I am usually a fan of Heritage Foundation products. So it is with regret that I disagree with their argument that “information sharing” will solve the problem of national level threats to cyber security. (http://blog.heritage.org/2012/11/15/cybersecurity-act-of-2012-defeated-but-a-similarly-flawed-executive-order-is-around-the-corner/ ). However, my 15 years of teaching and writing in homeland security convince me they are wrong. Here’s why.
Many people think of a computer like a telephone. You use it to connect to only those you want to talk to. Not so.
Unless you actively intervene, when you connect to the internet, your computer is potentially connected to every other computer in the world. Your friend’s computer, your bank’s computer, the Russian mob’s computer – every one can call you and listen in, whether you know it or not. It is like living in a house without walls. Unless you put up curtains, everyone can see what you are typing, sending, and filing on your computer. And everyone who you contact needs curtains, else the computer at your doctor, your bank, the credit card company, etc. are all subject to having their information (which now includes your information) compromised as well. Unless you all put up walls, outsiders can even hijack your computer to use it as a weapon against others, or they can use someone else’s computer against you – all without your knowledge. In fact, without special protection, every computer connected to the internet – at hospitals, chemical plants, police stations, airports, nuclear power plants – every one is open to attack and hijack. This threatens the entire nation, not just you and your personal computer.
Remember, the internet was designed to let a few trusted military stations communicate during a nuclear war. Security was provided by controlling access to the few computers available, and the few connections that linked them. Now, with a much expanded internet and no security features designed in from the start, security against attack must be added on, like a roof rack and trailer hitch added to a sports car. And that’s not easy, because the whole idea of the internet it to connect quickly and smoothly to many other computers.
So the security measures you apply – that everyone applies -- must be able to recognize quickly innocent computers and “open the door,” while instantly identifying malevolent computers and shutting them out. Meanwhile, this challenge changes constantly – many times a day – as attackers routinely develop new ways to use the doors you must open in the course of normal internet operations.
Meeting this challenge is difficult and expensive, and nobody wants to pay the price in time and money. This is true of individuals, who rarely know exactly what to do to fully protect their computers. It is true of government, where small budgets and long procurement times almost always produce outdated systems with outdated protection schemes. And it is especially true of business, where security is perceived as all cost while creating no new profit.
Now the situation is becoming critical with vulnerabilities mounting to the point that the Secretary of Defense has a warned of a “Cyber Pearl Harbor” which might cripple the nation as a whole.
What to do? How to ensure people and organizations improve their security daily as threats mount?
Some are pressing for government mandated standards, and centralized government power to monitor who is meeting the standards and punish those who don’t. Heritage rejects this as a sole solution, and so do I – plodding traditional government bureaucracies alone just can’t keep up with the changing means of attack.
But Heritage and some others think voluntary “information sharing” will be enough to encourage everybody to protect themselves (and you and the nation in the process). I don’t. Experience is clear– most people, most agencies and most businesses simply will not learn what needs to be done, pay for it, and do it, unless there is some direct reward for being good, or direct penalty for being bad. Voluntary compliance on something so important poses an extraordinary risk.
And so the solution is . . . well . . . some experts say the only solution is to rebuild the internet from scratch, incorporating security from the ground up. Good luck with that.
Before I offer my solution to patrolling the information highway, let’s consider how we reached an acceptable level of security on the real automotive highways we all use every day.
Automobile use began with maximum freedom – design anything you want, go anywhere you want, use any driver you want. No headlights, no safety glass, no car seats for children, no licenses for drivers. Everybody just cooperate and share information on auto safety. Result: mayhem, injury and death – and excessive hazards to ourselves and others.
Eventually, however, we ended up with a system that combined essential government regulation with a reasonable amount of freedom. Today we accept design regulations, speed limits, drivers licenses, safety inspections, etc., but within those rules we drive when and where we want. How did we reach this balance? How did we arrive at a system where my neighbor is allowed a reasonable degree of freedom in using a tool that can threaten my life, and yet we all stay reasonably safe?
Answer: through a system that includes reasonable government regulations, fines and penalties for violating those regulations, and stiff civil judgments against those who ignore the regulations and cause harm to others. Individual freedom balanced by both civil and judicial punishment for those who act irresponsibly.
Perhaps this is not a bad way to think about how we are going to control traffic and irresponsible drivers on the information highway. Not government over control. Not libertarian bumper cars with public safety and security at risk. But a balance of rights and responsibilities, bounded by minimum safety regulations, punishments for violation of those regulations, and civil penalties for damages inflicted on others.
Drivers Ed anyone?