choice: Necessary security for all versus the desired insecurity of some. No less integral to civilization at this point than the roofs over our heads, the information technology that connects us to one another is increasingly connecting hackers to our daily lives. Every month, more devices go online: Cars, thermostats, and baby monitors, all troublingly exposed.
Strong cybersecurity delivers the digital world that does not burn.
A hospital is forced to pay a ransom to keep treating patients. A small business goes under, its entire payroll account emptied in a weekend. Millions of consumers lose access to their credit cards over Christmas. Multi-billion dollar international corporations watch their digital infrastructure burn to the ground in the blink of an eye, perhaps as extortion, perhaps for fun. A quarter million citizens of the Ukraine have their power disrupted by hackers. And all those who ever sought the trust and confidence of our government must now fear identity theft for the rest of their lives.
A Fireproof Future
But there is hope. Our technology companies, literally the most valuable in the world, have made dramatic strides toward building devices that cannot be hacked. If your iPhone is stolen, it is unlikely that the thief will be apprehended. But he will access no emails, view no photos, take no money, steal no secrets—not from you, not from your employer. There will be no breach to report, no loss to incur, no job to lose. You were protected from risk, and nothing was asked of you but a passcode or thumbprint.
Strong cybersecurity delivers the digital world that does not burn.
Instead of helping put out fires, though, the FBI is “concerned.” A world where not everything can be hacked is a world where it can’t necessarily hack everything. And so, in a case where the FBI has enjoyed almost complete cooperation with Apple, it is demanding more: The engineering authority to require a “backdoor,” making the extraction of data from any device trivial, and setting the dangerous precedent that the government can turn any or all of the technology in our lives against us.
The FBI’s argument against Apple seems almost reasonable at first glance. There’s an extraordinary crime, there’s a secret we as a society want. Why not hack this one device, just this once? Because it’s not just this once. Not only are there other cases in the courts where the government is asking for access to iPhones, the real point is precedent. The problem is that for every one device we want to hack, there are tens of thousands we need to protect. Do we leave every device vulnerable just so the next one can be hacked?
As a lifelong hacker committed to protecting the Internet —I found a core vulnerability in the Internet’s design, which led to what became its largest synchronized fix ever—I can tell you that we are suffering the largest crime wave in human history, and it is built on a foundation of failed cybersecurity.
The FBI’s actions against Apple seek to maintain and enshrine this cracked foundation. Apple CEO Tim Cook is fighting back, and our nation must support him.
The FBI has placed all of America’s cybersecurity engineers on notice: Don’t do too good a job now.
The moral, economic, strategic, and technical leadership of the United States is at stake here. If Americans are not allowed to repair cybersecurity, somebody else will, and the damage to our interests will be incalculable and self-inflicted. Whoever masters making a secure digital world not just possible, but practical, will own the next Silicon Valley. There are at least 865 products from 55 countries with encryption, the vast majority from outside the US. Our companies have the head start in this coming space race.
But there is a small team at Apple that just became an enormous liability for their company. They did world-class work to protect you, and now untold billions are at stake. If only they hadn’t done quite so good a job, or left a couple convenient flaws. If only their managers hadn’t hired people quite so passionate. As it happens, Cook is standing up for his team.
But Cook, and the enormous resources at his disposal, cannot be everywhere. By trying to set the precedent that it’s OK for the government to intentionally undermine Internet security, the FBI has placed all of America’s cybersecurity engineers on notice: Don’t do too good a job now. Let it burn, or we’ll burn you.
Our Nation Is Capable of So Much More
We must repair the Internet. Too much is broken and taking years or even decades to fix. Our failures are not for lack of trying, but they might be for lack of staffing. I am a proud member of what might be called the Internet’s community of “volunteer firefighters,” but there is something to be said for professionals in numbers with infrastructure and a mandate. Our society doesn’t have just “The Guy Who Works On Cancer;” we build institutes. So let’s find and fix these flaws, faster and better. Let’s collaborate, systematically, comprehensively. Engineers should have the data, based on real world experimentation, about how to build the future securely, and practically.
Millions are learning to code; how do we ensure that the next generation of innovation is not even more fragile than this one? There are solutions that work, but are impractical. There are solutions that are practical, but do not work. Chief information security officers are flooded with noise regarding magic solutions that will fix all their problems. It’s not all snake oil.
A “CyberUL”, similar to the system that tells us which hoverboards might set our homes on fire (apparently all of them), would be helpful. It could allow us to understand what security technologies to invest in, and what systems need protection. Even when it comes to the bugs we’re already finding, nobody quite knows the global severity of a particular flaw. Who’s at risk? What should we prioritize?
The FBI publishes crime statistics for a reason.
There will need to be a bureaucratic firewall in place, for these efforts to be credible. Those defending and repairing the Internet must be separated from those with offensive cyber missions, no matter how legitimate. “Dual Missions”—playing defense and offense, fixing infrastructure one day and exploiting it the next, are a lie and everybody knows it.
It has been said that our nation needs a Manhattan Project for cybersecurity. What we need is a project to protect Manhattan, and San Francisco, and Seattle, and Chicago. Each of these cities suffered enormous fires once upon a time (Manhattan three times!). Our nation came together and fixed that. These very cities are guaranteed to be under cyberattack tomorrow. We can protect them, but only if we back Tim Cook in his profound belief that the Internet is not secure enough.