Steve Blank on What Hackers Are Teaching Us Right Now

In the wake of numerous high-profile attacks by the notorious hacker groups LulzSec and Anonymous, Britain’s top policeman yesterday called the “challenges created by cybercrime extraordinarily significant and deeply worrying.”

Steve Blank thinks that’s putting it mildly.

“LulzSec and Anonymous are little more than disorganized gangs that can shoot straight, but they’ve exposed how weak our systems are,” says Blank, a renowned entrepreneur who now lectures on entrepreneurship at Stanford, UC Berkeley, and Columbia University.

“Imagine that instead of using a ballistic missile or expensive planes, you have 1,000 people who are financed by a nation and whose only job, 24/7, is to take out another country’s infrastructure” through hacking.

Easier yet, suggests Blank, just read the news, where plenty of stories about attacks should serve as wake-up calls. One of them centers on last year’s successful Stuxnet attack on an Iranian centrifuge facility. (Stuxnet is a worm that targets and subverts industrial software and equipment. It reportedly destroyed roughly 900 of the Iranian plant’s 9,000 centrifuge machines.)

Blank also points to the SecurID authentication tokens that RSA Security provides to customers like Bank of America, L-3 Communications, and Lockheed Martin; information about those tokens was stolen in March during what RSA called “an extremely sophisticated cyber attack.”

Officials should have added “unrelenting.” Two weeks ago, after Lockheed also disclosed a “significant and sustained” cyber attack on its IT systems, RSA said that the information stolen from it in March had been used in that attack. It has since offered to replace the roughly 40 million SecurID tokens in use around the world.

“That wasn’t LulzSec or Anonymous,” Blank says ominously. And he anticipates much worse if the government doesn’t intervene to help harden the infrastructure of many of our “civilian” assets, including banks, utilities – even FedEx.

The reason? Our financial system, much of our healthcare, our net worth – it all exists as “bits” that could be completely wiped out, says Blank, who argues that it only makes sense to treat certain commercial systems like military assets that are essential for national security.

“Ten years ago, we didn’t have enough of our infrastructure wired into the Net to do substantial damage. Now we do,” he says. While the government goes to great lengths to protect our national assets, it’s still doing “nothing” to protect our civilian assets, instead leaving it to companies to decide what to do.

“Nothing” is a slight exaggeration. The Department of Homeland Security has identified 18 sectors of the economy as critical infrastructure and key resources, including financial services. President Obama appointed the first “Cyber Czar” two years ago. And the White House recognizes in its own policy review papers that “information and communications networks are largely owned and operated by the private sector, both nationally and internationally,” and so “addressing network security issues requires a public-private partnership as well as international cooperation and norms.”

Yet what this private-public partnership would look like remains an open question. And not addressing it in time could cost us dearly.

“It’s kind of like leaving the design and safety of nuclear reactors to reactor operators. Or not regulating the drug industry. While you hope they do the best thing, [the commercial sector’s] focus is on optimizing profits. If I’m a major U.S. bank, stopping a [potential] military incursion into [my] customers’ accounts requires more money than I want to spend. And why should I when the government doesn’t say I have to?”

Blank is quick to note that he’s “not the only one who’s been saying this.” For example, last year, Michael McConnell, a former director of national intelligence, testified before Congress that the country is losing a “cyber war” in which it is already actively engaged.

Richard Clarke, the former top counter-terrorism advisor to President Clinton and later President Bush, has also been very vocal about his concern that a cyber war could seriously and quickly derail the country, even authoring a book on the threat last year titled “Cyber War.”

As Blank points out, Clarke was laughed off as a self-promoting alarmist when the book was released, including in the pages of Wired. Then again, Clarke was brushed off when he sounded the alarm about Al Qaeda early on, too.