While the financial industry was teetering on the brink of oblivion, another industry was being born: the cybersecurity complex. By now it is a multibillion-dollar boondoggle, employing shoddy forensic techniques and politicized investigations. But it is highly profitable. The boom has been driven by the grim leaky reality of our digital world. Not a month goes by without some huge corporation or government agency getting hacked, its data splattered across the internet or siphoned off for the exclusive use of scammers, corporate spies, and intelligence agencies.
Cybersecurity firms have stepped up to the challenge. They’ve attracted funding from the biggest and most powerful venture capital houses: Sequoia, Google Capital, and the like. Not surprisingly, the CIA’s in-house VC outfit, In-Q-Tel, has been a leading investor in this space. All these firms position themselves as objective forensic investigators, patiently sifting through the evidence to find the guilty party and then figuring out how to defend against it. They have been involved with diagnosing and attributing big hacks for shamefaced clients like Target, J.P. Morgan, and Sony Pictures. Investors and intelligence agencies sing the praises of the critical services these outfits offer in an online environment teeming with hostile threats.
But in private conversations, as well as little-noticed public discussions, security professionals take a dimmer view of the cybersecurity complex. And the more I’ve looked at the hysteria surrounding Russia’s supposed hacking of our elections, the more I’ve come to see it as a case study of everything wrong and dangerous about the cyber-attribution business.