Defending the National Strategy to Secure Cyberspace
By Seth Ross
The National Strategy to Secure Cyberspace -- a roadmap for protecting critical Internet infrastructure -- was released for comment last September into immediate controversy. Completed under the supervision of Richard A. Clarke and Howard A. Schmidt, Chair and Vice Chair respectively of the President's Critical Infrastructure Protection Board, the 64-page document breaks out into a series of recommendations for cyberspace security at each of five levels: home users and small business, large enterprises, critical sectors, national issues, and global issues. You can find the document at http://www.whitehouse.gov/pcipb/
The strategy document is formidable. It's stuffed with dozens of recommendations designed "to empower all Americans to secure their portions of cyberspace"; the emphasis is on awareness and training, public-private partnerships, and federal leadership by example. Clarke and Schmidt are clearly oriented toward consensus-building and collaboration, rather than the iron fist of law. I believe this kind of cooperative approach makes sense, especially given the collaborative development of the Internet over the past thirty years. Others, however, have criticized the proposed strategy as "toothless", "sixty pages of nothing" -- since it does not propose any new laws or information security regulations.
A good example of the criticism Clarke and Schmidt have received is delivered by Marcus J. Ranum, a security guru who was responsible for developing the first commercial firewall. In his article "Federal Cybersecurity: Get a Backbone", Ranum argues that market forces will not address the nation's vulnerabilities and that a "Napoleonic" regime of laws and regulations is needed. See http://www.tisc2002.com/newsletters/414.html
For example, Ranum suggests that a law be put in place that would "make it illegal to sell a PC that doesn't come with a full-licensed Antivirus product and personal firewall pre-installed on it." The idea is that home users are not smart, technical, or motivated enough to acquire and deploy these kinds of products on their own.
Ranum's example -- mandatory anti-virus and firewall products -- illustrates exactly why the government should NOT try to legislate good information security. From a naive perspective, it seems like a good idea. Anti-virus and firewall programs are like the motherhood and apple pie of information security: who can argue against them?
One counter-argument goes like this: The cybersecurity problem space has very little to do with "virus" or "firewall" problems. Wouldn't anti-virus and personal firewall systems be obsolete if commercial operating systems were trustworthy? The anti-virus and personal firewall market niches, as they exist today, only exist because of the lack of trustworthiness in current operating systems, which promiscuously execute malware and promiscuously connect to the Internet. Perhaps a more suitable target of legislative action would be the operating system, with strict regulations on the functionality that OS vendors can include in their products. Alternatively, perhaps the money that Ranum would have everyone spend on anti-virus and firewall products would be more effectively spent on intrusion detection, encryption, access control, biometrics, "real" (vs. personal) firewalls, redundant DNS servers, etc.
The "problem space" problem aside, let's perform a thought experiment: Imagine that, poof, every new computer has an anti-virus program -- let's call it Foo -- and a personal firewall program -- let's call it Bar -- thus fulfilling Ranum's proposed law. The first question to ask: Do Foo and Bar work, or are they snake oil? Developing good security products is tough and expensive work. There are a million ways to go wrong. There's lots of snake oil available in cyberspace, and if Foo and Bar are snake oil, they may fulfill a regulatory requirement but still not improve cybersecurity.
For the purposes of this thought experiment, let's say Foo and Bar are well-designed and implemented. Anti-virus and personal firewall programs have to be configured, maintained, and updated. Given the assumption that users have to be legally coerced into acquiring the software in the first place, why would Ranum and the other would-be regulators think that users would properly configure, maintain, and update the software? There are few things more dangerous in infosecurity than a misconfigured firewall.
Assuming that Foo and Bar work, and that, somehow, they are properly maintained and configured, it's time to switch hats and imagine you're the bad guy, the cracker, the intruder: Will you give up? Of course not! You'll do what every attacker has done since the beginning of civilization: You will route around the counter-measure. The mandated security programs will be like a pair of thin stakes driven into the ground, a Maginot Line for computer security. You'll walk, march, and send armored columns right around them.
Computer security is a game in which the attacker makes the rules. This is the core reason why threats to computer security cannot be countered by legal fiat. A law mandating product type a, b, or c will just send the attackers to items d, e, and f. The slow-moving legislative system is no match for the fast-changing and polymorphous frontiers of cyberspace.
To illustrate the point: look at what's happened with the US government's attempts to enforce even long-standing and well-understood laws like the Sherman Anti-Trust Act in the context of cyberspace. By the time the Department of Justice identified Microsoft as a wrongdoer, the company had already smashed dozens of companies. The wheels of justice turned so slowly -- with extended debates about the meaning of words like "is", "browser", "platform", "bundle", and "market share" -- that the outcome was moot by the time it was rendered.
Does this mean that there's nothing the government can do about cybersecurity? Of course not. Read the National Strategy document's thoughtful, targeted, and non-coercive recommendations. The most powerful recommendations center on the imperative that the federal government demonstrate leadership by example in securing its own critical systems. Other good ideas revolve around improving and extending product certification schemes like the Common Criteria.
From a conceptual point of view, those concerned with cyberspace security should return to the original design criteria for packet-switching networks like the Internet: best-effort delivery, peer-to-peer command and control, redundancy, and survivability. It's important to keep in mind that Paul Baran's original concept was a network of networks that could withstand a massive nuclear attack. While damaging cyberattacks by determined terrorists remain a possibility, cyberspace is probably far more robust than we realize, despite -- or maybe because of -- a low-key governmental regulatory regime.
See you next issue. 'Til then, keep your guard up!