Tuesday, January 24, 2012

Who Would Want to Take Down the Internet?


To break this down we’ll use Mikko Hypponen’s TED talk as a framework. Mikko did a fine job categorizing and articulating the three main types of online attackers. They are cyber-criminals, hacktivists, and nation-states. While the hacking techniques they use might be very similar to each other’s, each group has a unique set of motivations that drive their actions.

Hacktivists, such as Anonymous, LulzSec and others, are among those who leverage hacking skills as a means to promote a social or political message — a form of protest, if you will. A hacktivist might deface websites, publish stolen sensitive data, or perform targeted Denial of Service attacks, but by and large their agenda does not lead them to take down the Internet. Quite the contrary. If hacktivists disrupted the Internet, they couldn’t spread their message, nor could others receive it and join the protest. Not to mention that hacktivists are notoriously heavy supporters of the Internet — a free and open Internet.

Cyber-criminals, all they want is to make money. As much money as they can get their hands on. Cyber-criminals will hack their way into online accounts, directly or via compromised end-user PCs, and steal whatever money and data of value there is. Cyber-criminals may also launch a Denial of Service attack against a website to extract some extortion money, but just like the hacktivists, taking down the Internet would only obstruct their ability to profit. If the Internet went down, it would actually cost them money, as they would not be able to sell access to their botnet farms.

This leaves us with the nation-state, a type of online attacker that is government backed, whose mission is the theft of intellectual property, intelligence gathering, and surreptitious command-and-control over as many critical systems as possible. Nation-state hackers would also not seem to want to take down the Internet, because it would directly prevent them from continuing their mission, especially when their targets are other countries. They’d lose their surveillance capabilities. However, there are exceptions here: two very particular scenarios where a nation-state taking down the Internet makes sense.

In the first scenario, a nation-state attacker would take down an enemy country’s Internet access as part of an active, kinetic military conflict. The Russia v. Georgia conflict back in 2008 serves as a good example. Russia was accused of attacking Georgian government websites in a cyber war to accompany their military bombardment.

In the second scenario, when the nation-state’s enemy is domestic in origin (i.e. the people), taking down or severely limiting Internet access for the entire country can be used to suppress citizen dissent. There are reports of this having occurred in Egypt and Iran — massive surveillance, disruption of communication, and censorship.

So when you get right down to it, the only attacker with the motivation to “take down the Internet” is government backed. And in either of the two scenarios, if your Internet goes down, your own government will be responsible. For myself, as one always considering the most pressing day-to-day threats to Internet security, I’m less concerned with whether the Internet can be taken down than with what happens while it stays up.


Monday, January 23, 2012

TEDxMaui -- Hack Yourself First

Update 04.12.2012: Video of the presentation embedded below.

Ten years ago if you would have told me that I'd be back living in Hawaii, founder of a fast growing technology company, and a TED speaker -- I would've said, "What's a TED?" Preparing for TEDxMaui was extremely difficult. The presentation format is completely different from anything I’ve ever done before. It was limited to just 18 minutes as opposed to 50, and given to an audience of everyday people eager to see something amazing, instead of security professionals and high-tech workers. The message had to be crystal clear. Since TEDxMaui videos won’t be published until late February, you’ll have to settle for my substandard textual description for now.


I wanted everyone, both the viewers in the audience and those who would eventually watch the video, to deeply appreciate the crucial importance of Internet security. I want everyone to know that to discuss Internet security is really to discuss our economic well-being and our national security, and I want everyone to know that both are under attack -- every single day. Most of all I wanted everyone to know that hacking, and people learning how to hack, is absolutely essential to defend ourselves. I labelled this concept Hack Yourself First, the title of the presentation. Hack Yourself First advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.

Before presenting Hack Yourself First I had to first imagine how the audience would respond. Most watching undoubtedly have only had negative experiences with the words “hacking” and “hackers.” All they likely knew of hacking is in relation to viruses infecting their computers, stealing money out of (their) bank accounts, TV interviews of shadowy characters wearing Guy Fawkes masks, salacious articles featuring cyber villains, and of course bad Hollywood movies. Whether we like it or not, these are the ambassadors of hacking, so the idea of teaching cyber-offense skills might be considered akin to illegal activity. Just the same, there I was on stage revealing that, “Yes, I am a hacker -- but not like them.”


I don’t know what precisely it was that I said, but the message of Hack Yourself First undoubtedly resonated in a big way. No less than a hundred people introduced themselves to me afterwards, excitedly asking, “How do I learn to hack myself first?” Perhaps I shouldn’t have been, but I was blown away. And not just the very young or student age; I’m talking about people 45 up to 70 years old with zero technology background. Maybe it was because I taught them a simple hacking trick, a simple hacking trick they could grasp, and even do, like those from my “Get Rich or Die Trying” presentation. Suddenly the fascinating subject of hacking, which they previously assumed was too complicated to learn, was approachable. I taught a TED audience how to hack! How cool is that!? :)

Many in the information security industry have been trying desperately and in vain to raise Internet security awareness among the masses. We repeatedly give people laundry lists of what not to do, and it isn’t helping. Better awareness, and better overall Internet security, could be accomplished through Hack Yourself First. Teach anyone and everyone who wants to learn how to do the actual attacks the bad guys use against them, perhaps packaged up in a Capture-the-Flag format. That would be a lot of fun for everyone. When people know precisely how hacking works, they’ll be in a better position to spot attacks against them and be on their guard.

I came to TEDxMaui to share my ideas with a wider audience, but what I came away with was more ideas from them about where we can take Hack Yourself First. 

Tuesday, January 03, 2012

Who are WhiteHat Security’s competitors? — It’s not who you think


A significant portion of my travel schedule is dedicated to meeting with InfoSec teams at organizations large and small, mostly asking questions about the current status of their application security programs. From the interaction I learn A LOT about today’s most pressing challenges, such as what strategies [really] work, which [really] don’t, and what direction things are heading. Budgetary resources, or the lack thereof, are easily the most commonly cited obstacle to progress, second only maybe to management & developer awareness, which is probably the root cause.

During the same discussions I’m often asked by prospective customers, industry analysts, and the media too, “Who does WhiteHat Security compete with?” Sometimes the question is asked to better understand how we’re different or what problems we help solve. Other times the question is about getting a clearer picture of where WhiteHat Security fits in the market. I typically answer with the names of the usual suspects, how they are either a desktop scanner or a billable hour consulting shop, while we’re a better, more efficient, scalable option as an on-demand subscription service. The more I repeat this, though, and the more of the aforementioned discussions I participate in, the more I find this answer wholly superficial and inadequate.

Here’s the thing. By the time serious application security planning takes place, when it comes time for organizations to invest real $ in executing a strategy, 90% or more of the InfoSec budget has normally already been spent or spoken for — spent protecting the network and hosts. Important layers, to be sure, but that leaves just a tiny fraction of the pie available to address the biggest and most important problem the entire security industry is facing. Crumbs to protect the area of IT where the business invests the most money creating — software. Let me put this another way. Every firm, every person in the application security field, more directly competes with firewalls and anti-virus products.

The big security companies out there, the guys who peddle these products to those who purchase them out of habit or compliance mandate, also simply don’t “get” application security, nor do they care to. This is understandable, since the overall application security market is still too small for the mega-corps to care about. That’s just basic business economics. If one of their customers wants to invest in application security, to them that probably just means swapping dollars away from their firewall & AV cash cow, and zero net new revenue to them. Yet they’ll be happy to sell you a cheap widget that is “better than nothing,” and/or toss it in as part of a larger “enterprise” sale.

Organizations are starting to figure this game out though. They are asking why their firewall, anti-virus, and intrusion detection systems didn’t protect their multi-million, multi-billion dollar Web-based business from getting hacked — for the money or the lulz. With every breach headline, more and more are realizing how little of what they spent 90% of the budget on is designed to do anything of the kind. This is precisely why I’m optimistic about change. 2012 is going to be an important year, a year where application security becomes too painful to ignore.