Don’t miss this excellent piece, over at the Volokh Conspiracy, by Stewart Baker about the opportunity created by the poor cybersecurity habits of hackers. Here’s Stewart’s distillation of the issue at the opening:
Right now, policymakers are intent on improving network security, perhaps by pressing the private sector to improve its security, or by waiving outmoded privacy rules that prevent rapid sharing of information about attackers’ tactics and tools.
Those things would improve our network security, but not enough to change our strategic position—which is bad and getting worse. The hard fact is that we can’t defend our way out of the current security crisis, any more than we can end street crime by requiring pedestrians to wear better and better body armor.
That’s why I’ve been urging a renewed strategic focus on catching attackers and punishing them. Catching and punishing rulebreakers works for street crime. It even works for nation states. So why hasn’t it worked in the realm of network attacks? Mostly because our intelligence community insists that attribution is just too hard.
I think that’s wrong, and I’ll spend this post explaining why.
My theory is simple: The same human flaws that expose our networks to attack will compromise our attackers’ anonymity. Or, as I put it in speeches, “The bad news is that our security sucks. The good news is that their security sucks too.”