Tue, December 16, 2008 — CIO — Thank goodness I'm not a gossip columnist! Those guys have to deal (sort of) with the world as it is, rather than as it should be. Here, I get to decide what should have been news-worthy (but wasn't) or to rewrite history a little bit based upon the impact of tiny little events that everyone overlooked. Better still, I get to point and say "you should overlook that one!" Without further ado, then, here are some of the important stories from 2008:

Georgian Cyberwar
This was the big non-event that got headlines in '08. Similar to the great Estonian cyberwar of April, the great Georgian cyberwar proved, once again, that cyberwar pundits are shameless. A bunch of DDoS (distributed denial of service) attacks, launched by a non-government-affiliated hacker, were able to seriously degrade government websites. Last time I checked, getting slashdotted could do that, too. Here's a news tidbit for you: it's not a "cyberwar" if it was launched by geeks who live in their parents' basement.

What can we learn from this important experience? This: Denial of service attacks remain a problem, and should be considered if you're running a public website, especially a government. Secondly, if you're hosting a critical service, it's important to understand where your upstream connectivity comes from. Is any of this new news?

Lastly, there is a huge difference between "Nationalist inspired hackers" and agents of a hostile government.

Software Security
Remaining on my list since 1987, software security remains the "good idea that just works" that everyone is going to try only after everything else fails. Use solid design principles to build our next-generation software? What, are you kidding? The computer security world, and the software industry in general, remains stuck in the land of "penetrate and patch." There's an old saying about making silk purses out of sow's ears—here's a hint for the industry: start with silk.

It vastly more expensive to start with something buggy and mediocre that you attempt to patch into goodness than it is to start with something.

Chinese Cyberattacks
In 2008, several federal agencies (mostly notably, the CIA and FBI) rushed to accuse China of sponsoring cyberattacks against U.S. corporate and government assets. What was remarkable about these accusations was the dearth of evidence that went along with them. It's not 2001; if you're going to accuse a sovereign power of launching orchestrated attacks, you're going to need a smoking gun or two along with it. Which brings me to the real questions that we should be asking: "Why are your networks still so darned permeable?" and "What do you mean 'you lost 10 terabytes out through your firewall and only just now noticed? Don't you have logs?"

Did I mention that there is a huge difference between "Nationalist inspired hackers" and agents of a hostile government?