If you believe one hacker, the government can easily get into any computer at any time. If that's the case, why aren't they? It might be that the government has us right where they want us and they don't want to let us know.
I was the youngest of three brothers who all loved to play sports. Because I was almost always the smallest, it was a challenge to compete at the same level as the older kids. I'd often get down on myself because I was the weak link. But every once in a while, I'd have a breakthrough game that kept me interested in the game and my hopes held high. Looking back years later, I'm convinced that my brothers and the other kids on my block conspired to let me score the winning basket or steal second base. And if a recent interview with a US government hacker is even remotely accurate, apparently the same is being done to IT security engineers.
InfoWorld recently published an interview with an anonymous employee of the US armed services. His current role within the government is to hack into targeted computers of other countries. For those of us paying attention to IT security, this person's occupation should come as no surprise. But what is surprising is the contractor's claim that the US government sits on a huge stockpile of next-generation hacking tools and zero-day exploits: tens of thousands of exploits for every operating system and application you can think of. One quote in the article that really caught my attention was this: "In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface."
This claim gave me the same feeling I got when I realized that I really didn't score the game-winning run back in the day. Instead, others around me simply allowed me to have that impression so I wouldn't quit.
If it's true that the US government has access to zero-day exploits and tools to easily bypass our enterprise-class operating systems, firewalls, and intrusion prevention systems, then are we simply being played, pretending we're protecting our networks? And if the US has a limitless inventory of exploits and high-tech hacking tools, then we have to assume that other foreign governments have a similar cache. The same goes for cyber criminal organizations. In the end, what we're doing at an enterprise-class IT security level may only be protecting us from the absolute lowest levels of cyber security threats.
There are likely many of you thinking that the InfoWorld interview is nothing more than a fascinating piece of fiction -- and you could very well be right. After all, if it were so easy to hack into systems to steal sensitive data, the house of cards would quickly fall. But perhaps those in power realize this and severely regulate their tools to be used only when needed. That way, the rest of us IT security professionals would naively play along, keeping busy downloading worthless security patches and updating outdated virus signatures. The reason they want to keep up the charade is that if we ever found out just how insecure the Internet is, we would all take our ball and go home. Game over. It's probably a long shot, but one must consider the thought that we're all simply being played.
So what do you think? Are current methods of enterprise IT security actually worth the time and money, or are we simply being lulled into a false sense of protection by governments and crime organizations that are years ahead of us?