
We Fail More—So Put Us in Charge

The Washington Post reports today on an article coming out in Foreign Affairs in which Deputy Defense Secretary William J. Lynn III reveals a successful 2008 intrusion into military computer systems. Malicious code placed on a thumb drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command and propagated itself across a number of domains.

The Post article says that Lynn “puts the Homeland Security Department on notice that although it has the ‘lead’ in protecting the dot.gov and dot.com domains, the Pentagon — which includes the ultra-secret National Security Agency — should support efforts to protect critical industry networks.”

The failure of the military to protect its own systems creates an argument for it to have preeminence in protecting private computer infrastructure? Perhaps the Department of Homeland Security will reveal how badly it has been hacked in order to regain the upper hand in the battle to protect us.

Planning a Cybersecurity Auto-Immune Reaction

A Senate plan to give the president authority to seize control of the Internet in the event of emergency is security malpractice of the highest order. As I told C|Net’s Declan McCullagh, this is a plan for an auto-immune reaction. When something goes wrong with the Internet, the government will attack that infrastructure and make society weaker.

The Internet is the medium over which we communicate and self-organize. It’s where emergency response happens—where individuals learn what is happening, communicate it to others, compare notes with friends and loved ones, and determine appropriate responses. (Our appreciation for “first responders” should not be diminished by noting that they are typically second responders, taking over for private citizens who are almost always first on any scene.)

The Internet is also self-repairing. When weaknesses in it are exposed, that fact is communicated via Internet, and the appropriate fixes and patches are distributed via Internet. Seizing control of the Internet—to the extent the government can do that—would degrade society’s natural response to emergency, and it would undercut the Internet’s ability to self-heal.

This idea—of government authority taking over the Internet for our protection—fundamentally misunderstands the nature of the Internet, the nature of our society, and the type of government the Framers prescribed for us.

Unfounded Government Plans to Take Control of the Internet

Wired News reports on another bill proposing to create government authority to take over the Internet—this time, because of “cyberattacks.”

Most revealing is the part of the report exposing how Senate staff must fish around for reasons why the authority would be exercised, never mind to what effect:

In order for the President to declare such an emergency, there would have to be knowledge both of a massive network flaw — and information that someone was about to leverage that hole to do massive harm. For example, the recent “Aurora” hack to steal source code from Google, Adobe and other companies wouldn’t have qualified, one Senate staffer noted: “It’d have to be Aurora 2, plus the intel that country X is going to take us down using that vulnerability.”

A second staffer suggested that evidence of hackers looking to leverage something like the massive Conficker worm — which infected millions of machines and was seemingly poised in April 2009 to unleash something nefarious — might trigger the bill’s emergency provisions. “You could argue there’s some threat information built in there,” the staffer said.

These scenarios will never happen. And we wouldn’t want the government grabbing control of the Internet if they did.

The idea of government “taking over” the Internet for security purposes is equal parts misconceived and self-defeating. It’s a packet-switched network, meaning that it routes around the equivalent of damage that would be caused by anyone’s attempt to “control” it. The government could certainly degrade the Internet with a well-coordinated attack, of course.

And that’s the way to think about government controlling the Internet in some kind of emergency: It would be an attack on the country’s natural resilience.

In February, CNN broadcast a bogus reality TV show produced by the Bipartisan Policy Center called “cyber.shockwave.” A variety of technically incompetent government officials talked about pulling the plug on the Internet and cell phone networks in response to some emergency. Commentator D33PT00T captured the idiocy of this idea, Tweeting, “ok my phn doesn’t work & Internet doesn’t work – ths guys R planning 2 run arnd w/ bullhorns ‘all is well remain calm!’”

The Internet may have points of weakness, but it is a source of strength overall. A government take-over of the Internet in the event of emergency would be equivalent to an auto-immune reaction in which the government would attack the society. Proposals for the federal government to take control of the Internet under any circumstance are unfounded and dangerous.

Fact-Checking “Cyberwar”

Wired’s Ryan Singel has given a read to Cyberwar, the new cybersecurity book by Richard Clarke and Robert Knake. (I picked out a potential example of actual cyberwarfare in a Glenn Reynolds review of the book last week.)

Singel—a journalist who has been a sophisticated reporter of computer security issues for years now—is not impressed with the book or the reviews it has gotten. In his review, Richard Clarke’s Cyberwar: File Under Fiction, he writes:

So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included — Revelation doesn’t need sources.

It’s brief enough, and refreshing enough. I say read the whole thing.

Sober assessments of computer, network, and data security are far less interesting than the thrillers that would drive Washington policymakers to overreact. This report in Government Computer News, for example, relates the findings of a recent Symantec report on threats to government systems and gives reason to settle down about cyberthreats from China.

China was the top country of origin for attacks against the government sector in 2009, accounting for 14 percent of the total, but too much should not be read into that statistic. The apparent country of origin says little about who actually is behind an attack, said Dean Turner, director of Symantec’s Global Intelligence Network.

China’s ranking is due primarily to the large number of computers in the country, Turner said. Less than a quarter of attacks originating in China were directed at government targets, while more than 48 percent of attacks from Brazil — No. 3 on the hit list — were directed at government. This makes it unlikely that China is specifically targeting government systems.

Compromised computers that are the apparent source of attacks often are controlled from elsewhere, and an attack apparently emanating from China does not necessarily mean that the Chinese government, or even anyone in China, is behind it. Attribution of attacks is notoriously difficult, and statistics do not necessarily indicate that the United States is under cyberattack by China. In fact, the United States ranked second in origin of government attacks in 2009, accounting for 11 percent.

(Symantec is a vendor to governments, so naturally prone to threat inflation itself. GCN reporter William Jackson deserves credit for the sobriety of the story.)

Cybersecurity-related fearmongering could drive unnecessary discord between the United States and China, leading to actual conflict where none is warranted. Singel again:

[A]rtists of exaggeration … seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.

An Actual Example of “Cyberwarfare”

The good thing about this review of the book “Cyber War” by Richard Clarke and Robert Knake is that it actually mentions attacks on computing and communications during warfare.

Messrs. Clarke and Knake are convinced that an Israeli air strike in 2007 against a secret North Korean-designed nuclear facility being constructed in the Syrian desert was a textbook case of cyber-aided warfare. Israeli computers “owned” Syria’s elaborate air defenses, the authors say, “ensuring that the enemy could not even raise its defenses.”

That might actually be “cyberwarfare.”

The rest of the review, and presumably the book, is threat exaggeration and distortion, wrongly characterizing the wide variety of security issues pertaining to computers, communications, and data as having to do with “war.”

Washington Rakes in the Money

The Washington Post launches a new weekly today, Capital Business, covering business in the Washington area. The cover of the first edition is striking:

As the cover line exults, “There’s a wave of government money headed our way – bringing opportunities in health care, green energy, cybersecurity and education.” Of course, it’s not actually “government money” – it’s money taxed or borrowed from those who produce it in the 50 states and then sprinkled liberally around the Washington area, which now contains 6 of the 10 richest counties in America.

If the Capital Business cover image had a few more arms, it would look like the logo for this year’s Cato University, “Confronting Grasping Government”: