Interesting People mailing list archives

Long Discussion Re: WH Cyberspace Security Review


From: David Farber <dave () farber net>
Date: Fri, 29 May 2009 18:07:25 -0400



Begin forwarded message:

From: David Richardson <dsrich () ieee org>
Date: May 29, 2009 4:46:28 PM EDT
To: dave () farber net
Subject: Long Discussion Re: WH Cyberspace Security Review

David Farber wrote:


WH Cyberspace Security Review:

Assuring a Trusted and Resilient Information and Communications Infrastructure

Dave:

(for IP if you wish)

While I appreciate the educational aims discussed in this paper, I can only wonder that most of the points and goals listed are in fact only cheerleading; until the *users* - individual and corporate - of the computers are educated about and responsible for what damage their computers and policies (or lack of) do, the only pressure that the Internet users of this world will feel to improve will be legal, and those that write the laws are completely at the beck and call of those who could not survive the advent of real, enforceable information security requirements - see your previous posts RE: Banker's Paradise - information security requirements would force the banking industry to spend large amounts of money to clean up its collective act.

Keeping sensitive systems from being connected to the Internet is one obvious issue. As an example, the TVA power generation and distribution network is run by Windows-based computers. Were those computers ever infected with one of the many malicious programs or viruses or even temporarily connected to the Internet, there would be no guarantee that a good portion of the United States would have lights tomorrow. This means that the users of those systems must practice proper information hygiene - don't plug your personal flash drive into a work computer, and don't hook a critical system up to the Internet as obvious examples; these two basic violations happen all of the time in many places. I single out the TVA because they do not even attempt to hide the nature of their systems, not because they have any known history of failures of this type.

Another issue that must be settled is ownership of information. If the bank "owns" the personal information that I am legally required to give them to establish an account, then I as an individual am helpless in the face of the bank's business interests, and my identity is the bank's to do with as it wishes. Allowing information holders - those who hold information as part of their business - to leak or improperly sell information without having strong penalties - whether legal, market driven or both - for doing so just guarantees that those organizations will sell as much as possible, and do nothing to prevent those other leaks; this all guarantees that individuals will have no security one way or the other. So far the only penalties that these organizations face is the vanishingly small cost of damage control when they get caught.

Because of this, the organizations who have personal information must be capable of protecting that information, and they must be responsible for any "leakage" with suitably severe penalties in place for failure to do so. Since some of the worst offenders are various governmental organizations, this means that the government must look inwards and instill information discipline on itself in its many guises - the Hydra must educate all of its "heads." Likewise, the commercial interests who make their livings as information brokers - the credit bureaus are a prime example, here - must be forced to clean up their collective act.

Penalties on the order of "going to jail" on the individual level and "closing the business and taking all of its assets to pay for the damage" at the business level are going to have to be enforced before the information brokers will start to pay attention. Something like *immediate* reimbursements on the order of $100K per record leaked to be paid to the proper owners of the leaked information (and no appeal until after the affected parties are paid to prevent the reimbursement being tied up in a legal circus) - penalties with real teeth, and imposed on both commercial and governmental entities. If this sounds draconian, ask someone who has had to recover from identity theft what it cost them to do so, and include the value of the time and effort they had to put into the recovery. If the group having to pay the penalty can show that it was due to insecure software, then it is up to them to recover damages; this nonsense that a restrictive EULA can protect the software 'manufacturers' from liability has to vanish like the complete chimera that it is.

One problem unique to the Internet is the phenomenon of the 'botnet' - a large group of computers operating at the behest of a malicious person or group, unbeknownst to their owners. The argument has been frequently made that the many individual systems on the Internet that make up the 'botnets' are neither aware of their systems' activities nor capable of preventing those activities. This is in large part sadly true, and a problem on the same order as that created by passing multiple loaded fully automatic weapons around a nursery school classroom. Both cause large messes. If the person responsible for the system that is creating the damage is held responsible, then in the long run the damage will be minimized. For example, Microsoft has argued that the marketplace 'wants' the features in their systems that end up being such drastic security holes, but in almost all cases those features would be thoroughly UNwanted if the individual was responsible for the damage they cause.

If Granny's computer joins a botnet and participates in a DDOS attack, then Granny needs to be held responsible, regardless of the emotional appeal of the 'Granny' concept. If Microsoft was held responsible for all of their security holes, they might actually test their software and document that testing, and probably work out a whole new way to test software in the process. I would be willing to bet that patches would come out more than once a month, too, and would not be optional. If those patches break other applications, that is another liability problem they would have. Of course Microsoft (and Apple) don't want this responsibility, but the damage is being done, and unless they are held responsible for their quality, it won't change.

Granny needs the education, too, and if her computer were one of a hundred thousand (say) that participated in the DDOS attack that caused $10 million damage, then the $100 penalty she would have to pay as her portion of the damage would make a good wakeup call, or else she should not be using the Internet. Likewise, charging every computer user $0.01 per spam that gets sent from their machine would fix a great deal of that problem, and I am not talking about 'Internet postage', but provable botnet malware infections - a technically feasible approach.

This approach would end the botnet scourge quickly, but it would put Microsoft out of business - their customers would disappear almost instantly. Ending the Windows OS monoculture would be extremely beneficial to the overall health of the Internet, as well, because it would be much harder to build a botnet on multiple malware strains directed against multiple OSes, and such a botnet would be easier to diagnose and eradicate. Microsoft is not the problem, but their monopoly on the computer OS and application market is. Their lobbying efforts, along with the medical industry's, the banking industry's, the credit industry's, etc. etc. etc. ad nauseam probably completely doom this or any other reality-based approach, but that political calculation does not change the face of the reality.

Requirements like traceability - recording who has access to what information - and individual control of personal information - giving control to the people who will be affected by the transaction of when the information holder can sell what information - are the next phase in this transformation, but until the responsibility for that information's security becomes clearly delineated, these steps cannot happen. At the current pace of change, I cannot see this happening - ever - and yet it is what MUST happen.

Please note that very little of this has been 'about' the Internet. When I was a system administrator, the Internet as we know it today did not exist, but the problems that are currently being discussed and complained about did, just on a different order of magnitude. The Internet is not the real problem, it has just exacerbated a whole host of other problems, and any attempt to 'fix' the Internet is ignoring the true problems of information security in our society at all levels. Monopolies and their business practices have long been problems. These problems have surfaced in the collective consciousness NOW because of the Internet, but were NOT caused by it, and they cannot be cured at the Internet level. The Internet can never be trusted or secure by definition. The reality is that only the individual and corporate users can decide what they are willing to trust, and they must have both the will and the ability to make those decisions, and the knowledge and desire to make them well to solve the real problems here. This is a societal change, not a technical one.
--
David Richardson   \   Imagine Whirled Peas
dsrich () ieee org     \
These are my opinions - nobody else wants them.



