Dr. Evil’s Milk Run

Following is a guest post from my friend Eliot Peper. I met Eliot several years ago when he approached me about his first book. I loved his writing and FG Press went on to publish Eliot’s first two books – Uncommon Stock: Version 1.0 and Uncommon Stock: Power Play.

Eliot’s third book, Uncommon Stock: Exit Strategy came out recently and the topic is particularly timely. Enjoy some deeper thoughts of his on why. Oh – and grab Eliot’s books – they are awesome.

Our institutions are failing to protect us. In fact, they’re not even trying. That wasn’t what I set out to discover when I started drafting my first novel. I just wanted to write a page-turner about tech startups with enough real grit to make readers think (true fans may remember that I noted my original inspiration right here in a previous guest post). To research the book, I interviewed federal special agents, financial service executives, money laundering investigators, cybersecurity experts, investors, and technologists in order to deepen the story’s verisimilitude.

The novel turned into a trilogy and along the way I discovered how fact can be far more disturbing than fiction (a point of frustration for novelists). Every day, our government officials, bankers, and corporate leaders are betraying our trust through shortsightedness and technical ignorance.

The now-infamous breach of The Office of Personnel Management by state-sponsored Chinese hackers shocked the nation. Detailed background files on more than twenty-two million Americans were stolen. The pilfered data included medical history, social security numbers, and sensitive personal information on senior officials within The Department of Defense, The Federal Bureau of Investigation, and even The Central Intelligence Agency. The national security implications are staggering.

The emperor may have no clothes but he doesn’t stand alone. Every year, hundreds of millions of dollars are spirited away from major financial institutions. The United Nations estimates that organized crime brings in $2 trillion a year in profits and the black market makes up 15–20% of global GDP.

How do cartel bosses, arms dealers, and human traffickers stash their cash? By working with corrupt insiders, exploiting legal loopholes, lobbying crooked politicians, and taking advantage of the same kinds of technical weaknesses that made the OPM hack possible. They are only able to get away with it because banks and regulators turn a blind eye or, more often, don’t even know when it’s happening.

Large organizations like government agencies and international financial institutions started incorporating software into their operations decades ago. Ever since, they have consistently chosen to pile new updates on top of old code rather than rebuild systems from the ground up. Why? In the short run, it’s cheaper and easier to address the symptom instead of the cause. Now, that shortsightedness is catching up with them.

All of this is just what we know about already. It takes a median of 229 days for data breaches to even be discovered. That’s a long time for criminals to be inside our systems, building new backdoors for future exploitation. Worse, institutions are loath to report breaches even when they are uncovered for fear that our trust in them will degrade even further.

The software powering the digital infrastructure of our institutions is a mess of half-measures, lost source code, and mind-boggling integrations. It’s like a vault built out of Swiss cheese, a house resting on a matchstick foundation, or the plot of a telenovela. You can choose your own metaphor, but every hole is a VIP ticket for society’s antagonists.

And that’s not all. In a study released earlier this month, The Government Accounting Office found that many federal examiners in charge of bank information security audits have little or no IT training. They also discovered that regulators are not even doing comparative analysis on system-wide deficiencies, limiting their scope to individual banks. Worse, the National Credit Union Administration lacks the authority to examine third-party service providers to credit unions, leaving large segments of their systems beyond the jurisdiction of examiners. It’s painfully ironic that at a time when the NSA terrifies us with its digital omnipotence, so many government agencies can’t get their act together for legitimate enforcement. Our watchdogs are asleep on their feet.

Whether their endgames are espionage or financial malfeasance, we’re making it too damn easy for bad guys to do their dirty work. I was only trying to make my books feel real but now reality is forcing me to suspend disbelief. It makes for great plot twists, but verisimilitude isn’t worth this level of vulnerability.

These are big problems. Big problems always represent big opportunities for creative founders. Mattermark just released their first report on the hottest cybersecurity startups. But we need fixes that are even more fundamental than security. We must rebuild the technical infrastructure and human governance systems that shape our institutions. That change might come from an extraordinarily dedicated internal leader or it might emerge from a garage in Boulder.

We need hackers, makers, artists, and independent thinkers. We need to play smarter and think long-term. We need to call our leaders to action. We need to educate ourselves and build a future in which we can thrive, not fight to survive.