Any football fan can tell you that offense makes the highlight reel, but defense wins championships.

The U.S. has been engaging in a global cyberwar for roughly a decade now, attacking Iran's nuclear program and North Korea's missile program.

But what do our cyber defenses look like? You might be shocked.



“About 75 percent of the devices that are control systems are on Windows XP or other nonsupported operating systems,” said Daryl Haegley, program manager for the Office of the Assistant Secretary of Defense for Energy, Installations and Environment.

Haegley, speaking Thursday at an event hosted by OSIsoft, said the assessment was based on visits to 15 military sites. Microsoft stopped providing support for Windows XP in 2014. Haegley, however, said some of the systems that run DOD facilities are far older.

“A lot of these systems are still Windows 95 or 98, and that’s OK—if they’re not connected to the internet,” Haegley added.

Uh, no. It's not OK. It's not OK at all.

We are breaking things and picking fights with the world, but lack a clue for how to defend ourselves from a counterpunch.



Currently, the US offensive capability in cyber is one of the best in the world, but our defenses are sorely lacking due to a misunderstanding of what true cybersecurity is. We have been building cyber weapons but have essentially ignored cyber defense outside of the military.

Let me give you an idea of the immense scale of the problem we face.



The latest surveys show that small businesses need all the help they can get. In the last 12 months, hackers have breached half of all small businesses in the United States, according to the 2016 State of SMB Cybersecurity Report.

Half of all small businesses.

That's 14 million small businesses that got attacked last year.

1 in 3 small businesses don't have things like firewalls, antivirus software, spam filters or data-encryption tools.

Ransomware attacks, which can cripple a small business, increased 50% over last year.

Of the hacks themselves, 73% are financially motivated.

So what does that mean to you?

It means your W-2 is selling online for less than $8.



One vendor noted on his sale of W-2s that it “comes with 2015 data to fully complete the return.” The IRS requires the prior year’s adjusted gross income (AGI) on a return, so that costs a would-be scammer extra. One vendor IBM found was selling W-2 and 1040 returns as a package for $30 worth of bitcoin; if someone wanted AGI information, that was $20 more. Another cybercriminal had a bulk offer that promised data that was “fresh” for the 2016 season, and included W-2 data, date of birth, and the AGI figure. That was $50 in bitcoin per record.

An individual’s tax data is far more valuable than their credit card data. Stolen credit card data might sell for $1 or be given away to establish credibility on the Dark Web, said Limor Kessem, executive security adviser of IBM Security.

I bet you thought your credit card info was worth more than a buck.

The volume of stolen information online is so enormous ($450 billion across 2 billion records) that it's pushing the price down to dirt cheap.



We are losing the war against criminal hackers who just want our money. Even squirrels are beating us.

What will happen if full-time, paid professionals of nation states want to do us harm?

I doubt we want to know the answer.