Protecting data is difficult. You can keep your data secure 99 times, but if the attackers get in on the 100th, you have failed.
The story of the world’s first keylogger, installed by Soviet spies into US Selectric typewriters, reminds us that intelligent adversaries require an intelligent and coordinated defense. That’s why we need a bill like the Cyber Information Sharing Act (CISA): to share information and stop the next attacks before they happen.
Without going into the gory technical details, it turns out the Soviet Union created clever little bugs to install into IBM Selectric electric typewriters used by the US government. These were installed and used to gather information on what US officials were typing. That leaked a lot of sensitive information we didn’t want the Soviets to know.
But what we can learn the most from is this fact, pointed out by Ars Technica:
The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.
The attack used on the US was not used only against the US. It was used against other countries. Had our allies not shared information with us, we might not have found the bugs until we replaced the dang typewriters with computers!
This is why CISA is important. It’s a bill that’s come up in more than one Congress that seeks to let government and private business share information about Internet attacks, without getting sued. The bill has been vilified by anarchists (who always side with pirates and hackers over honest Americans) and leftists (who simply want to see America lose now and then). So despite good faith efforts by some libertarians to work with the bill, we haven’t been able to pass something yet.
It’s a great idea though. One of the lessons of 9/11 was that we need to avoid keeping information in silos, because when information is aggregated, we can learn more than the sum of the parts. That’s true for online attacks as well. It’s also true for the private sector, as foreign attacks target them as much as they target government!
So let’s pass a bill like CISA. In the past there have been criticisms that it perhaps stomps too much on contractual agreements, but we can work out the details while maintaining the core concept. We need to share information about attacks, because successful attack methods get used more than once.
Photo by NVO on Wikimedia