
U.S. Cities Strain to Fight Hackers - Bostonian
https://www.wsj.com/articles/u-s-cities-strain-to-fight-hackers-11559899800
======
oldjokes
Replace "cities" with "any organization that is not tech first" and you'll
still find hundreds of win 7/vista/xp machines that have never been patched,
and ad-hoc network closet/cloud hybrid rigged solutions for everything.

There is literally no way to fix all this dumb fragile infrastructure without
a massive government program that accepts responsibility for doing so. You
need thousands of smart people going through every machine, all the software,
all the systems. These people are never going to work for Baltimore or for
Maersk, not in a million years.

Instead let's create a new government agency or pivot the NSA from its dumb
paranoid reactionary posture to more of a proactive NIST-style advisory role
on best practices, have them hack everything domestically and start fixing
things as their core mission. Make sure nobody at state or DHS or justice can
subvert this new agency, they need to stand on equal footing with any company
or agency.

Then hopefully pillage all the miserable smart people who are currently
working at mega corps and agencies who actually want to do positive,
meaningful work for a change.

Problem solved. Someone hire me to advise on their political campaign.

~~~
Kalium
Advising companies that they can and should fix things is actually the easy
part. Getting things fixed in a way that makes companies happy is actually
_incredibly difficult_. You're proposing a government agency get its hands
dirty fixing thousands upon thousands of bizarro line-of-business
applications and mission-critical excel macros. Convincing companies to update
what they see as systems that "work just fine" tends to be a Herculean task
even when you _can_ make a business case for taking on the expense and risk.

Telling a company "The government says you have to patch and is offering to do
it for you" seems like it might not go over quite as well as you might hope. I
can already see the first thought - "Do they actually care if all my systems
work the way I need them to afterwards?". Having worked in Information
Security and offered to fix things for people, my experience is that entities
going for this is _extremely rare_, even when it's just the next department
over.

As for the NSA, well, getting them into a proactive posture is a wonderful
idea! It's such a good idea that the US government decided you were right
decades ago. And acted accordingly. This tends not to make the news, so many
people are understandably ignorant. For example, the NSA publishes information
assurance best practices: [https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-standards/cgs/](https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-standards/cgs/)

~~~
helen___keller
>Convincing companies to update what they see as systems that "work just fine"
tends to be a Herculean task even when you can make a business case for taking
on the expense and risk.

>Telling a company "The government says you have to patch and is offering to
do it for you" seems like it might not go over quite as well as you might
hope.

I think a better idea is to have the new agency play an advisory /
supplemental role but otherwise place the burden of fix on the company itself.
It just needs teeth for entities unwilling to adequately resolve their IT
failures.

The EPA will bring suit to companies polluting illegally. Why shouldn't a
government agency bring suit to companies or cities risking a leak of hundreds
of millions of social security numbers, for example?

~~~
consumer451
> The EPA will bring suit to companies polluting illegally. Why shouldn't a
> government agency bring suit to companies or cities risking a leak of
> hundreds of millions of social security numbers, for example?

Maybe at first we could try an in-between solution. I hate to water things
down but maybe a scheme like a USDA Prime Beef label[0] would be more likely
to actually pull off?

If there was a NIST Certified logo on one bank/app/merchant/site that asks for
personal info, and not another, I would be much more likely to go with the
NIST one. Obviously credit agencies and gov systems need to go first.

>In the United States, the United States Department of Agriculture's (USDA's)
Agricultural Marketing Service (AMS) operates a voluntary beef grading program
that began in 1917. A meat processor pays for a trained AMS meat grader to
grade whole carcasses at the abattoir. Such processors are required to comply
with Food Safety and Inspection Service (FSIS) grade labeling procedures. The
official USDA grade designation can appear as markings on retail containers,
individual bags, or on USDA shield stamps, as well as on legible roller brands
appearing on the meat itself.

[0] [https://en.wikipedia.org/wiki/Beef_carcass_classification](https://en.wikipedia.org/wiki/Beef_carcass_classification)

~~~
AWildC182
"When a measure becomes a target, it ceases to be a good measure."

This sounds nice, but I can't help but feel like this could end up being
abused... _somehow_.

~~~
consumer451
I completely sympathize with that line of thought, but if I take that position
to its logical ends then I find myself nihilistic.

------
4ntonius8lock
I'm surprised no one has mentioned it here on _hacker_ news.

But when CFAA makes all hacking criminal, the only hackers left are criminals.

Ethically motivated hackers should have the same protections as
whistleblowers. The day that happens, the world becomes more safe and transparent.

But transparency is not what everyone wants, obviously.

I wish I was more surprised that mainstream media fails to mention this
important part of the state of cyber security in the US.

~~~
AgentME
In the process of using a town's court website to try to pay a parking ticket,
I practically-accidentally found a security vulnerability in it. The
vulnerability immediately showed me many people's personal information. I
closed the page when I realized what had happened. I didn't report the issue
because I was worried that the people running a small town's buggy court
website might be more interested in figuring out what laws I broke than
understanding the issue. I'd rather have nothing to do with it. It's the only
time I haven't reported a security vulnerability I've found. I'm probably
over-thinking it, but when there's other groups that invite vulnerability
reports and even give bug bounties, it just feels like an unnecessary risk
reaching out to ones that don't.

~~~
4ntonius8lock
Over thinking it? I don't think so.

35 years of jail time has a powerful chilling effect.

How this article could talk about the 'surprising' lack of ethical hackers
without covering this law and its abuse is beyond me.

It's like talking about the 'surprising lack of research into clinical MDMA
studies' and not talking about the war on drugs. It's like they are intentionally
ignoring the HUGE elephant in the room.

------
nwalker85
There is a big industry starting to spring up around this, data insurance. Go
to any big insurance conference and all they are talking about right now is
cyber insurance. Construction companies are asking for it for example; they've
always had to insure their employees, but now they are seeing things like
their offices being hit by cryptolockers and being extorted for bitcoin by
Russians. They can't afford to lose productivity over something like that so
they are getting insured. Those insurance agencies are working with security
consultants to help harden the networks too. So yes, this is definitely a big
problem, but the wheels are already moving to start addressing this issue,
because there is money to be made.

~~~
thephyber
It's not clear how valuable cybersecurity insurance will be if there is no
coverage for "acts of war" or if the insurer claims the insured didn't do
enough to protect/defend against it. [1]

[1] [https://www.lawfareblog.com/moment-truth-cyber-insurance](https://www.lawfareblog.com/moment-truth-cyber-insurance)

------
elipsey
How many $40K ransoms would an org have to pay before it was cheaper to have a
security team? The demands might be small to make it cheaper in the short term
to pay instead of try to fix the problem. Obviously there are large costs
external to the ransom payment, but you don't have to get those funded via
political process.

Also, in my experience working for state government, engineers were considered
a waste of money. Hiring was difficult because they wouldn't pay anywhere
close to the market rate, and techies weren't allowed to earn more than
managers. There was a parade of sales people pitching the director to lay off
the devs and outsource everything, and then pat each other on the back for
"slashing government waste." It seems like most of their apps should in
principle not need to have been completely reinvented from scratch, but
having people who don't work here responsible for security causes an
agent-principal problem; from the point of view of the contractors who don't care
about your security and the bureaucrats who don't understand it, everything
except management is just a cost center.

If you do manage to fix anything, the new director will throw it away and
start over with a new vendor contract next election. Also, if you are paid by
the gvt and are not a cop or a politician, you will be despised as a "useless
feeder" and face the risk of furlough, de-funding, re-org, hiring freezes,
etc, that make it hard to reliably get anything done.

If the public doesn't want a public sector, why fight them by trying to work
there?

I think Schneier was right to point out that security is an economic
externality, and that a high level political solution is likely necessary.

[https://www.schneier.com/essays/archives/2007/01/information...](https://www.schneier.com/essays/archives/2007/01/information_security_1.html)

EDIT: A couple of people here have pointed out that a "cyber" insurance
industry is emerging. I find this encouraging because it at least seems
possible for that to be a politically acceptable mechanism for pricing
security; your premiums could be contingent on compliance as determined by the
insurer, who has skin in the game to understand security and hire real
professionals as auditors. I'm not sure how that translates to actually fixing
security, but it seems like a start.

~~~
meesles
100% agreed. I've always found it very ironic that governments want the best
and brightest when they never pay market rates. Not only do they want the best
and brightest, they want them to selflessly serve their country at the cost of
financial advancement. Is it surprising that they end up getting the lower end
of the crop?

[https://18f.gsa.gov/](https://18f.gsa.gov/) was a fantastic move and exactly
what we need. Unfortunately, it took a group of extremely successful private
sector individuals to give up their careers temporarily in pursuit of fixing
something.

~~~
elipsey
Thanks, that's an interesting story, and a cool idea. My experience was before
I got to SF, so there was really not a lot of local talent around.

I was an intern back then, and I liked my boss and my team, and what we were
working on. I got an offer for a mid-level position, but I went elsewhere
partly because of the apparent instability.

------
javagram
These type of organizations probably need to be running all chromebooks with a
G Suite enterprise account (configured to require all employees to use 2FA).
Something that has way less attack surface than what they have now.

~~~
bytematic
Imagine getting/teaching them to use G Suite accounts, something I've
attempted once. I thought it would be the easiest possible transition.

------
Kurtz79
Could someone suggest recognized and useful certifications, for those
interested in getting into cybersecurity?

The article has a link to another mentioning CompTIA and CISSP, are they any
good?

~~~
driverdan
Study to learn skills, not to get certs.

~~~
Kurtz79
Any suggestion on good study material, then?

A lot of resources seem to be more like games than something applicable to
the real world.

------
neonate
[http://archive.is/AXk1l](http://archive.is/AXk1l)

------
parliament32
Paywalled, non-paywall link:

[https://www.wsj.com/articles/u-s-cities-strain-to-fight-hackers-11559899800?mod=rsswn](https://www.wsj.com/articles/u-s-cities-strain-to-fight-hackers-11559899800?mod=rsswn)

[https://archive.fo/AXk1l](https://archive.fo/AXk1l)

------
newswriter99
AP style should really push journalists to use the term "cybercriminals" over
"hackers".

I'm not the first to say it but the issue is growing, and it's only going to
make the public more leery of any tech-minded but innocent kid or professional
pentesting adult who uses the term "hacker".

~~~
surge
Journalists aren't that bright, they get confused at the difference.

~~~
stochastic_monk
Some are brilliant (e.g., Ronan Farrow), but the real point is that they’re
speaking to an audience which they’re essentially trying to coddle because the
audience isn’t comprised of experts.

~~~
newswriter99
You're on to something but it's a tiny bit more complicated than that.

Take general assignment reporters for example. They have to learn how to
learn.

What I mean is, they're experts on digesting new information. Because they
have to write about ANYTHING at a moment's notice, and can't be expected to be
experts on everything. THEN they have to write about that topic using only 500
words (or so) to an audience who also probably knows nothing about the topic.

That's a tall order and you shouldn't be surprised reporters get it wrong
sometimes.

------
true_tuna
Stop posting WSJ paywall articles. This isn’t a paywall advertisement service.

~~~
dang
If there's a workaround, it's ok. Users usually post workarounds in the
thread.

This is in the FAQ at
[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html)
and there's more explanation here:

[https://news.ycombinator.com/item?id=10178989](https://news.ycombinator.com/item?id=10178989)

[https://hn.algolia.com/?query=by:dang%20paywall&sort=byDate&...](https://hn.algolia.com/?query=by:dang%20paywall&sort=byDate&dateRange=all&type=comment&storyText=false&prefix&page=0)

~~~
craftyguy
If there's a workaround and it's not hard for people to find it and paste it
into the comments, then it's not hard for people submitting articles to post
the non-paywall version in the first place.

~~~
dang
It's important that the original URL be used so that readers can see what the
domain is. It's for that same reason that HN doesn't allow link shorteners.

------
bluedino
I'm painting with a broad brush here, but a lot of government employees do as
little as possible. They are union protected, so they can stay in their jobs
for a very long time. So you get a lot of the thing in IT where someone has 20
years of 1 year experience. I'm sure the budgets aren't great and the rest of
the government isn't pushing tech, but you end up with a lot of 'it works fine
just leave it as is'.

~~~
moosey
> I'm painting with a broad brush here, but a lot of government employees do
> as little as possible.

Welcome to humanity. How many people actually devote their lives to the
improvement of the human condition, or have a devotion to even the jobs that
they are working for? I fear that treating your job with the devotion
necessary to do it truly effectively means that you limit yourself and future
opportunities, because you must devote time to your own growth.

And how many people are interested in devotion to any cause or personal
growth? Personal growth is hard, and devotion to a cause, a serious one
especially, is equally painful. Understanding climate change, for instance, is
so painful that people reject it in its entirety; it could be because it is a
direct refutation to their world view, or because the idea is just so
uncomfortable on its face.

I feel as if Ada Palmer had it right when she suggests that the first rule of
Utopians must be "I hereby renounce the right to complacency, and vow lifelong
to take only what minimum of leisure is necessary to my productivity, viewing
health, happiness, rest, and play as means, not ends".

I think that's too much weight for the vast majority of humanity, and
understandably so. In America it feels as if the way society is structured is
designed to sap willpower (for example: the Atomic Family). I can think of a
number of reasons why this might actually be the planned outcome of its
current design.

------
DyslexicAtheist
Any non-paywalled links?

------
microcolonel
Don't put extremely sensitive information on the internet.

~~~
njyx
On the other hand, we want digital public services, to be able to pay taxes
electronically, to be able to vote electronically etc.

I don't think the "don't put sensitive information on the Internet" idea
really holds any water unless we expect our public services to be done with
pen and paper for evermore, while everything else goes digital. (Yes, machines
could be disconnected from the network and so on... but that's arguably just
saying "an airgap is all you need")

~~~
mtgx
> to be able to vote electronically

That's one thing we definitely shouldn't want. This case is just the latest
proving what a bad idea that is.

~~~
RosanaAnaDana
I want to be able to vote electronically.

~~~
craftyguy
Then you don't understand why it is a terrible idea.

~~~
selebrazin
Instead of such general and frankly unhelpful statements, would you mind
explaining to the previous poster why electronic voting is such a bad idea? It
may even generate further discussion instead of just downvotes.

