IP: PFIR Statement on Legislating Internet Security

[Dave Farber <farber () cis upenn edu>]

> \\
>
>            PFIR Statement on Legislating Internet Security
>
>               (http://www.pfir.org/statements/02.12.00)
>
>         PFIR - People For Internet Responsibility - http://www.pfir.org
>
>         [ To subscribe or unsubscribe to/from this list, please send the
>           command "subscribe" or "unsubscribe" respectively (without the
>           quotes) in the body of a message to "pfir-request () pfir org". ]
>
>
> 2/12/00
>
> Greetings.  In the wake of the recent flurry of public concern
> over Internet denial of service (DoS) attacks (as discussed in
> http://www.pfir.org/statements/02.09.00), we are already hearing calls that
> Internet sites must somehow be "forced" to upgrade and maintain their
> security, probably through legislative mandates.  Information suggesting that
> otherwise innocent third party systems were hijacked to participate in
> these attacks has contributed to this viewpoint.
>
> Unfortunately, the history and practice of computer security suggest that
> attempting to legislate such security is usually akin to passing laws aimed
> at controlling the weather--we may know what we want, but our ability to
> influence events has severe practical limits!
>
> Unlike other areas (such as privacy policies) where legislation could
> establish rules which most firms and individuals could understand and
> implement without undue complexity or haziness, computer security is a very
> different sort of very complicated beast.
>
> In particular, few computer users, even amongst the most experienced, have a
> complete understanding of all installed security-relevant software on their
> systems--it may not even be clear which software would be involved!
>
> Since the most widely used operating systems and software applications are
> closed-source, the overwhelming majority of users are almost completely
> dependent on their software vendors for virtually all aspects of their
> computing environments, from secure default configurations to ongoing bug
> fixes.  Even with open-source systems such as Linux, an increasing
> percentage of users will not have the experience to personally discover,
> track down, or repair security problems by themselves.  Attempts to remove
> the user "from the loop" by automating software update procedures can
> introduce their own security and system stability risks, capable of
> causing new problems on previously stable systems.
>
> In the current rapidly changing Internet environment, most users are
> embedded in a continual cycle of downloading and installing new upgrades,
> drivers, and other software components on a frequent basis.  Even assuming
> no designed-in security trapdoors (not at all a safe assumption in the real
> world!) the ease with which accidental security flaws may be introduced
> through such downloads is alarming.
>
> Perhaps most at risk are the ever increasing numbers of home and small
> business computer users with full-time high speed Internet connections (via
> cable modems, DSL, or other technologies).  The users of such systems can be
> extremely vulnerable to outside attack, with the potential for untold damage
> to their privacy and systems, and to other parties' systems when computer
> hijacking occurs.  The ease with which such attacks can be developed,
> evolved, and launched is staggering, and protection is difficult to
> assure in the ever-changing software environment on most targeted systems.
>
> The vast array of software from different vendors, which can interact in
> unpredictable manners, guarantees that even with the best of intentions
> security problems are a fact of life, and will continue to be so.  No
> technological or legislative "magic bullets" will be forthcoming that can
> substantively alter this situation.  We need to come to grips with the fact
> that while we can do our darnedest to implement the best security possible,
> we are engaged in a perpetual cat-and-mouse game.  This has profound
> implications both for the Internet itself and for all of the applications,
> however trivial or critical, which we choose to host upon it.
>
> The sooner we begin to meaningfully factor these realities into our
> thinking throughout industry, government, and the consumer world,
> the better for us all!
>
> --Lauren--
> Lauren Weinstein
> lauren () pfir org or lauren () vortex com
> Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
> Moderator, PRIVACY Forum - http://www.vortex.com
> Member, ACM Committee on Computers and Public Policy