Tag: cybersecurity

“Cyberattack” in Perspective

Two very welcome articles skewer breathless reporting and commentary on the recent cyberattack against U.S. government Web sites, among other things.

In a “Costs of War” column entitled “Chasing Cyberghosts,” intrepid reporter Shaun Waterman turns up the excesses that blew the story out of proportion and easily enticed congressional leaders to overreact.

[M]edia coverage of the attacks almost universally attributed them to North Korea, initially on the basis of anonymous sources in the South Korean intelligence services.

“There’s not a shred of technical evidence it was North Korea,” said [Internet Storm Center director Marcus] Sachs… . [M]any lawmakers, apparently anxious to polish their hawkish credentials, were swift, as Sachs put it, “to pound their fists and demand retaliation.”

The North Koreans “need to be sent a strong message, whether it is a counterattack on cyber, [or] whether it is more international sanctions,” said Republican Rep Peter Hoekstra, a ranking member of the House Intelligence Committee. “The only thing they will understand is some kind of show of force and strength.”

Security guru Bruce Schneier puts it all in perspective:

This is the face of cyberwar: easily preventable attacks that, even when they succeed, only a few people notice. Even this current incident is turning out to be a sloppily modified five-year-old worm that no modern network should still be vulnerable to.

Securing our networks doesn’t require some secret advanced NSA technology. It’s the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks. And while some government and corporate networks do a pretty good job at this, others fail again and again.

I testified on cybersecurity in the House Science Committee late last month. This episode was a perfect illustration of one of my points to the committee: “Threat exaggeration has become boilerplate in the cybersecurity area.”

Waterman’s and Schneier’s pieces are shorter and eminently more readable, so I’ll give them a “read-the-whole-thing.” All three of us participated in Cato’s January conference on counterterrorism strategy.

Some Thinking on “Cyber”

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and – blamo! – I’m a cybersecurity expert.

Not really – but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us – houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way – thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for example, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people – and that’s rather integral to terrorism – by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies – especially to address threats that don’t even have a strategic logic – would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D-WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure – the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity – which is impossible – I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services – and highly knowledgeable thanks to entities like the National Institutes of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability – when products or services fail to serve the purposes for which they’re intended, including security – sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies – co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft – argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it – we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources – that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occasional good, long blog post.

Morozov vs. Cyber-Alarmism

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess. Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/ August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.

I agree.

Exciting! But Not True …

The Center for a New American Security is hosting an event on cybersecurity next week. Some fear-mongering in the text of the invite caught my eye:

[A] cyberattack on the United States’ telecommunications, electrical grid, or banking system could pose as serious a threat to U.S. security as an attack carried out by conventional forces.

As a statement of theoretical extremes, it’s true: The inconvenience and modest harms posed by a successful crack of our communications or data infrastructure would be more serious than an invasion by the Duchy of Grand Fenwick. But as a serious assertion about real threats, an attack by conventional forces (however unlikely) would be entirely more serious than any “cyberattack.”

This is not meant to knock the Center for a New American Security specifically, or their event, but breathless overstatement has become boilerplate in the “cybersecurity” area, and it’s driving the United States toward imbalanced responses that are likely to sacrifice our wealth, progress, and privacy.

… But What Is “Cyber”?

Cyberwar. Cyberdefense. Cyberattack. Cybercommand.

You run across these four words before you finish the first paragraph of this New York Times story (as reposted on msnbc.com). It’s about government plans to secure our technical infrastructure.

When you reach the end of the story, though, you still don’t know what it’s about. But you do get a sense of coming inroads against Americans’ online privacy.

The problem, which the federal government has assumed to tackle, is the nominal insecurity of networks, computers, and data. And the approach the federal government has assumed is the most self-gratifying: “Cyber” is a “strategic national asset.” It’s up to the defense, intelligence, and homeland security bureaucracies to protect it.

But what is “cyber”?

With the Internet and other technologies, we are creating a new communications and commerce “space.” And just like the real spaces we are so accustomed to, there are security issues. Some of the houses have flimsy locks on the front doors. Some of the stores leave merchandise on the loading docks unattended. Some office managers don’t lock the desk drawers that hold personnel files. Some of the streets can be too easily flooded with water. Some of the power lines can be too easily snapped.

These are problems that should be corrected, but we don’t call on the federal government to lock up our homes, merchandise, and personnel files. We don’t call on the federal government to fix roads and power lines (deficit “stimulus” spending aside). The federal government secures its own assets, but that doesn’t make all assets a federal responsibility or a military problem.

As yet, I haven’t seen an explanation of how an opponent of U.S. power would use “cyberattack” to advance any of its aims. If it’s even possible, which I doubt, taking down our banking system for a few days would not “soften up” the country for a military attack. Knocking out the electrical system in one region of the country for a day wouldn’t let Russia take control of the Bering Strait. Shutting down Americans’ access to Google Calendar wouldn’t advance Islamists’ plans for a worldwide Muslim caliphate.

This is why President Obama’s speech on cybersecurity retreated to a contrived threat he called “weapons of mass disruption.” Fearsome inconvenience!

The story quotes one government official as follows:

“How do you understand sovereignty in the cyberdomain?” General Cartwright asked. “It doesn’t tend to pay a lot of attention to geographic boundaries.”

That’s correct. “Cyber” is not a problem that affects our sovereignty or the integrity of our national boundaries. Thus, it’s not a problem for the defense or intelligence establishments to handle.

The benefits of the online world vastly outstrip the risks - sorry Senator Rockefeller. With those benefits come a variety of problems akin to graffiti, house fires, street closures, petit theft, and organized crime. Those are not best handled by centralized bureaucracies, but by the decentralized systems we use to secure the real world: property rights, contract and tort liability, private enterprise, and innovation.

Awesome, Fearsome, Awesome - Or Maybe Silly

This video is making the rounds because Senator Jay Rockefeller (D-WV) muses in it that perhaps the Internet shouldn’t have been invented.

He immediately grants, “That’s a stupid thing to say” - perhaps for political reasons, or perhaps because he recognizes that the Internet makes us much better off despite every risk it carries and security flaw in it.

But he goes on to overstate cybersecurity risks excessively, breathlessly, and self-seriously. Not quite to the point of stupid - maybe we can call it “silly.”

The Department of Defense, he says, is “attacked” three million times a day. Well, yeah, but these “attacks” are mostly repetitious use of the same attack, mounted by “script kiddies” - unsophisticated know-nothings who get copies of others’ attacks and run them just to make trouble. The defense against this is to continually foreclose attacks and genres of attack as they develop, the way the human body develops antibodies to germs and viruses.

It’s important work, and it’s not always easy, but securing against attacks is an ongoing, stable practice in network management and a field of ongoing study in computer science. The attacks may continue to come, but it doesn’t really matter when the immunities and failsafes are in place and continuously being updated.

More important than this kind of threat inflation is the policy premise that the Internet should be treated as critical infrastructure because some important things happen on it.

Of cyber attack, Rockefeller says, “It’s an act … which can shut this country down. Shut down its electricity system, its banking system, shut down really anything we have to offer. It is an awesome problem.”

Umm, not really. Here’s Cato adjunct scholar Tim Lee, commenting on a report about the Estonian cyber attacks last year:

[S]ome mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that’s true, the lesson of the Estonian attacks isn’t that the Internet is “critical infrastructure” on par with electricity and water, but that it’s stupid to build “critical infrastructure” on top of the public Internet. There’s a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea.

Tim has also noted that the Estonia attacks didn’t reach parliament, ministries, banks, and media - just their Web sites. Calm down, everyone.

But in the debate over raising the bridge or lowering the river, Rockefeller is choosing the policy that most enthuses and involves him: Get critical infrastructure onto the Internet and get the government into the cyber security business.

That’s a recipe for disaster. The right answer is to warn the operators of key infrastructure to keep critical functions off the Internet and let markets and tort law hold them responsible should they fail to maintain themselves operational.

I have written elsewhere about maintaining private responsibility for cyber security. My colleague Ben Friedman has written about who owns cyber security and more on the great cyber security freakout.

Who Owns Cybersecurity?

There is a government brawl underway over cybersecurity.

The Department of Homeland Security’s National Cyber Security Center (NCSC) is legally responsible for cybersecurity for nonmilitary parts of the government. It is also supposed to help state and local government and the private sector protect their networks. But Shaun Waterman reports that the guy running that center just quit because the National Security Agency (the wiretapping intelligence agency) was basically running his office and taking over its function.

According to Walter Pincus’ article in today’s Washington Post, Strategic Command (the nuclear weapons command) is in charge of offensive cyber attacks and defending US military networks from cyberattack. But the NSA oversees Stratcom’s cybersecurity activities, somehow or other.

The White House is conducting a 60-day cybersecurity review, which is being led by an official in the office of Admiral Dennis Blair, Director of National Intelligence. Blair wants a bigger role for U.S. intelligence agencies in cybersecurity. Presumably that means the NSA, which employs some of the nation’s leading cryptographers. Meanwhile, Obama is likely to give General Keith Alexander, head of NSA, his fourth star and make him the White House’s cybersecurity coordinator (aka, the cyberczar).

So it sounds like the review may be moot – the decks are stacked for the NSA to take over. The Federal Times, however, reports that Congress may upset those plans. Congressmen on the homeland security committee still want DHS in the lead.

What about private networks? The White House Review will address that too. Alexander has said that the NSA should play a role. But right now, according to most people, it’s DHS’s job. Pincus writes, “Responsibility of protecting civilian networks currently rests with the Department of Homeland Security.”

I would have thought it rests with the network operators. Missing in this debate, from what I can tell, is any attempt to outline what public goods are at play. Clearly, the federal government should defend its own networks. (Whether it should do so through the leadership of an agency recently engaged in vast illegal activity is less clear.) The feds should probably also collect intelligence about cyberattacks, make it available to the public and pursue perpetrators. But providing security to private entities, through technology transfers or consultation, seems akin to providing locks to homeowners. That may be too simple – and the relevant distinction may be whether we are talking about state or non-state threats – but it’s something that the review should consider.

Here’s more on the great cybersecurity freakout.