Jen Easterly
In November 1988, the Morris worm—an experimental computer program written by a curious graduate student—unintentionally crippled the early Internet and exposed for the first time the serious consequences of poorly designed software. Nearly 40 years later, the world still runs on fragile code riddled with the same kinds of flaws and defects. Amid frequent news reports about hacks and leaks, a key truth is often overlooked: the United States does not have a cybersecurity problem. It has a software quality problem. The multibillion-dollar cybersecurity industry largely exists to compensate for insecure software.
The impact of persistent weaknesses in U.S. software is playing out in real time. Since at least 2021, for instance, hackers connected to China’s Ministry of State Security and People’s Liberation Army have exploited the same types of flaws that the Morris worm feasted on decades ago. These groups—referred to as Salt Typhoon and Volt Typhoon—have taken advantage of unpatched systems, poorly secured routers, and devices built for connectivity rather than resilience to infiltrate telecommunications networks, transportation systems, and power utilities. And just this year, Russian Federal Security Service hackers exploited an unpatched flaw in networking devices to compromise thousands of routers and switches connected to U.S. infrastructure. As more institutions, from hospitals to ports, rely on software to function, unsafe code is a growing threat to the United States.
These vulnerabilities endure because software vendors face few incentives to prioritize security. It remains cheaper and faster to shift the costs of insecurity downstream to customers. And because much of the code that underpins critical infrastructure is decades old, rewriting it securely has long been too expensive and time-consuming to make business sense.
But capabilities—including the accelerating power of artificial intelligence—are emerging to fix these software problems across entire digital ecosystems. This could spell the end of cybersecurity as we currently know it—and make the United States much less vulnerable as a result. But the window to take advantage of new technology is closing as U.S. adversaries, too, are looking to use AI to enhance their cyberattack capabilities. Now is the time for U.S. government agencies, large companies, and investors to work together to fundamentally shift economic incentives and use AI to improve the United States’ digital defenses. Cyberspace will never be completely safe. But the cybersecurity market as it currently exists does not have to be a permanent feature of the digital age. A better and more secure approach to software is within reach.