The point isn’t that the latest massive cyberattack came from China. The attack on the Office of Personnel Management, which has possibly compromised the personal data of millions of government workers, some of them in key areas, almost certainly originated in China. The question is who exactly, in a country of almost 1.4 billion people, is carrying out the attacks. Yes, Chinese hackers linked to specific Chinese military units – PLA Unit 61398 specifically – have been indicted by a federal grand jury, but there may be more than just military-run cyber warfare at play here. According to some, like Bruce Schneier, civilian hacker groups may be just as responsible for security breaches in the U.S., and the problem is far greater than even the Pentagon thinks. And if the Chinese military “recruits for its organizations from this self-selecting pool of experienced hacking experts”, then the creative pool of malicious talent available to groups like PLA Unit 61398 is deep indeed.

But what happens on this side of the Pacific matters even more. Cyber security experts Sood and Enbody, writing in the Georgetown Journal of International Affairs last December, state bluntly, “most software and hardware vulnerabilities are the result of poor coding practices and dearth of security understanding in the developers.” They add, “programmers prefer to have an easy way to access software for recovery purposes such as debugging.” Yes, debugging must be an irksome task for a developer, but the breakdown of a critical defense system caused by easy backdoor access is a disaster waiting to happen. Software developers need to get on board in a way they perhaps haven’t really bothered to in the past, being above the old-fashioned concerns of the industrial world. Or worse, developers treat espionage and treason as fun and games rather than a life-and-death ethical problem. Any software that has any possible connection to a critical system needs to be as bullet-proof, or spear-phishing-proof if you will, as possible, from the moment a developer begins to work on the code. That’s not going to be easy in today’s angry climate, given the backlash to NSA metadata gathering techniques. But it has to be done, and hopefully is being done. From drones being hijacked to GPS and logistical systems being compromised, the U.S. military has the absolute right to demand that contractors and developers be up to speed on cyber security. And no one has to listen in on your mobile phone calls to get that done.
