Written by Robert Rennie – Originally published on Medium on November 15, 2018
I just sat through yet another Department of Homeland Security (DHS) presentation describing all the “resources” they have to offer businesses to protect themselves from cyber threats. Unfortunately, this DHS representative was more on the physical security side (as opposed to cyber) so I missed my chance to ask the man directly…
Why does the U.S. government not have a U.S. firewall for its citizens and businesses? Why does the U.S. government do absolutely nothing to protect the digital assets of its country? Weird, isn’t it? Almost inexplicable.
Thus, this article is about something that has perplexed me ever since I started building business applications accessed over the Internet nearly 20 years ago.
The Current U.S. Government Approach: Militias
Let’s start with a simple analogy to the military. The U.S. government does have a military that is responsible for protecting citizens from nefarious nation states who aim to cause harm to its citizens. If China starts bombing somewhere in the U.S., the military will quickly jump into action to stop the bombing and almost definitely retaliate.
So what happens if the “bombs” are malware to either gain potential control of our infrastructure, steal our trade secrets, or otherwise extract something they need from us? Well, then it’s the target’s responsibility. If a company is hacked by a state-sponsored actor in China, it is the company’s fault and the fact the U.S. government did nothing to protect them is somehow just accepted today.
Following the military analogy, this is the same as if the U.S. government said, “we’re going to disband our centralized military and instead each individual municipality will need to create its own militia and we can advise them on the best way to do that.” So, if China were to bomb, say, Philadelphia, then the militia in the subsection of Philly that was hit is responsible for responding?
This is absolutely insane, no? Why on earth would the U.S. government delegate its single most important responsibility of protecting citizens to random organizations within the country? Why doesn’t the U.S. government do anything?
How about a U.S. Firewall?
So, given the fact that nearly every other country (whether we like them or not) is buying American-built technology to create their own country-wide firewalls, why don’t we build one for the U.S.? We build a firewall, and anyone from outside the U.S. who wants through it has to register with a Federal agency. Maybe we have partnerships with other countries such as the UK, who would be required to adhere to certain vetting requirements and bridge the two firewalls.
Part of the DHS presentation I just watched showed a real-time video of the number of cyber attacks per second, with their source and destination shown as lines, like in the old video game “Missile Command”. You only need to look at one of these to see the obvious — everyone is attacking the U.S.
Why? Because we have no government protection, no government retaliation, and security is up to individuals — it’s like the Wild West.