This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2010/031710bradner.html

It does not take a village -- or a country

'Net Insider By Scott Bradner, Network World
March 17, 2010 11:30 AM ET

Agency Director Mike McConnell wants to re-engineer the Internet (and make it dictator-friendly) because the United States is fighting a cyberwar against hostile governments, or so he implies.

It is far from clear that he understands who the real enemy is in the cyberwar, assuming we are engaged in one.

McConnell writes in a recent Washington Post article that: "The United States is fighting a cyber-war today, and we are losing. It's that simple. As the most wired nation on earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking."

I'll leave the assertion that the United States is "the most wired nation on earth" aside for now, other than to note that few observers think the country is doing all that well in the wired-nation department. As I write this, the FCC is announcing a plan to bring the United States up to the level of some other nations.

McConnell talks a lot about building an Internet deterrence ability to hit back if the U.S. infrastructure is attacked by a state. He does note that not all attacks come from states, some come from "criminal groups or extremists." His solution to fight against the non-state actors is to "pre-empt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks" and by making our cyber infrastructure more attack resistant.

Not everyone agrees that the United States is engaged in a cyberwar. For example, less than a week after McConnell's Washington Post article was published, Howard Schmidt, the new U.S. cybersecurity czar, was quoted in Wired stating that "there is no cyberwar."

He went on to say: "I think that is a terrible metaphor and I think that is a terrible concept." Schmidt does think that there is a cyber threat that must be countered, but he does not call it a "war." Note that what goes aground comes around: CNN just reported that Iran arrested 30 people for waging a U.S.-funded cyberwar on Iran.

To me, calling the threat a "war" misses the main threat. To date, essentially all cyberattacks where the perpetrators have been identified have been the work of small groups of individuals. Eleven people, including Ukrainian Maksym Yastremski, in five countries were pegged for break-ins at TJ Maxx, OfficeMax BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21 and Dave & Busters. Three people in Spain were responsible for the Mariposa botnet. There are numerous cases of some teenager halfway around the world breaking into a corporate or government system. Even cases that looked at first like they were state-sponsored have turned out not to be -- for example, the denial-of-service attacks on Estonian Web sites that looked like they were directed by the Russian government turned out to be the work of a 22-year-old Russian hacker acting with a few of his friends.

It is certainly possible that there have been some state-sponsored attacks but, at least to date, that has not been shown to be the typical case. Focusing the U.S. effort on state actors and figuring out how to counterattack states leaves us wide open for the common case -- some crook or individual actor, maybe in sympathy with some state position.

We need to do far more to harden our infrastructure and I do not think that will happen until there are real consequences to corporations that do not do so. In the United States today you can expose the Social Security numbers of hundreds of thousands of people and not receive any meaningful penalty because the courts have ruled that actual damages have to be shown and proof that a particular breach was at fault first. Thus we have an essentially incentive-free zone.

Disclaimer: The claim is that their future position in life is incentive enough for students at Harvard, though not a few find learning new things also an incentive. Thus Harvard is not an incentive-free zone and has no opinion on the role of incentives in data protection, so the above is mine.