60 Minutes on Cyber-security: More Harm than Good?
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
I am forced to watch 60 minutes every time they cover any topic related to cyber-security so I can get a sense of how dumbed down the news media thinks their reporting has to be to convey their message to the general public and how informed the reporters seem to be about the material they are covering.
In Sunday night’s Episode 19, entitled “DARPA: Nobody's safe on the Internet”, I learned the answers to both questions. 1) Really, really dumbed down, and 2) not very informed at all. Lesley Stahl covered this segment.
Did any of you watch it? If you did and have an opinion of this kind of reporting, please share it with me.
I thought it was frightening. If “The oldest and most-watched newsmagazine on television” that “gets the real story of America's most prevalent issues” is an example of how well our supposedly well-informed journalists understand the real world of cyber-security, then it will be no surprise that the Federal government has attacked the problem thusly:
- The Department of Defense has put a man in charge of inventing technology to secure the Internet by the name of Dan Kaufman, who is a former video game developer, and
- Given him a staff of 25 “brainiacs” and a budget of … wait for it … $500,000,000 a year to
- “Do something to help national security. So make the world a better, safer more secure place.”
Yes, no typo; $500 million a year. Here are a few companies that make $500 million a year or less:
Adobe, Teradata, Electronic Arts, Autodesk, BMC, NetApp, CDW, SAIC, JetBlue, Booz Allen, Cablevision, Equinix, E*TRADE, Raymond James, NCR, Hyatt Hotels, Pitney Bowes, NASDAQ, Neiman Marcus, Alaska Airlines, Foot Locker, Hilton, Wyndham, Dun and Bradstreet, Starbucks. And many more, but you get my point.
I cannot imagine how we (as in our tax dollars) can spend $500 million a year on 25 guys and some cloud services with the vague objective of “making the world a better, safer more secure place”. But, what do I know?
Here’s how Danny characterized the job search that led him into his current role:
Kaufman: I did what all nerds do. I went to Barnes and Noble. And I got a big book. It said "Government Jobs." It was a big book. And I thumbed through it. And I said, "I will find something and I will donate some time." And I decided I would hunt serial killers. So I cold-called the FBI. I'm sure I'm still on a list somewhere. And I said, "You don't know me, but (laugh) I want to do this." And they told me I was too old.
But eventually his resume got noticed by the Department of Defense that saw an advantage to bringing in someone familiar with the language and the hardware of videogames.
Lesley Stahl: So you're working for the military?
Dan Kaufman: Absolutely. Part of the Department of Defense. And we don't do incremental improvement. So the idea is it has to be something really revolutionary. (Code for no project plans; just free-wheeling coders and video-gaming) Cool.
60 Minutes Announcer: This man is working on artificial intelligence software that would detect a hacker attack in real-time and plug it in milliseconds with no humans involved. If such technology had been available to Sony that breach from North Korea could have been plugged right as it happened. (There they go with the North Korea thing again.) When DARPA first invented the Internet 50 years ago, they just didn't imagine hacking would become such a problem. (Well, it was actually 60 years ago but who am I to quibble?)
Well, as many of us know, they couldn’t have “plugged [that breach] right as it happened”, because AI software to detect APTs doesn’t exist yet and so, in addition to this being bogus reporting, it also implies that the millisecond plug is right around the bend – as if, it will fix all cyber-attacks miraculously and the world will suddenly become a “safer and more secure place”. Sorry. Won’t happen, Dan.
Lesley Stahl: Can the Internet be fixed? Or do we just have to throw this one out and build a whole new Internet from scratch, with security built in?
Dan Kaufman: I don't think the Internet is broken. I think the things we put on the Internet are broken. What we're doing is we're putting a lotta devices on it that are unsecure.
This is the frightening part. Of course the Internet is broken. At least in the context of Lesley Stahl’s question. The Internet was never designed with security in mind, ergo it’s “broken”, and yes Lesley, we need a new one. It might have been useful to explain why that might be a problem, instead of launching into her next line of inquiry.
Which is … Lesley gets behind the wheel of a car to demonstrate all the ways that hackers can take control of the onboard computers and create havoc with her driving attempts.
Lesley Stahl: How many computers do you think is in a car like this?
Kathleen Fisher (a DARPA veteran): Somewhere between 30 and 50.
Lesley Stahl: Here we go!
This is followed by lots of shrieking and screaming while her attempts at steering, braking, accelerating, etc. are foiled by the imaginary hackers.
Lesley Stahl: --I cannot-- oh, my God. I can't operate the brakes at all. Oh, my word. That is frightening.
60 Minutes Announcer: While there's no known case of a car hacked this way, security cameras have shown cars burglarized by hackers unlocking doors. You can find software to do that online for $25. All this has alarmed Sen. Ed Markey. Tomorrow he is releasing a scathing report revealing that nearly all new cars can be hacked, but that only two out of 16 carmakers can "diagnose or respond to an infiltration in real time." (Okay now, a US Senator is alarmed. He’s probably shocked as well. Who are these people and how did they get into office?)
60 Minutes Announcer: DARPA researchers got involved in hacking cars and the Internet of things in an effort to invent unhackable code for military drones.
Lesley Stahl: And is your goal to do it for drones and then have it apply to cars and my refrigerator and things like that.
Dan Kaufman: Exactly right. I think that’s when DARPA's at its very best. (huh?) We're solving a specific problem for the military, I want to make sure their systems are safe; but I would like everything to be safe.
60 Minutes Announcer: And now DARPA Dan is trying to reinvent search engines. (DARPA Dan?) Traffickers who sell weapons or young girls online remain largely hidden from authorities. Kaufman and his team set out to remedy that. First they studied the time-consuming way law enforcement agents bust sex trafficking networks by clicking on one sex ad or link at a time on commercial search engines. (I’m not making this up. Honest.)
Dan Kaufman: And we watched, and they did what you'd think. You know, they put an address of a massage parlor or something, and then they'd write it down on a yellow stickie, and then they'd try to build in each to each to each. And we looked at that, and we said, "There has to be a better way." ($500 million a year)
Especially considering that Google and Bing don't penetrate the dark web, where most illegal goods are advertised and sold. So DARPA invented Memex, with which you can click just one button and all the hidden information scattered deep in the web about an illicit activity is pulled together and revealed.
I am assuming he meant the deep web, where search engines don’t index and not the actual dark web which refers to lost address spaces that no hosts can reach. The deep web is difficult to crawl for reasons I won’t go into here, but it is also where most of the nefarious Internet trafficking occurs (drugs, money laundering, murder for hire, vast child pornography rings, etc.) and is reachable through the anonymity network called Tor.
Now, this IS an interesting story and one which 60 Minutes might do well to cover because it is actually where the next Cyber-wars will be fought and understanding how all that works would be, oh I don’t know, informative?
Lesley Stahl (Completely ignoring the “dark web” comment): So the--you're building the network.
Chris White (who invented Memex): Building the network. That's right.
60 Minutes Announcer: Memex is so effective the White House has asked to see if it could be used to monitor ISIS. A downside is that Memex could also invade our privacy. (hahahaha)
Lesley Stahl: So, what do you do? You throw this out there, and it can do many good things, but there's the dark side.
Dan Kaufman: There's always a dark side and it's something we wrestle with tremendously. Our job is to sort of say, "This is what it is. Let's decide how we want to use it." And then with some of the new programs we're working on just beginning now, are there ways that I can get in here and still protect your privacy?
Lesley Stahl (completely ignoring the whole privacy issue): How much of your time is spent inventing things for the NSA?
Dan Kaufman: Almost none, actually.
60 Minutes Announcer: He can't control how his inventions will be used...these aren't videogames, after all. But when it comes to beating the hackers out there, Dan Kaufman has total confidence. (Even though these aren’t videogames, after all)
Lesley Stahl: Are you worried at all that by showing us all the new wowie-doo things you're working on that you're going to give car thieves an idea or you're going to give someone who wants to break into my refrigerator an idea or a terrorist an idea?
Dan Kaufman: I think they have lots of ideas on their own. And what I want 'em to know is that there's somebody smart on the other side who's going to make that way harder. I want them to think twice. (yeah, I’m sure they are thinking twice now)
I don’t know DARPA Dan and have no opinion of him other than what we saw in the 60 Minutes segment, but perhaps a news flash is in order: Nine years ago, a guy named Marc Benioff wrote a report as the co-chair of the President’s IT Advisory Committee on Cybersecurity to President Bush: https://www.nitrd.gov/Pitac/Reports/20050301_cybersecurity/cybersecurity.pdf
He pretty much covered the subject and it might save DARPA Dan and Lesley Stahl a little time. In particular, one comment stands out:
“Cyber security is a complex and multifaceted problem. There is no silver bullet.”
Nine years later the problem has only gotten more complex and increasingly multifaceted. I suggest we need a modern day Manhattan project with a little less wowie-doo and a whole lot more strident engineering. There are serious guys around like Christopher Kruegel and Giovanni Vigna of LastLine and Nova Spivack and Dominiek Ter Heide of BottleNose who have spent big chunks of their lives working on actual Internet, data and threat intelligence problems who might just be interested in helping.
And yes, I understand that 60 Minutes is a news entertainment show, but for a bunch of people who take themselves so seriously, you would think they might be able to tell the difference between a video game problem and a global threat. Just saying.
Digital Transformation in Media, Payments, Financial Services and Communication
Steve, great piece. Likely there are many questions behind this question. While we look at new ways to keep out unwanted access, stopping malicious use of credit/identity data via out-of-band authorization to mobile is almost never used. The hack of Aetna exposed enough data to access other sources of data that will undoubtedly be used for widespread identity theft. Yet we lack necessary legal requirements on credit issuers to use out-of-band identity verification on credit issuance. Similar methods can be mandated and used to retard other types of access or update hacks. While corporations and the net build better moats, it's critical that we also look at defeating the use of data to do harm when the moats fail or are breached. Facilitating active verification, and requiring it by law and shifted liability, can clearly help.
Cyber Security is touted as a trillion dollar problem. Spending $500M on this big of an issue is an insignificant amount--they probably spent the $500M for R&D work done by large defense contractors. The larger issue is that everything Tech and healthcare related is super expensive in the US due to artificial shortages created by shortage of medical and engineering schools, and curriculum from the 1960's. DARPA consultants likely charge $500/hr while they wait to get minimal clearances to get their job done. A multitude of operational improvements are needed in the defense/government sector before these costs come down. Until then, taxpayers bear this burden of inefficiency.
Salesforce Sales @ Coforge
That is amazing - I was considering watching the episode but glad I didn't. Reading your review was entertainment enough. I am still laughing out loud regarding the important data that is lurking inside the refrigerator that is mentioned a couple of times. More harm than good - indeed. 500 million a year! Our refrigerators should be safe....