Every single computer in the world can be hacked. From your personal computer at home to the office workstation of the CIA director, it is not possible to fully protect any computer from cyber penetration. For all the talk about cyber protection and the billions of dollars being spent ($3.2 billion in 2012 for the Pentagon alone) to improve defenses in the public and private sectors, your bank account PIN and the secrets in President Obama's computer are both vulnerable. The key difference is the number of people with the skill, time and money to exploit these potential targets.
There is a popular misconception that perfect cybersecurity is obtainable if you invest in sufficient defenses and practice reasonable access procedures. The cold, hard truth is that we live in an age where cyber-offensive capabilities are dominant. For example, specialists who test the vulnerabilities of our nation’s computer systems said in private conversations that their success rate is nearly 99 percent—and that penetrating that remaining 1 percent is primarily a question of investing additional time and money. There used to be a famous and much-debated air force concept that “the bomber always gets through.” The sobering fact about the current state of cybersecurity is that the “hacker always gets through.” For the foreseeable future, cyber offense is king.
According to some reports, one of our nation’s most closely guarded secrets—the advanced technology for the stealth F-35 Joint Strike Fighter jet—already may have been stolen by hackers from China. The evidence suggests that they did not penetrate the Pentagon’s defenses, instead acquiring the data by infiltrating the computers of as many as nine defense contractors. As a result, we may be spending hundreds of billions of dollars and staking the future of our air forces on an aircraft for which our adversaries apparently have stolen the plans already.
A defense contractor should be a hard target, one that presumably would be unhackable. Unfortunately, the number of companies successfully penetrated through cyber espionage is alarming. BAE Systems, Verisign, Citi, Booz Allen, Google and NASDAQ lead the hit list, and these were all just in the past two years. And since most companies and government departments hush it up after they are hit, the real toll is probably far worse.
The recent disclosure of details about the origin of Stuxnet and its penetration of Iran’s high-security nuclear facility at Natanz provide a graphic example of the current dominance of offensive cyber operations. The U.S. examples above also should serve as a sobering reminder that Iran is not the only nation whose elaborate cyber defenses are vulnerable to a well-resourced and committed state actor.
In light of this state of affairs, are cyber defenses even worthwhile? Yes, even though they cannot provide us with perfect protection, cyber defenses do serve a valuable purpose. According to information from Verizon, 96 percent of intrusions succeed because defenses are so poor that infiltration is relatively easy. In fact, the majority of cyber threats are this type of low-level probes swarming the Internet for targets of opportunity. As President Obama recently warned, too many companies have poor cyber defenses, and some lack “even the most basic protection: a good password. That puts public safety and our national security at risk.” Improving security raises the bar to keep out these rudimentary attacks, leaving defenders time to focus their attention on more sophisticated threats to their high-value assets.
This attention to basic security will decrease the number of successful cyber threats from millions of clever hackers to a handful of usual suspects with the resources and intent to attack a cyber-resilient system. Stronger defenses require greater costs, time and skills to be overcome.
Policy makers must understand this distinction: Complete cybersecurity is a myth, but cyber resiliency is obtainable and worthwhile.
Jorge Benitez is director of NATOSource. Jason Healey is the director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow them on Twitter, @NATOSource and @Jason_Healey.