by munificent 1570 days ago
Is it just me, or does it seem crazy that we all just accept that private businesses are obligated to protect themselves from state-sponsored hacking?

Imagine if Wal-Mart had to fund a private air force and patrol over their stores in order to combat foreign bombers coming in and everyone was like, "Yeah, that's just how it goes."

Isn't a primary responsibility of government to protect its citizens and businesses from other states' militaries?


I think that the closer metaphor would be if an American business was having to hire private security resources because it was on some resource-finding expedition in an unsavory part of the world, which is exactly what happens all the time. Exposing your business to the internet is like opening up an infinite number of storefronts everywhere, and a good number of those places are not where you want to be.

Exactly - the internet is a hostile place, because of its openness, which is (was?) a core design trait. As much as it hurts, you can't have the freedom of the internet without allowing bad actors some degree of freedom, too.

It isn't really a great comparison because while land borders are clearly defined and the military can easily march up and repel some invader, that's not the case for digital attack surfaces.

Every company's IT looks different, it's hard to tell whether an attack is private or state sponsored, often where or who it is originating from, and how to defend against it varies from case to case.

So it's hard to imagine what exactly it is that the government is supposed to do at a company level. Of course at an ISP level or when it comes to national infrastructure the government can do things, but I don't see how the government protects a middle-sized business from cyber attacks.

The government could probably do a lot of preventative things like sponsoring and funding security audits of open source software, but when some hacker exploits my broken config or some API it's not clear to me how the government is supposed to prevent that. They can't read every line of source code in the country.

Realistically, I'd like to see the government develop software and tooling to mitigate these concerns. They already do at a low level for cryptographic primitives (like SHA and RSA). Maybe they do the next couple of abstraction layers up: a secure OS image that's regularly patched, a web server, a programming framework, etc.

Currently those layers are roughly provided by the big tech companies, and the government's involvement in making those more secure is PhD students and curious professors from (public) universities. It would be nice if that was a more directly employed org in the government.

I could see this happening as the processes mature. The Air Force already has hardened repositories for containers etc and "Factory in a Box" type configurations that the Defense Industry is supposed to start adopting for new programs. It is really neat, though it's so low-level at this point that it won't make sense for small businesses to use it unless their underlying platforms like Shopify, Instagram, and Blogger do.

https://software.af.mil/dsop/services/

> while land borders are clearly defined

I think we take for granted that they are clearly defined now because nation-states worked very hard to define, create, and enforce that concept. As I understand it, for most of human history there was no real notion of a well-bounded state and even today sovereignty is hotly debated in some areas.

So, it's not that enforcing land borders is intrinsically easy. It's that it appears easy because nations adopted it as their responsibility and do the work. Look at how much political energy was expended around Trump's wall between the US and Mexico to get a sense of how complex and effortful land borders are.

I don't see any reason that Internet sovereignty couldn't be equally well-defined and defended... except countries simply aren't doing it.

The difference is that the geographical boundaries of nations are (to a large extent) found, not made. So the lines of defense run along natural ones. If you're talking about building one on the internet you're talking effectively about creating the equivalent of the Chinese firewall.

The inter-net as the name suggests is a network, not a perimeter and runs across boundaries. If you want Trump's border wall on the internet you're talking about handing the government sole access and control to all information going in and out.

That's way beyond cyber defense of private business. And looking at some countries engaging in this right now you better be careful what you ask for.

Boundaries are established, they are not "found". Algeria, Angola and Namibia. Check the borders of those 3 countries, there is nothing natural about those borders.

Countries try to enforce their borders. And they normally regulate traffic through customs; the rest is deemed unlawful.

More on the point: the current internet is a mess. Hopefully it collapses and a new network is built, with security in mind this time.

> So the lines of defense run along natural ones.

I think those boundaries are a lot less natural than you think when you take into account things like embassies, extradition treaties, etc.

The same could be said for buying door and window locks vs the responsibility of local police to guard your home.

This feels a bit reductionist. Parent post specifically calls out state-sponsored actors. It's fine to expect and require doors, windows, and locks. It is not fine to expect a commercial business or individual to have their own tanks and military on hand.

Organizations do bear responsibility for their security posture--and many have spectacularly failed in this responsibility--but let's not pretend that an employee being phished is equivalent to something on the level of the SolarWinds hack or any one of the many nasty bits of malware coming out of Russia.

State-sponsored attacks are well funded and leverage one or more 0-days, which by definition cannot be defended against. The only way to stay ahead of a 0-day is to find it first, and that requires resources and expertise even large organizations are hard pressed to find in the numbers required.

I lock my door to keep out other US individuals from robbing me, not to keep out China and Russia.

World's smallest fiddle. All the cyber talent is going to industry already because the popular mythology says government employees are shit and shouldn't make a dollar. I'll bet there are some politicians (and voters) who would go so far as to say government employees should pay the government for the privilege of working.

Meanwhile, the high risk basic R&D spend that underpins many US businesses (including most grad student salaries and research grants) is from the US Government. Every time one of those fails (Solyndra) the press points it out as a failure of government. Every time it succeeds (SpaceX) it’s attributed to the scrappy entrepreneur and the government subsidy be damned.

The risk is socialized onto the taxpayer and the gains are privatized to the very rich. Look at the iPhone: internet (DARPA), cellular (developed to Army requirements based on Vietnam radio problems), GPS (DoD), multitouch (University of Delaware on an NSF grant). How about the Sand Hill boys spend some of that money on security instead of inflating Atherton real estate prices and laundering money through modern art auctions?

I tend to agree. And it does seem like the US Gov has stepped up more and is doing tighter industry cooperation (see Ukraine MSFT).

But there's also a perverse incentive. Offensive capabilities hidden and not patched.

And there are also issues with responding on US soil or assets.

Like would it be legal for NSA to proactively go into Google's networks or some internet infrastructure device without permission or court order? Even to do something good?

I wish people would think this through, think about the federal government protecting you from state-sponsored terrorism.

Do you really want the TSA on the internet? Because that's what you're asking for...

Businesses also need to protect themselves from burglary, despite that we have the police; fire, despite the fire department; et cetera.

Government is not an abdication of responsibility.

OP specifically addressed "state-sponsored hacking".

Not petty crime and local burglary.

I suspect you'll find that the state does involve itself in organised crime, smuggling, consumer and securities fraud, and the like.

If we accept that philosophically, how does it work in practice? Does the government provide a Cloudflare-like service that we all put our sites behind?

Good point, but the government/FAA controls the skies and not the internet, which may or may not be a good thing.

Are you suggesting the NSA should spend most of its budget on ensuring domestic businesses have better security (even if that means foreign businesses do too), instead of ensuring that foreign businesses have bad security (even if it means domestic ones do too, and that's being overly charitable and thinking US-based businesses being hackable by them isn't one of their goals too)?

What a shocking idea!

I don't think we want to lose ground on ownership or regulation of the internet.