title: It does not take a village (or a country)

It does not take a village (or a country)

By: Scott Bradner

I mentioned Mike McConnell's Washington Post article (http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493_pf.html ) in my last column. Mr. McConnell wants to reengineer the Internet (and make it dictator-friendly) because the US, he says, is fighting a cyber-war against, he implies, hostile governments. It is far from clear that he understands who the real enemy is in the cyber-war (assuming we are engaged in one).

McConnell's article starts: "the United States is fighting a cyber-war today, and we are losing. It's that simple. As the most wired nation on earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking." I'll leave the assertion that the US is "the most wired nation on earth" aside for now, other than to note that few observers think the US is doing all that well in the wired-nation department. As I write this, the FCC is announcing tomorrow a plan to being the US up to the level of some other nations.

Mr. McConnell talks a lot about building an Internet deterrence ability to hit back if the US infrastructure gets attacked by a state. He does note that not all attacks come from states, some come from "criminal groups or extremists." His solution to fight against the non-state actors- he says that "we preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks" and my making our cyber infrastructure more attack resistant.

Not everyone agrees that the US is engaged in a cyber-war. For example, less than a week after McConnell's Washington Post article was published Howard Schmidt, the new US cybersecurity czar, was quoted in Wired stating that "there is no cyberwar." (http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/) He went on to say "I think that is a terrible metaphor and I think that is a terrible concept." Schmidt does think that there is a cyber threat that must be countered but he does not call it a "war." Note that what goes aground comes around, CNN just announced that Iran arrested 30 people for waging a US funded cyber-war on Iran.

To me, calling the threat a "war" misses the main threat. To date, essentially all cyber attacks where the perpetrators have actually been identified have been the work of small groups of individuals. Eleven people total, including Ukrainian Maksym Yastremski, in 5 countries for the breakins at TJ Max, OfficeMax BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21, and Dave & Busters. Three people in Spain for the Mariposa botnet. Numerous cases of some teenaged kid half way around the world breaking into some corporate or government system. Even cases which looked at first like they were state sponsored have turned out not to be - for example the denial of service attacks on Estonian web sites which looked like they were directed by the Russian government turned out to be the work of a 22 year old Russian hacker acting with a few of his friends. (http://computer.howstuffworks.com/hacker-crash-country-network1.htm)

It is certainly possible, and perhaps likely, that there have been some state sponsored attacks but, at least to date, that has not been shown to be the normal case. Focusing the US effort on state actors and figuring out how to counter attack states leaves us wide open for the common case - some crook or individual actor (maybe in sympathy with some state position). We need to do far more to harden our infrastructure and I do not think that will happen until there are real consequences to corporations that do not do so. In the US today you can expose the SSNs of 100s of thousands of people and not receive any meaningful penalty because the courts have ruled that actual damages have to be shown and proof that a particular breach as at fault first. Thus we have an essentially incentive free zone.

disclaimer: The claim is that their future position in life is incentive enough for students at Harvard, bough not a few find learning new things also an incentive. Thus Harvard is not an incentive-free zone and has no opinion on the role of incentives in data protection so the above is mine.