Defending the National Strategy to Secure Cyberspace
By Seth Ross
The National Strategy to Secure Cyberspace -- a roadmap for protecting
critical Internet infrastructure -- was released for comment last
September into immediate controversy.
Completed under the supervision of Richard A. Clarke and Howard
A. Schmidt, Chair and Vice Chair respectively of the President's
Critical Infrastructure Protection Board, the 64-page document breaks
out into a series of recommendations for cyberspace security at
each of five levels: home users and small business, large enterprises,
critical sectors, national issues, and global issues. You can find
the document at http://www.whitehouse.gov/pcipb/
The strategy document is formidable. It's stuffed with dozens of
recommendations designed "to empower all Americans to secure
their portions of cyberspace"; the emphasis is on awareness
and training, public-private partnerships, and federal leadership
by example. Clarke
and Schmidt are clearly oriented toward consensus-building and collaboration,
rather than the iron fist of law. I believe this kind of cooperative
approach makes sense, especially given the collaborative development
of the Internet over the past thirty years. Others, however, have
criticized the proposed strategy as "toothless", "sixty
pages of nothing" -- since it does not propose any new laws
or information security regulations.
A good example of the criticism Clarke and Schmidt have received
is delivered by Marcus J. Ranum, a security guru who was responsible
for developing the first commercial firewall. In his article "Federal
Cybersecurity: Get a Backbone", Ranum argues that market forces
will not address the nation's vulnerabilities and that a "Napoleonic"
regime of laws and regulations are needed. See http://www.tisc2002.com/newsletters/414.html
For example, Ranum suggests that a law be put in place that would
"make it illegal to sell a PC that doesn't come with a full-licensed
Antivirus product and personal firewall pre-installed on it."
The idea is that home users are not smart, technical, or motivated
enough to acquire and deploy these kinds of products on their own.
Ranum's example -- mandatory anti-virus and firewall products --
illustrates exactly why the government should NOT try to legislate
good information security. From a naive perspective, it seems like
a good idea. Anti-virus and firewall programs are like the motherhood
and apple pie of information security: who can argue against them?
One counter-argument goes like this: The cybersecurity problem
space has very little do with "virus" or "firewall"
problems. Wouldn't anti-virus and personal firewall systems be obsolete
if commercial operating systems were trustworthy? The anti-virus
and personal firewall market niches, as they exist today, only exist
because of the lack of trustworthiness in current operating systems,
which promiscuously execute malware and promiscuously connect to
the Internet. Perhaps a more suitable target of legislative action
would be the operating system, with strict regulations on the functionality
that OS vendors can include in their products. Alternatively, perhaps
the money that Ranum would have everyone spend on anti-virus and
firewall products would be more effectively spent on intrusion detection,
encryption, access control, biometrics, "real" (vs. personal)
firewalls, redundant DNS servers, etc.
The "problem space" problem aside, let's perform a thought
experiment: Imagine that, poof, every new computer has an anti-virus
program -- let's call it Foo -- and a personal firewall program
-- let's call it Bar -- thus fulfilling Ranum's proposed law. The
first question to ask: Do Foo and Bar work or are they snake oil?
Developing good security products is tough and expensive work. There's
a million ways to go wrong. There's lots of snake oil available
in cyberspace and if Foo and Bar are snake oil, they may fulfill
a regulatory requirement but still not improve cybersecurity.
For the purposes of this thought experiment, let's say Foo and
Bar are well-designed and implemented. Anti-virus and personal firewall
programs have to be configured, maintained, and updated. Given the
assumption that users have to be legally coerced into acquiring
the software in the first place, why would Ranum and the other would-be
regulators think that users would properly configure, maintain,
and update the software? There are few things more dangerous in
infosecurity than a misconfigured firewall.
Assuming that Foo and Bar work, and that, somehow, they are properly
maintained and configured, it's time to switch hats and imagine
you're the bad guy, the cracker, the intruder: Will you give up?
Of course not! You'll do what every attacker has done since the
beginning of civilization: You will route around the counter-measure.
The mandated security programs will be like a pair of thin stakes
driven into the ground, a Maginot Line for computer security. You'll
walk, march, and send armored columns right around them.
Computer security is a game in which the attacker makes the rules.
This is the core reason why threats to computer security cannot
be countered by legal fiat. A law mandating product type a, b, or
c will just send the attackers to items d, e, and f. The slow-moving
legislative system is no match for the fast-changing and polymorphous
frontiers of cyberspace.
To illustrate the point: look at what's happened with the US government's
attempts to enforce even long-standing and well-understood laws
like the Sherman Anti-Trust Act in the context of cyberspace. By
the time the Department of Justice identified Microsoft as a wrongdoer,
the company had already smashed dozens of companies. The wheels
of justice turned so slowly -- with extended debates about the meaning
of words like "is", "browser", "platform",
"bundle", and "market share" -- that the outcome
was moot by the time it was rendered.
Does this mean that there's nothing the government can do about
cybersecurity? Of course not. Read the National Strategy document's
thoughtful, targeted, and non-coercive recommendations. The most
powerful recommendations center on the imperative that the federal
government demonstrate leadership by example in securing its own
critical systems. Other good ideas revolve around improving and
extending product certification schemes like the Common Criteria.
From a conceptual point-of-view, those concerned with cyberspace
security should return to the original design criteria for packet-switching
networks like the Internet: best-effort delivery,
peer-to-peer command and control, redundancy, and survivability.
It's important to keep in mind that Paul Baran's original concept
was a network of networks that could withstand a massive nuclear
attack. While damaging cyberattacks by determined terrorists remain
a possibility, cyberspace is probably far more robust than we realize,
despite -- or maybe because of -- a low-key governmental regulatory
See you next issue. 'Til then, keep your guard up!