Unless you’ve been living under a rock, you know that our digital infrastructure is under attack. ZDNet’s excellent security coverage has daily updates, usually with names I’ve never heard of before. As the ZDNet security tagline says, “Let’s face it. Software has holes. And hackers love to exploit them. New vulnerabilities appear almost daily.”
Sadly, that’s not hyperbole. “SolarWinds attack is not an outlier, but a moment of reckoning for security industry, says Microsoft exec” is a recent headline.
Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, said,
“These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm. This is why what we do is more important than ever. I believe that SolarWinds is a moment of reckoning in the industry. This is not going to change and we have to do better as a defender community and we have to be unified in our responses.”
But Ms. Jakkal is wrong. Private enterprise can’t handle serious, nation-state digital aggression. Nations have the resources and patience to pursue long-term strategies. Even the largest corporations lack the heft of a nation.
Microsoft estimates that at least 1,000 engineers were needed to develop the SolarWinds hack. What company, what consortium of companies, could devote similar resources?
We don’t send defense contractors to fight wars. We send armed forces, backed by intelligence agencies and diplomacy – as well as the weapons defense contractors develop – to defeat the enemy.
Digital aggression is aggression
“Scale changes everything” is a Silicon Valley truism. Back when the Internet’s predecessor, ARPAnet, was five nodes, there was no money in digital crime.
Now the Internet is five billion nodes. Deep into the transition to a digital civilization, crime is following the money. The thieves, gangs, and nation-state bad actors are stealing everything that isn’t locked down: money, industrial secrets, intelligence assets, and personal data.
There’s no end in sight since “software engineering” is an oxymoron. As Randall Munroe had a software writer say on xkcd.com: “. . . our entire field is bad at what we do, and if you rely on us, everyone will die.” We don’t know how to build a digital dike that doesn’t leak. We can only plug holes after the bad guys find them.
Strategically, deterrence seems to be the only option for persuading nation states to back off. And only a strong nation can persuade another nation to chill, as the Cold War showed.
Likewise, today’s Internet needs a police force as well. The Internet is borderless, so a global force is needed to bring the criminals to heel.
Despite massive private investment in digital security, the stakes keep rising and the hacks are getting worse. Private enterprise isn’t working. Private efforts to coordinate across organizations to record and analyze attacks are not enough.
Can the US government take this on?
Don’t reflexively dismiss the idea that government could handle this. Consider the US armed forces, the world’s most powerful fighting force. Handsomely funded, well-trained, and constantly analyzing the threats America faces. That’s a blueprint for a US Digital Defense Force (DDF).
Perhaps you recoil at the thought of higher taxes to pay for the DDF. But the choice isn’t between no taxes and higher taxes. Criminals and nation-states – in Russia, they may be one and the same – are already collecting massive taxes to fund their aggression. The choice is essentially between paying for digital order and security, or paying the criminals.
America’s adversaries are actively probing our infrastructure for vulnerabilities. America’s superiority in conventional forces – for now anyway – makes a big shooting war unlikely. But crippling America’s government, power, water, energy, and medical systems all at once would help even the odds if someone wanted to take us down.
The current model of digital security isn’t working, nor is there a plan to fix it. Sorry Microsoft, you – and the rest of the private firms – don’t have the chops to take on Russia, Iran, and North Korea.
We’ve been here before. London in the early 1800s was a city of 1.3 million people with no central police force. In 1829 Parliament established the Metropolitan Police to bring order and security. Private firms and wealthy individuals had guards, but that was not enough.
Like 1820s London, we need a well-funded and trained force to stop digital muggers, gangs, and conspiracies, whether private or nation-sponsored. And we need our government to make it clear that countries that mess with our digital infrastructure will face painful consequences.
Comments welcome. If you don’t like the government idea, what would you do instead?