Monday, September 08, 2008

Caring about cybersecurity or preparing the ground for an I-Patriot Act?

Few months ago in a talk given at the Institution of Engineering and Technology (very cool place) organised here in London by the Society for Computers and Law, Professor Lessig recounted a conversation he had with former US Counter Terrorism Czar Richard Clarke, where Larry asked the question that many had in the US Government managed to conceptualize, design and draft a piece of legislation as vast and complex as the USA PATRIOT Act in such a short period of time (a month and 15 days after 9/11), and the answer was what many people had imagined: that the act was ready in some desk’s drawer at the US Department of Justice from long before, just waiting for the action that would justify its implementation and that the attacks of September 11 gave that justification. Following that, Larry asked whether there was an I-Patriot Act dealing with Internet issues also ready and waiting for an action that justified its implementation and the answer was yes. However, since such an action is unlikely to happen in the way that would create the outrage necessary for people giving up privacy, data protection, 1st and 4th amendment rights, it seems that once in a while there are news created to instil, slowly and by stealth, the same level of fear that would justify the creation of such a law. Today, while scouting through technology news I’ve found a piece that fits exactly that profile.
Most of what the article says is true, but the combination and inferences may represent a “little” of overstretching to create the sensation that the US is in clear and present danger (the test created by the US Supreme Court in Near v Minnesota to justify the suppression of certain 1st Amendment rights)…
The first thing that one needs to take into account when reading/analysing articles like that is that those interviewed and giving their expert opinions have a vested interest in the matter. Some own Internet security companies that would benefit from an expansion in Internet security budgets, others are Internet security researchers who have to compete for research funds or justify those that already have been received. Of course, that doesn’t imply that they are wrong or they have any bad intentions; it should just lead us to ask for the facts that back up their assertions and to not take opinions by their face value (even if they are probably right).
Once that issue has been properly understood, it is necessary to dissect the arguments put forward to separate the wheat from the chaff, since it is true that cyberterrorism can cause havoc in a way that no plane or combination of them can, but it is not true that because something has happened in Georgia the same would happen in the US and, even if it did, it is not true that those are the actions to fear.
The story begins referring to some distributed denial of service attacks and some defacing directed to some Georgia’s government websites, to quickly link that to the US and the catastrophic consequences that such actions would have in the US…well, yes, denial of service attacks (specially distributed denial of service attacks that involve spoofing and/or smurfing) can cause damage and are a huge annoyance, but they can be controlled by a series of measures that, in the case of the US government, are supposed to be already in place (for example, I pay few pounds per month for my hosting and the measures to neutralize/limit the impact of at DdoS are supposed to be already in place in the hosting company). So, not much of Die Hard VI scenario there…but cyberterrorism could be nasty and very. In the mentioned Die Hard IV you can find some solutions to protect the critical national infrastructure from a cyberattack, like having the need of physical presence to modify certain features of power plants and the likes. Here, once again, the solution is regulation and making compulsory that companies dealing with resources deemed to be critical comply with some cyberterrorism protection scheme and that, instead of using resources to see who is downloading whose song, ISPs are put in charge of monitoring the existence of good practices within their users. However, there is no measure that can be effective if those in charge of the operation of the systems are not properly trained. The case of the English hacker mentioned few days ago gave place to some jurisdiction talk, but it was also the child poster of IT ineptitude: according with his original declaration, he entered into NASA and military computers by creating a very simple bot that looked for passwords that had been left blank (yes, a blank, empty password in NASA and the military, which means that you only need to hit enter to be inside)…so, not much hope of having grannies to deal with IT security if those in charge of securing the most powerful country in the planet leave the passwords of their systems blank (the most basic form of security). But this takes us to the grannies…
One of the central issues in Internet security is that the Net will not be secure enough until most, if not all, computers are also secure, which, taking into account that there are many people without the necessary knowledge to keep a system secure, implies that :
1) the computers by default must run safe and secure software
2) the software mustbe properly updated
3) everyone must have proper antivirus software
4) the antivirus must be always up to date
The first issue hits the wall when we realize that most computers in the world run software that is not very secure and that, every time that software developers/producers have been tried to be held responsible for their bad code, courts have ruled that due to the complexity of software it is expected that they would have mistakes and bugs…
The second, third and fourth issues interlink with developments in IP rights, their enforcement and the lack of coherence by many (most) governments in that respect (specially in developed countries and particularly the US). It is no secret that in many countries most computers run on software that has been copied, most times by the vendor, without acquiring the corresponding licence from the software producer. It is also publicly known that in order to counteract that trend, software producers have restricted to almost zero the updates available for those running non-official software, which leave them with the vulnerabilities that those pieces of software have had since they were originally made and that are later been discovered along the use of them. It is from those computers not running properly updated software that most attacks are perpetrated, without the owner being aware of it. So, you would imagine that, in a situation where governments are willing to trample over their own citizens constitutional rights to protect it national security , they would also be willing to interfere with the profits of these very large corporations (which are having profits reaching the obscene anyway) and make sure that the whole planet is running up-to-date and safe software in order to guarantee the safety of its citizens. However, while contending that the security of the nation is so important that 1st and/or 4th amendment rights can be set apart when needed, the US government also keeps pressing for stronger IP protection and enforcement around the world, which allows those same companies that produce faulty/unsafe software to not update it when in presence of a copy not complying with their licences (which have prices representing in some cases a sum representing almost the annual median income of some developing countries' families).
The solution could be found in having a global security standard for software security while having a multi-tiered Intellectual Property regime, where the level of IP protection relates to the level of development of a country and thus allowing updates on non-official software in developing countries , so the cyberterrorists have less, or none, unprotected computers where to prey on. This option could look like too interventionist and could be seeing as proposing that the governments and not the market make decisions about companies profits, but if that is the case, so be it: if when things go wrong the losses of huge corporations have to be paid and shared by the societies through their governments in order to prevent alleged bigger damage, it is only fair that the profits are also decided and shared by the society through their governments, specially if we take into account that we are not talking about preventing some market meltdown (although in my college years' textbook said correction of past excesses) but the security of whole nations…

No comments: