Where is the American Firewall?

Why does the U.S. Government Refuse to Protect its Citizens?

I just sat through yet another Department of Homeland Security (DHS) presentation describing all the “resources” they have to offer businesses to protect themselves from cyber threats. Unfortunately, this DHS representative was more on the physical security side (as opposed to cyber) so I missed my chance to ask the man directly…

Why does the U.S. government not have a U.S. firewall for its citizens and businesses? Why does the U.S. government do absolutely nothing to protect the digital assets of its country? Weird isn’t it? Almost inexplicable.

Thus, this article is about something that has perplexed me ever since I started building business applications accessed over the Internet nearly 20 years ago.

The Current U.S. Government Approach: Militias

Let’s start with a simple analogy to the military. The U.S. government does have a military that is responsible for protecting citizens from nefarious nation states who aim to cause harm to its citizens. If China starts bombing somewhere in the U.S., the military will quickly jump into action to stop the bombing and almost definitely retaliate.

So what happens if the “bombs” are malware to either gain potential control of our infrastructure, steal our trade secrets, or otherwise extract something they need from us? Well, then it’s the target’s responsibility. If a company is hacked by a state-sponsored actor in China, it is the company’s fault and the fact the U.S. government did nothing to protect them is somehow just accepted today.

Following the military analogy, this is the same as if the U.S. government said “we’re going to disband our centralized military and instead each individual municipality will need to create their own militia and we can advise them on the best way to do that”. So, if China were to bomb, say Philadelphia, then the militia in the subsection of Philly that was hit is responsible for responding?

This is absolutely insane, no? Why on earth would the U.S government delegate its singularly most important responsibility of protecting citizens to random organizations within the country? Why doesn’t the U.S. government do anything?

How about a U.S. Firewall?

So, given the fact that nearly every other country (whether we like them or not) is buying American-built technology to create their own country-wide firewalls, why don’t we build one for the U.S.? We build a firewall, and anyone from outside the U.S. who wants through it has to register with a Federal agency. Maybe we have partnerships with other countries such as the UK who would be required to adhere to certain vetting requirements and bridge the two firewalls.

Part of the DHS presentation I just watched showed a real-time video of number of cyber attacks per second with their source and destination shown as lines like from the old video game “Missile Command”. You only need to look at one of these to see the obvious — everyone is attacking the U.S. Why? Because we have no government protection, no government retaliation, and security is up to individuals — it’s like the Wild West.

Furthermore, if we are so good at displaying these cool real-time videos of the U.S. being attacked, why can’t we just stop those packets? I appreciate the cool video thank you very much, but it’s not “neat” to me — I’m just thinking, “where the hell is the government?”

The speaker said the one country that “keeps him up at night” is China (not particularly Russia by the way). Among many reasons, they are attacking us so they can:

1. Make sure they can control our infrastructure in the event of a combined military and cyber attack.
2. Steal trade secrets from companies they wish to emulate in companies within China. (See “Made in China 2025”).
3. Support criminal activities as this adds to the knowledge base of the state when it comes to vulnerabilities and threat vectors.

So, since the U.S. government knows this, and you (and they) can easily pull up a Web site to view this activity in graphical real-time, why doesn’t the U.S. government do anything?

What about the “openness”? Ha!

The openness argument is a non-starter. If you want to argue about how the openness of the U.S. Internet has created world peace and harmony I suggest you look at the real-time cyber-attack graphic one more time. The only thing the openness of the U.S. Internet has done is created a worldwide criminality campaign, targeted at our hapless infrastructure. This is what the “open” Internet has gotten us.

Part of today’s presentation predicted that cyber crime will overtake drug crime if it has not already. Why wouldn’t it? You won’t be put in prison for life for attacking someone’s computer system from another country. This is what the “open” Internet has gotten us.

Furthermore, if you’ve ever tried to build a Web site or sell a Web service in China, or, for example, had to adhere to the GDPR guidelines of doing business in the EU, you’d quickly realize that there is no “openness” of the Internet anymore. Whether by regulation (GDPR) or by technology (Great firewall of China), the Internet is already becoming balkanized. It’s just the U.S. that’s too stupid to get in front of the trend and start protecting their citizens.

What it’ll Take

In speaking with colleagues about this, everyone pretty much comes to the same sad conclusion. “It’ll take a 9/11 type cyber event before this’ll happen”. In other words, it’ll take a cyber catastrophe to get the U.S. government to actually start protecting citizens like it should. I’m hopeful that it will not.

What I think it will take is for businesses to demand of government to protect them, exactly the same way as they would from bombs. Businesses are not to blame because a zero-day exploit was released and attacked them from China. The government is to blame because they didn’t stop it coming from a known bad IP address in China. The mindset has got to change to blaming the U.S. government, not its people.

In fact, how about a new law (that is one thing we know government is good at) that states that if any U.S. company is hacked by any company outside the U.S., then that company is not held liable. Can you imagine that? That is how much the mindset has to change. A business that is bombed by China in Philly is not liable, nor should a business that is hacked from China. It’s the U.S. government’s fault for not stopping it.

I hope this generates a lot of comments, I’d really like to hear what is so wrong with the idea of a U.S. firewall. Maybe there’s just too much money in the selling of firewalls to individual organizations, like selling guns to militias. What would happen to all the firewall vendors if there was the Great American Firewall? Maybe that’s why the U.S. government doesn’t do anything.