Why America will never be safe from cyberattacks

Hackers continue to target the U.S. and its allies, and there's, unfortuantely, no end in sight. (AP Photo/Altaf Qadri, File) (ASSOCIATED PRESS)

Wednesday, March 17, 2021

This article was first featured in Yahoo Finance Tech, a weekly newsletter highlighting our original content on the industry. Get it sent directly to your inbox every Wednesday by 4 p.m. ET. Subscribe

It's impossible to stop all hacks, and a lack of cybersecurity experts isn't helping

The U.S. government is still managing the fallout from two separate, massive cyberattacks linked to Russian and Chinese hackers, with a White House task force meeting this past Monday to probe the most recent attack, which involved Microsoft’s (MSFT) e-mail software.

On Thursday, the Senate’s homeland security committee will hold a hearing to probe the other attack, which exploited a vulnerability in a software company called SolarWinds (SWI) in one of history’s most far-reaching cyberattacks on governments and private companies.

While Washington grapples with how to prevent another attack of this scale, the hard truth is this: There’s no such thing as a foolproof cybersecurity defense. And the United States will never truly be safe from all cyberattacks.

The reason such systems don’t exist? Because human beings write computer code. And despite being incredibly smart, those people make mistakes. And each minuscule error creates one more pathway for hackers to launch cyberattacks.

“Nobody knows how to make a system that is usable and perfectly secure. Nobody knows how to do that,” Herbert Lin, senior research scholar at the Center for International Security and Cooperation, told Yahoo Finance.

But there’s a crucial way we can trip up some attackers — namely, grooming a new generation of cybersecurity experts.

Cyberattacks can be prevented, but they’ll never be eliminated

The nation’s vulnerability to cyberattacks became particularly apparent in December of last year, when the Russia-linked SolarWinds hack was uncovered.

As I wrote at the time, the SolarWinds attack was especially insidious, as it touched everything from Cox Communications to an Arizona county to the U.S. agency that oversees the nation’s nuclear arsenal. In January, The New York Times reported the hack had involved as many as 250 federal agencies and private businesses.

It didn’t take long for another major hack to rear its head. On March 2, Microsoft revealed its Exchange software had been breached by Hafnium, a group sponsored by the Chinese government that it described as a “highly skilled and sophisticated actor.” It was the eighth time in 12 months Microsoft had disclosed nation-state groups going after entities “critical to society,” according to the company, which itself had helped the U.S. government respond to the earlier SolarWinds attack.

These attacks keep happening, in part, because the battle between cybersecurity experts and hackers is a game of cat and mouse exacerbated by the increasing amount of digital data.

“There's a constant back and forth, where companies are trying to do as much as possible, in theory, to protect data, and hackers are constantly trying to find new ways around it,” Jessica Vitak, associate professor at the University of Maryland’s School of Information Studies, told Yahoo Finance. “But I think what we're seeing here is the inevitable result of more and more data being collected and stored digitally.”

Microsoft President Brad Smith testifies during a Senate Intelligence Committee hearing on a series of data breaches within several agencies and departments in the U.S. federal government. (Photo by Drew Angerer/Getty Images) (Drew Angerer via Getty Images)

Think of hacking this way. You’ve got a suite of disparate systems and services that your company or government agency relies on every day, each powered by hundreds of millions of lines of code. And that code is written by people.

Inevitably, someone writing code for a program will make a mistake that finds its way into the sea of characters that make up the final software. It’s not just issues with code, either. Breaches can happen when systems aren’t configured properly, or passwords aren’t changed regularly.

To ensure that hackers can’t launch indiscriminate attacks, security professionals need to work around the clock to lock down their software. As Stuart Madnick, professor of information technologies and engineering systems at MIT, explains it, hackers exploit the asymmetry between themselves and a system’s defenders.

“If your building has 20 doors on it, your job is to make sure all 20 doors are kept locked at night,” Madnick explained. “The burglar only has to be able to find one door that isn't locked. So it's kind of a 20 to one advantage.”

Cloud computing also has its own vulnerabilities. While cloud services can cut down on the number of doors a burglar is trying to smash through, it gives them a bigger entryway to target.

Of course, cybersecurity experts always poke and prod software to find potential vulnerabilities they can then shore up. But cyber attackers are just as diligent in their search for weaknesses, as well. And when they find them, they can launch so-called Zero Day attacks.

Zero Day attacks are especially troubling, because attackers can exploit vulnerabilities until cybersecurity professionals discover them. And even when they are found out, the attackers can continue to exploit the vulnerability behind a Zero Day, because the software being hit needs to be patched to shut down the attack vector. And doing that can take weeks or months.

More training and more cybersecurity professionals

One of the keys to preventing at least some cyberattacks is for companies and government organizations to think about security right out of the gate.

“When we just look at the Internet of Things and smart home technology and smart city technology there's a push for the technology, without pairing that with proper understanding and respect for ensuring security measures are taken,” Vitak said.

Outside of keeping cybersecurity top of mind, it’s crucial to attract more students into the cybersecurity field. According to (ISC)2, an international nonprofit representing information security professionals, global organizations need to add at least 3.1 million more cybersecurity experts to their payrolls to secure their operations. The U.S. alone needs to add more than 350,000 cybersecurity jobs.

What’s more, the pandemic has seen cybersecurity professionals pulled from their full-time jobs to assist in shortfalls in day-to-day web operations. While there’s no such thing as a perfectly secure, connected system, the incredible shortfall in cybersecurity professionals is making a bad situation even more dire.

“I'm seeing a generation of developers that really understand how to write cool apps, how to call libraries, how to make something that's really attractive to you as a consumer,” says Hanan Hibshi, a researcher and teaching faculty at Carnegie Mellon University’s Security and Privacy Institute. “But we do not have enough of those who understand what's going on under the hood.”

By Daniel Howley, tech editor. Follow him at @DanielHowley