One problem, however: the news media too often directs us from the real issues. While some cyber espionage uses highly sophisticated tools, in most cases, the biggest hacks involve very simple and quite unsophisticated tools to get into our systems. The best analogy is that we are leaving our doors and windows open. The bad guys don't need to (and often can't) pick locks.
Evan Osnos had a piece in the New Yorker today (with the great title "How Not To Freak Out About Cyber War") that does a good job making this point:
As Osnos notes, while policymakers spend a great deal of time and attention devoted to applying Cold War deterrence thinking to cybersecurity, what we really ought to be thinking about is "why don’t accounts like Podesta’s have two-factor authentication by default?” You can read the entire piece here.Almost always, journalists and analysts describe the latest cyber attack as a “sophisticated” operation, even when technical experts describe them as ordinary and preventable. Ben Buchanan, a Harvard researcher and the author of a new book called “The Cybersecurity Dilemma,” wrote this week on the Cipher Brief, a security blog, that “when every case is described as unprecedented and every threat actor billed as nearly unstoppable, it fuels what I call ‘the legend of sophistication.’ The effect of such a legend is to paint a picture of a world with so many talented adversaries that practical cybersecurity is out of reach.”In some cases, the costliest attacks are relatively low-tech. Hackers accused of working for Russian intelligence breached the Gmail account of John Podesta, the chairman of Hillary Clinton’s campaign, using an old-fashioned technique called “spear-phishing”: sending an e-mail under false pretenses to garner personal information, such as a password. Thomas Rid, a scholar at King’s College, in London, told me, “It’s like an I.E.D. In the nineties, leading up to Afghanistan, you had this expectation that the future of warfare would be very high tech, and that America would be leading because the American Armed Forces were spending so much money on network-centric platforms. But then what happened is the I.E.D. improvisation. If you drive with a vehicle that has wheels, it can be attacked. If you have an e-mail account, it can be hacked.”