One of the RSS feeds that I read is Reason magazine, which is a web site for libertarians. In general, libertarians want less government intervention both in our personal lives and in the economy. The idea behind libertarians is that today’s Republicans want less government intervention in our economy but are perfectly fine to have them dictate some aspects of morality. Similarly, today’s Democrats want less government intervention in our personal lives but are perfectly fine with creating government bureaucracy to deliver social services. That’s an oversimplified summary, but is more or less correct.
About two months ago I got an article in my RSS feed where Reason was commenting on the government’s response to the cyber war threats. The summary of the article is that the government is using the threat of cyber attacks to increase its power to control, regulate and/or spy on the Internet… and the threat is overblown. I’m going to reproduce the article here and add some comments.
Sensible "Cyber War" Preparation, Or Just More Government Snooping?
Ryan Singel at Wired has a great, detailed article warning us of the growing dangers of the military-security complex and its hyping of "cyber war" to give government more control over monitoring the Internet, and private companies more money helping sell the government the means to do it. Read the whole thing, and here are some choice excerpts:
The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.
McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.
And now McConnell is back in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton. He’s out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.
And now he says we need to re-engineer the internet.
We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds. More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.
Re-read that sentence. He’s talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Agency can pinpoint users and their computers for retaliation if the U.S. government doesn’t like what’s written in an e-mail, what search terms were used, what movies were downloaded….
The NSA dreams of “living in the network,” and that’s what McConnell is calling for in his editorial/advertisement for his company. The NSA lost any credibility it had when it secretly violated American law and its most central tenet: “We don’t spy on Americans.”
Unfortunately, the private sector is ignoring that tenet and is helping the NSA and contractors like Booz Allen Hamilton worm their way into the innards of the net. Security companies make no fuss, since a scared populace and fear-induced federal spending means big bucks in bloated contracts.
So do the libertarians have a point? Is the government proposing this in order to expand its influence and shut down dissenters? Or is Singel unaware of the nature of the threat?
The problem that we have today in cyber security is exactly what McConnell is talking about. Attackers can hide behind anonymity in order to launch DOS attacks, host phishing, send spam, create malware, and so forth. This inherent in the design of the Internet. For example, SMTP is the protocol we use to send email. In its basic form, SMTP does not require authentication and anybody can send as anybody else. For sure, we have built identity technologies like SPF, DKIM and SenderID. However, email receivers still have to support unauthenticated email. And because the cost of email is borne by the receiver and not the sender, there is plenty of incentive for spammers to spam. They can hide behind that anonymity, or fake identity. We can attempt to back trace some spammers but it doesn’t always work. Tracking down a spammer is a non-trivial task and it’s made easier because there is no inherent identity or authenticity.
If we were to start all over again, the designers of the Internet would not design it so that anyone could do anything. The reason that the Internet is open and anonymous (to some degree) is because when it was created, it was only intended to be used by a very small user base. It wasn’t anticipated that it would be launched for widespread use, and it wasn’t foreseen that the types of abuses that we see today would occur. Geeks all trust each other and they don’t always understand that if you give something away for free, spammers will abuse it. If the geeks who built the original Internet would have taken into account all of the ways that the Internet could be abused, they wouldn’t have been so loosey-goosey with it.
Unfortunately, we are now stuck with all of this existing infrastructure. Microsoft has revamped its image since launching its Trustworthy Computing Initiative in 2002. Going forward, newer versions of Microsoft software is more secure than the older one. Unfortunately, there is still plenty of old software out there with security vulnerabilities that Microsoft has to support. This software accounts for the majority of exploits. Over time, it’s being replaced with more secure versions but it takes time.
And so it is for the Internet, but worse. When it went public (or privatized, depending upon how you look at it) in 1995, people built applications. And applications upon those applications. Protocols were developed. And online communication was established. And they built dependencies upon these open protocols that were so easy to exploit. And so, we now have a big problem – reinventing the Internet means having to redo a lot of work that’s already been built. Who wants to redo everything when the current version is already working?
That the Internet is anonymous is not by intentional design, but a byproduct of something that wasn’t originally designed to become as widely used as it is today. There was no Secure Development Lifecyle back then. The Internet then became popular and its “anonymity” became trumpeted as one of its strengths as if this was the intention all along. That’s doubtful that it’s true, but culturally, because freedom of speech is a Western value, that anonymity translated into a core requirement for the ‘net.
It would kind of like if I had a home and one side of it was sinking into the ground so I put a few cinder blocks under the corner to prop it up. It’s there for a utility to serve its purpose and nobody other than me cares about it. But one day, my neighbor decides to build a duplex and uses those same cinderblocks as part of the foundation. This isn’t the optimal purpose but hey, it works. And besides which, we can fix it later. But then a developer builds another duplex, and then an apartment complex. Pretty soon, it becomes very difficult to replace those cinder blocks. My house has a dependency on those cinder blocks and so does everyone else. But by no means is my short term fix intended to be the optimal way of holding up a house. Cheapskate me should have replaced the foundation when I had the chance. Cinder blocks are not a good way to hold up a house.
It’s not a perfect analogy, but the way I see it, the Internet’s inherent insecurity is not the optimal way to go about designing a network.
More in another post.