Federalizing cybersecurity?

April 2nd, 2009  |  by jz  |  Published in cybersecurity, Future of the Internet  |  2 Comments

The Washington Post has reported that the U.S. Congress will shortly take up a bill to “empower the government to set and enforce security standards for private industry for the first time.”

Today’s conventional wisdom in cybersecurity circles is that:

  • we’re very much open to attack (defined lots of ways; often people mean: PCs attached to the Internet can be compromised by outsiders and then put to bad uses, turned into spies, or made to self-destruct).  Virtually no one takes cybersecurity as seriously as he or she should, in part because the costs of compromise are not always charged back to the person who should take measures.  (Many people don’t care if their PCs are sending spam in the background, so long as it doesn’t disrupt their Doom game.)
  • “perimeter defense,” the basic idea behind firewalls, doesn’t cut it.  If just one bad bit of code gets past the wall dividing a PC or a network from the rest of the world, it’s all over.  (This makes Senator Rockefeller’s soundbite a bit inapt: “You have to keep making higher walls.”)
  • for the first time, our defense establishment is genuinely not in a position to be able to “defend the homeland.”  That’s because much of the vulnerable infrastructure — PCs — is entirely in private hands and then connected to the world at large.  There’s no place for a fighter jet or Border Patrol agent to intercede.

Given these articles of faith, one can see how tempting it is — indeed, nicely bold — to propose a government official who can mandate certain security standards across the board.  But there are many potential problems with this approach.

First — could they realistically be made to apply to individuals?  What penalty should obtain if I fail to secure my computer?  Perhaps the thought is that operating system and software vendors could be regulated, the way that cars must have seat belts and air bags — precisely to deal with the problem of irresponsible individual drivers.  But that’s dicey: there are many clearly wrong ways to code operating systems, but that doesn’t mean there are obvious right ways to do it.  Many of the vulnerabilities we face come not from hidden exploits that take advantage of some literal bug in the way, say, Windows works, but from our own acquiescence in running new code.  We click “yes” to “are you sure you want to run this?” because we are impatient, and because so many times during the day we’re typically asked to make a snap decision like that.

Second — any standards process would quickly become the purview of security firms with something to sell.  Tens of millions of dollars or more could rise or fall on whether one’s security suite is made the obvious way to satisfy a particular regulatory requirement.  With no scale to determine how much security is enough — especially when risk aversion will vary so much from one firm or computer owner to the next — we run the risk of overregulation.  Too easily security standards will just amount to vendor selection.

So, what should we do?

Well, one fruitful point of dampening security problems is at the ISP level.  Computers that have fallen prey to an active worm or virus can frequently behave in predictable ways — sending out certain traffic patterns, or having vulnerabilities that can be detected at a distance.  ISPs know this, but are reluctant to tell their own subscribers that they have a problem, much less to quarantine them.  To do so means a customer service event — someone has to coach the user through fixing the machine.  But that incentive can be changed.  If ISPs were asked — well, required — to take more reasonable responsibility for zombie computers located on their networks, they could rise to the occasion.

Another underexplored strategy is to build our systems so that they can recover gracefully from problems.  Wikipedia isn’t designed to prevent all vandalism; instead it has technical tools that make it easy to revert a page to the state it was in before someone came along and vandalized it.  If the Wikipedia entry for Britney Spears is resilient to defacement, shouldn’t our valuable spreadsheets be the same way?  Imagine a history file automatically generated so we could see changes as they have happened and revert to an older version.  Then we need only deal with the problem of viruses that try to tamper with a document’s history — something that can be made very difficult to do.  Similarly, researchers like Butler Lampson have proposed PCs with “red” and “green” zones in them.  Stuff in the red zone can’t affect what’s going on in the green.  Trusted software ready for prime time goes in the green zone; experimental or new stuff goes in the red.  If there’s a problem in the red zone, it’s at least confined.  None of these approaches is a cure-all, but they can help a lot.
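One way to picture the tamper-resistant history file described above, as an added example that is not part of the original post: each revision's hash covers the one before it, and the newest hash is kept somewhere the infected machine cannot write. The class, field names and sample revisions are constructed for illustration, and the out-of-reach storage of the head digest is an assumption.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first revision

def entry_hash(prev, seq, author, content):
    # Each hash covers the previous entry's hash, so changing an old
    # revision changes every hash that follows it.
    return hashlib.sha256(json.dumps([prev, seq, author, content]).encode()).hexdigest()

class History:
    def __init__(self):
        self.entries = []

    def commit(self, author, content):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append({"seq": seq, "author": author, "content": content,
                             "prev": prev, "hash": entry_hash(prev, seq, author, content)})
        return self.entries[-1]["hash"]  # head digest: store it out of malware's reach

    def revert(self, seq, author):
        # Wikipedia-style revert: old content becomes a new revision, nothing is erased.
        return self.commit(author, self.entries[seq]["content"])

    def verify(self, trusted_head):
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = entry_hash(prev, i, e["author"], e["content"])
            if e["seq"] != i or e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return prev == trusted_head

def demo():
    h = History()  # constructed sample revisions
    h.commit("alice", "Q1 revenue: 100")
    h.commit("alice", "Q1 revenue: 120")
    h.commit("unknown", "Q1 revenue: 999")      # unwanted change
    trusted = h.revert(1, "alice")              # restore revision 1
    ok_before = h.verify(trusted)
    # Simulated tampering: rewrite revision 1, then recompute the whole chain.
    h.entries[1]["content"] = "Q1 revenue: 1"
    prev = h.entries[0]["hash"]
    for e in h.entries[1:]:
        e["prev"], e["hash"] = prev, entry_hash(prev, e["seq"], e["author"], e["content"])
        prev = e["hash"]
    # The chain is self-consistent again, but its head no longer matches the trusted one.
    return ok_before, h.verify(trusted), h.entries[-1]["content"]
```

The chain alone only makes tampering detectable; the difficulty the post refers to comes from keeping the trusted head digest where code on the compromised machine cannot rewrite it.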

Finally, we can work to build collective solutions, neighborhood watches in cyberspace.  Right now each PC has a metaphorically autistic experience: it surfs from one site to the next with no awareness of what other PCs are doing.  Imagine having a little software on your PC that reports its vital signs to other participating PCs.  Collectively we could generate a map of the health of cyberspace, an early warning system — and a means of answering some very useful questions.  Before running new code, you could say: How many machines in the herd are running it?  How many self-proclaimed experts run it, versus neophytes like me?  Is the code brand new, or has it been around for months or years?  These questions are not beyond the expertise of most PC users, and the answers can help them make much more informed decisions about what code to run.

There’s a lot of work to be done to secure cyberspace — work that goes beyond any one set of regulatory “best practices” that we know won’t be uniformly implemented.

Responses

  1. Bertil Hatt says:

    April 2nd, 2009 at 3:02 pm (#)

    Many important truths in that post — but an important element is missing: most hacks still go through traditional channels (human engineering, physical access). Recent failures (dropping USB keys on NSA parking lot, losing laptops) plead for more central control too.

  2. Seth Finkelstein says:

    April 2nd, 2009 at 11:00 pm (#)

    I find this post a bit confusing, since it lumps so much together as “security” – I kept thinking, but what is it that the bill was talking about in the first place? (in terms of “security standards”) And how does that relate to the items discussed?

About Jonathan Zittrain

Jonathan Zittrain is Professor of Law at Harvard Law School and co-founder of the Berkman Center for Internet and Society at Harvard Law School

Creative Commons BY-NC-SA Jonathan Zittrain unless otherwise noted.