Defending the National Strategy to Secure Cyberspace

Completed under the supervision of Richard A. Clarke and Howard A. Schmidt, Chair and Vice Chair respectively of the President's Critical Infrastructure Protection Board, the 64-page document breaks out into a series of recommendations for cyberspace security at each of five levels: home users and small business, large enterprises, critical sectors, national issues, and global issues. You can find the document at http://www.whitehouse.gov/pcipb/

The strategy document is formidable. It's stuffed with dozens of recommendations designed "to empower all Americans to secure their portions of cyberspace"; the emphasis is on awareness and training, public-private partnerships, and federal leadership by example. Clarke
and Schmidt are clearly oriented toward consensus-building and collaboration, rather than the iron fist of law. I believe this kind of cooperative approach makes sense, especially given the collaborative development of the Internet over the past thirty years. Others, however, have criticized the proposed strategy as "toothless", "sixty pages of nothing" -- since it does not propose any new laws or information security regulations.

A good example of the criticism Clarke and Schmidt have received is delivered by Marcus J. Ranum, a security guru who was responsible for developing the first commercial firewall. In his article "Federal Cybersecurity: Get a Backbone", Ranum argues that market forces will not address the nation's vulnerabilities and that a "Napoleonic" regime of laws and regulations are needed. See http://www.tisc2002.com/newsletters/414.html

For example, Ranum suggests that a law be put in place that would "make it illegal to sell a PC that doesn't come with a full-licensed Antivirus product and personal firewall pre-installed on it." The idea is that home users are not smart, technical, or motivated enough to acquire and deploy these kinds of products on their own.

Ranum's example -- mandatory anti-virus and firewall products -- illustrates exactly why the government should NOT try to legislate good information security. From a naive perspective, it seems like a good idea. Anti-virus and firewall programs are like the motherhood and apple pie of information security: who can argue against them?

One counter-argument goes like this: The cybersecurity problem space has very little do with "virus" or "firewall" problems. Wouldn't anti-virus and personal firewall systems be obsolete if commercial operating systems were trustworthy? The anti-virus and personal firewall market niches, as they exist today, only exist because of the lack of trustworthiness in current operating systems, which promiscuously execute malware and promiscuously connect to the Internet. Perhaps a more suitable target of legislative action would be the operating system, with strict regulations on the functionality that OS vendors can include in their products. Alternatively, perhaps the money that Ranum would have everyone spend on anti-virus and firewall products would be more effectively spent on intrusion detection, encryption, access control, biometrics, "real" (vs. personal) firewalls, redundant DNS servers, etc.

The "problem space" problem aside, let's perform a thought experiment: Imagine that, poof, every new computer has an anti-virus program -- let's call it Foo -- and a personal firewall program -- let's call it Bar -- thus fulfilling Ranum's proposed law. The first question to ask: Do Foo and Bar work or are they snake oil? Developing good security products is tough and expensive work. There's a million ways to go wrong. There's lots of snake oil available in cyberspace and if Foo and Bar are snake oil, they may fulfill a regulatory requirement but still not improve cybersecurity.

For the purposes of this thought experiment, let's say Foo and Bar are well-designed and implemented. Anti-virus and personal firewall programs have to be configured, maintained, and updated. Given the assumption that users have to be legally coerced into acquiring the software in the first place, why would Ranum and the other would-be regulators think that users would properly configure, maintain, and update the software? There are few things more dangerous in infosecurity than a misconfigured firewall.

Assuming that Foo and Bar work, and that, somehow, they are properly maintained and configured, it's time to switch hats and imagine you're the bad guy, the cracker, the intruder: Will you give up? Of course not! You'll do what every attacker has done since the beginning of civilization: You will route around the counter-measure. The mandated security programs will be like a pair of thin stakes driven into the ground, a Maginot Line for computer security. You'll walk, march, and send armored columns right around them.

Computer security is a game in which the attacker makes the rules. This is the core reason why threats to computer security cannot be countered by legal fiat. A law mandating product type a, b, or c will just send the attackers to items d, e, and f. The slow-moving legislative system is no match for the fast-changing and polymorphous frontiers of cyberspace.

To illustrate the point: look at what's happened with the US government's attempts to enforce even long-standing and well-understood laws like the Sherman Anti-Trust Act in the context of cyberspace. By the time the Department of Justice identified Microsoft as a wrongdoer, the company had already smashed dozens of companies. The wheels of justice turned so slowly -- with extended debates about the meaning of words like "is", "browser", "platform", "bundle", and "market share" -- that the outcome was moot by the time it was rendered.

Does this mean that there's nothing the government can do about cybersecurity? Of course not. Read the National Strategy document's thoughtful, targeted, and non-coercive recommendations. The most powerful recommendations center on the imperative that the federal government demonstrate leadership by example in securing its own critical systems. Other good ideas revolve around improving and extending product certification schemes like the Common Criteria.

From a conceptual point-of-view, those concerned with cyberspace security should return to the original design criteria for packet-switching networks like the Internet: best-effort delivery,
peer-to-peer command and control, redundancy, and survivability. It's important to keep in mind that Paul Baran's original concept was a network of networks that could withstand a massive nuclear attack. While damaging cyberattacks by determined terrorists remain a possibility, cyberspace is probably far more robust than we realize, despite -- or maybe because of -- a low-key governmental regulatory regime.

See you next issue. 'Til then, keep your guard up!