Tag: cyber security

Planning a Cybersecurity Auto-Immune Reaction

A Senate plan to give the president authority to seize control of the Internet in the event of emergency is security malpractice of the highest order. As I told C|Net’s Declan McCullagh, this is a plan for an auto-immune reaction. When something goes wrong with the Internet, the government will attack that infrastructure and make society weaker.

The Internet is the medium over which we communicate and self-organize. It’s where emergency response happens—where individuals learn what is happening, communicate it to others, compare notes with friends and loved ones, and determine appropriate responses. (Our appreciation for “first responders” should not be diminshed by noting that they are typically second responders, taking over for private citizens who are almost always first on any scene.)

The Internet is also self-repairing. When weaknesses in it are exposed, that fact is communicated via Internet, and the appropriate fixes and patches are distributed via Internet. Seizing control of the Internet—to the extent the government can do that—would degrade society’s natural response to emergency, and it would undercut the Internet’s ability to self-heal.

This idea—of government authority taking over the Internet for our protection—fundamentally misunderstands the nature of the Internet, the nature of our society, and the type of government the Framers prescribed for us.

House to Get its Own House in Order

The headline strikes fear: “House Takes Steps to Boost Cybersecurity,” says the Washington Post.

What boondoggle are they embarking on now?

Cybersecurity is hundreds of different problems that should be handled by thousands of different actors. The federal government is in no position to “fix” cybersecurity, as I testified in the House Science Committee earlier this year.

But this is a good news story. Realizing that its own cybersecurity practices are not up to snuff, the House of Representatives will be ramping up training for its staff.

Better awareness of the ins and outs of securing computers, data, and networks will disincline Congress to undertake a rash, sweeping “overhaul” of the systems and incentives that produce and advance cybersecurity.

This “Cyberwar” Is a Cybersnooze

The AP and other sources have been reporting on a “cyberattack” affecting South Korea and U.S. government Web sites, including the White House, Secret Service and Treasury Department.

Allegedly mounted by North Korea, this attack puts various “cyber” threats in perspective. Most Americans will probably not know about it, and the ones who do will learn of it by reading about it. Only a tiny percentage of people will notice the absence of the Web sites attacked. (An update to the story linked above notes that several agencies and entities “blunted” the attacks, as well-run Web sites will do.)

This is the face of “cyberwar,” which has little strategic value and little capacity to do real damage. This episode also underscores the fact that “cyberterrorism” cannot exist – because this kind of attack isn’t terrifying.

As I said in my recent testimony before the House Science Committee, it is important to secure web sites, data, and networks against all threats, but this can be done and is being done methodically and successfully – if imperfectly – by the distributed owners and controllers of all our nation’s “cyber” assets. Hyping threats like “cyberwar” and “cyberterror” is not helpful.

Morozov vs. Cyber-Alarmism

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess.  Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/ August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

I agree.

Cyber Security “Facts”

National Journal’s “Expert Blog” on National Security asked me late last week to comment on the question, “How Can Cyberspace Be Defended?” My comment and others went up yesterday.

My response was a fun jaunt through issues on which there are no experts. But the highlight is the response I drew out of Michael Jackson, the former #2 man at the Department of Homeland Security.

It does little to promote serious discourse about the truly grave topic of cyber security threats to begin by ridiculing DHS and DOD as “grasping for power” or to suggest that President Obama has somehow been duped into basing his sensible cyber strategy on “a lame and corny threat model called ‘weapons of mass disruption.’” It shows ignorance of the facts to deny that cyber vulnerabilities do indeed present the possibility of “paralyzing results.”

Jackson neglects to link to a source proving the factual existence of “paralyzing” threats to the Internet – he’d have to defeat the Internet’s basic resilient design to do it. (Or he has collapsed the Internet, the specific way of networking I was talking about, with “cyber” – a meaningless referent to everything.) But the need for tight argument or proof is almost always forgiven in homeland security and cyber security, where the Washington, D.C. echo-chamber relentlessly conjures problems that only an elite bureaucracy can solve.

In another comment – not taking umbrage at mine, but culturally similar to Jackson’s – Ron Marks, Senior Vice President for Government Relations at Oxford-Analytica, says, “Cyberterrorism is here to stay and will grow bigger.” The same can be said of the bogeyman, but the bogeyman isn’t real either.

(To all interlocutors: Claiming secrecy will be taken as confessing you have no evidence.)

Jackson’s close is the tour de force though: “Good people are working hard on these matters, and they deserve our unwavering financial and personal support. For now and for the long-term.”

A permanent tap on America’s wallets, and respect on command? Sounds like “grasping for power” to me.

Awesome, Fearsome, Awesome - Or Maybe Silly

This video is making the rounds because Senator Jay Rockefeller (D-WV) muses in it that perhaps the Internet shouldn’t have been invented.

He immediately grants, “That’s a stupid thing to say” - perhaps for political reasons, or perhaps because he recognizes that the Internet makes us much better off despite every risk it carries and security flaw in it.

But he goes on to overstate cybersecurity risks excessively, breathlessly, and self-seriously. Not quite to the point of stupid - maybe we can call it “silly.”

The Department of Defense, he says, is “attacked” three million times a day. Well, yeah, but these “attacks” are mostly repetitious use of the same attack, mounted by “script kiddies” - unsophisticated know-nothings who get copies of others’ attacks and run them just to make trouble. The defense against this is to continually foreclose attacks and genres of attack as they develop, the way the human body develops antibodies to germs and viruses.

It’s important work, and it’s not always easy, but securing against attacks is an ongoing, stable practice in network management and a field of ongoing study in computer science. The attacks may continue to come, but it doesn’t really matter when the immunities and failsafes are in place and continuously being updated.

More important than this kind of threat inflation is the policy premise that the Internet should be treated as critical infrastructure because some important things happen on it.

Of cyber attack, Rockefeller says, “It’s an act … which can shut this country down. Shut down its electricity system, its banking system, shut down really anything we have to offer. It is an awesome problem.”

Umm, not really. Here’s Cato adjunct scholar Tim Lee, commenting on a report about the Estonian cyber attacks last year:

[S]ome mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that’s true, the lesson of the Estonian attacks isn’t that the Internet is “critical infrastructure” on par with electricity and water, but that it’s stupid to build “critical infrastructure” on top of the public Internet. There’s a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea.

Tim has also noted that the Estonia attacks didn’t reach parliament, ministries, banks, and media - just their Web sites. Calm down, everyone.

But in the debate over raising the bridge or lowering the river, Rockefeller is choosing the policy that most enthuses and involves him: Get critical infrastructure onto the Internet and get the government into the cyber security business.

That’s a recipe for disaster. The right answer is to warn the operators of key infrastructure to keep critical functions off the Internet and let markets and tort law hold them responsible should they fail to maintain themselves operational.

I have written elsewhere about maintaining private responsibility for cyber security. My colleague Ben Friedman has written about who owns cyber security and more on the great cyber security freakout.

A Federal Takeover of Cyber Security?

One hopes not. But the White House’s 60-day review of cyber security, ongoing now, could set the stage for it.

In a TechKnowledge piece out today, I argue against federal responsibility for private cyber security. A common law liability regime is the best route to discovering and patching security flaws in all the implements of our information economy and society.

The smarties at the Center for Information Technology Policy at Princeton recently sat down to discuss these issues too.