On April 27 the New York Times published a blog in the 'Your Money' section (The PlayStation Breach: Why You Should Remain Calm, by Ann Carrns). What follows is my response. You can find the New York Times blog and my response at http://community.nytimes.com/comments/bucks.blogs.nytimes.com/2011/04/27/the-playstation-breach-why-you-should-remain-calm/?permid=20#comment20.
The 'don't worry be happy' message of Ms. Carrns absolutely misstates what the Sony PlayStation data breach represents. Given the state of cyber crime today, this data theft was the act of sophisticated cyber criminals motivated by greed, not bragging rights. And the magnitude of the breach -- and the fact that these types of thefts are becoming increasingly routine -- illustrates too that our current approach to 'securing' the Internet is not working. (My recent book, Creeping Failure: How We Broke the Internet and What We Can Do to Fix It (McClelland and Stewart, 2010), discusses both these observations in detail; what follows is the CliffsNotes version).
First, while over a decade ago it was not uncommon for the proverbial teenage hacker to break into a computer system for the bragging rights, those days are gone. Cyber crime and the associated cyber underworld are now big business, with multinational cartels like the Russian Business Network (its real name) competing for the top grads from computer science at top Eastern European universities. By all accounts cyber crime can be very lucrative, and it is a percentage game based on returns from small percentages of very large numbers. If 77 million accounts are stolen, then some of those cards are not going to be cancelled in time. Under US law the credit card holder's liability is limited, but someone will end up with the bill, or, stated differently, the cyber underworld will reap a gain. If one does the math, it turns out that a vanishingly small number of credit cards have to remain 'hot' for an attack like that against Sony PlayStation to be very, very profitable for the cyber criminal. And credit card numbers are not the only personal data that Sony's files contain -- all of which can be monetized by sophisticated criminals using flourishing cyber black markets.
This transmogrification of the 'lone hacker' into a sophisticated cyber underworld is one of the most obvious seismic shifts making the Internet increasingly unsafe. I have no idea where Ms. Carrns hears that 'hackers in this type of situation are often looking for notoriety', but that statement runs counter to everything I know of what motivates data breaches today.
Second, the Sony data breach is just the latest example of the insecurity of cyber systems. Stuxnet illustrated that a computer worm can disable the physical operations of a sophisticated nuclear plant. WikiLeaks illustrated that amazingly large amounts of sensitive US Government data can be stolen by a single individual. And so on.
I like to think of the Internet today as being the cyber equivalent of the London that Charles Dickens described. The London of the 1840s was, like today's Internet, an incredibly vibrant environment, a phenomenal city of unimagined proportions driven and created by new technologies. It was also unsafe, filled with garbage, and lacking any police, uniform law enforcement, or effective government. In other words, just like today's Internet.
The Sony data breach is just the latest criminal escapade illustrating what happens in the cyber equivalent of Dickens' London.
After 1840 London invested in creating and building the institutional infrastructures and public incentives that we take for granted in today's First World cities -- sewers, police departments, public health, some form of unified and effective government.
The message of the Sony PlayStation theft is that we need to do the same for today's Internet.
One can't help but think that McFate (as Nabokov called him) has a special place for Sarah Palin and Senators Lieberman and Collins. After Palin called for 'drill, baby, drill', McFate obligingly arranged for BP to have a spectacular oil spill. Then, no doubt pleased with himself, McFate arranges for Middle Eastern governments to hit the kill switch on the Internet a few months after the Senators introduce the so-called Internet kill switch bill.
The bill, now stripped of its kill switch provision (though the same authority still resides in Section 706 of the Telecommunications Act of 1934), has been reintroduced by Senators Lieberman, Collins, and Carper as the Cybersecurity and Internet Freedom Act (S413).
I'm not going to take up the refrain already coming from the privacy community (mafia would be a better term) -- I have my own issues with their perspective. My concerns about S413 are based on the boring reality of life -- that oftentimes it is the details that matter. (And, in the interests of full disclosure, the text of S413 is not available as I write this, so I'm basing my comments on provisions in the earlier bill).
Here's the problem: the heart of the bill is a well-meaning attempt to create a public-private partnership to protect 'the nation's most critical infrastructures' that will result in one of two outcomes:
- MOST LIKELY, it will mean little and accomplish nothing;
- IN THE WORST CASE (if McFate's evil twin has his way), the bill would create a system for national security-driven cybersecurity investments that will make Ptolemaic astronomical predictions look commonsensical by comparison.
As I said, the bill was written by well-meaning people. Within DHS it would create a National Center for Cybersecurity and Communication (NCCC) with a Senate-approved Director. With the NCCC in place, three things would happen:
1. Mandatory security requirements would be imposed on 'specific systems or assets whose disruption would cause a national or regional catastrophe.' These 'covered critical infrastructures' would be identified collaboratively, of course, with the private sector. And, in a version of the Lawyers and Lobbyists Full Employment Act, owners/operators of covered critical infrastructures could appeal their inclusion through 'administrative procedures' (unspecified?).
2. Hopefully a collaborative environment between the NCCC and the private sector would emerge. The bill seems to waffle a bit on this; according to the accompanying White Paper, 'although owners/operators of covered critical infrastructures would be required to report on cyber attacks ... the NCCC would not have the authority to compel this disclosure.'
3. The NCCC would set risk-based security performance requirements for covered systems in conjunction with the private sector. The risk/mitigation profile would drive the choice of security measures that would, in ways unspecified, satisfy the risk-based security performance requirements.
In other words, some cyber systems would be designated as national security critical; owners/operators of these systems would have to invest in additional security to meet national security criteria.
This approach has many problems, but here are two: first, there is almost no data, let alone an agreed-upon approach, for doing most cyber-based risk analysis; and second, the link between reducing risk and taking certain security actions is tenuous at best.
For instance, insider threats (say, security violations coming from people who have legitimate passwords) are widely acknowledged as being among the most serious threats, and certainly would be an important element in any risk-based security performance requirements. Two problems: first, there are no -- repeat, no -- records of insider threats other than anecdotes or those unfortunates who are not only caught but also prosecuted (a tiny number); and second, it is unclear (or, more pedantically, 'a research challenge') what to do to address the insider threat.
Hence my observation -- we have in S413 a potential requirement that private owner/operators invest in additional security, but without any solidly based mechanisms to establish how, or why, the resources should be spent.
This is a recipe for bringing forth numerology and astrology dressed up as analysis, with a solid foundation of lobbying, as the basis for decisions.
I'm all in favor of the goal of S413 -- solid risk based investment to secure critical national infrastructures. I just wish policy makers would embark on this process with their eyes wide open.
(These comments also appear on cybersecuritycommunity.org -- a website promoting more meaningful dialogue about making cyber security partnerships actually work. Come, or participate via webcast, to the Symposium "Cybersecurity: Shared Risks, Shared Responsibilities" at the Moritz College of Law, Ohio State University, April 1, 2011)
I'm very critical of the sloppy way in which many of the discussions about 'cyber war' have presented the issue.
Read the report Cyber war and Cyber Power: Issues for NATO Doctrine that I wrote for the NATO Defence College at
I hope the following will help clarify the discussion:
1) For the US and Canada, their allies, and NATO, cyber war as the focus of concern is a misnomer; the real or potential use of cyber power by nations or terrorist groups should be the principal focus. Cyber war is just one outcome of the exercise of cyber power between nations.
To draw an analogy from naval thinking, since the writings of Alfred Mahan, sea power rather than naval war has been the preferred strategic frame of reference for the projection of state power on the oceans. Like 'naval war', cyber war conjures up legal, policy, military, and diplomatic considerations that inappropriately narrow the scope of relevant issues. Cyber space is better thought of as a new theater for states to exercise cyber power and not just to conduct cyber war.
In nuanced ways perhaps not yet seen, cyber power can involve both the projection of state power as well as the creative use of active defenses, all in concert with other military, diplomatic, information and economic tools. The projection of cyber power with both offensive and defensive elements must be a component of national and NATO security doctrine for the future.
2) In large-scale warfare it doesn't make much sense to launch disruptive cyber attacks without any 'kinetic' (bombs and bullets) accompaniment. In other words, I totally disagree with the scare-mongers who predict a full-scale cyber war waged only with computers. Disruptive cyber attacks can destroy important data and disrupt communications, and perhaps seriously affect physical operations like transportation and the management of large-scale networks like electric power. But even now major electric blackouts or communications systems failures are not unknown, and yet advanced countries manage to carry on. While the impact of cyber attacks may be hard to gauge in advance -- a consideration of concern to the attacker every bit as much as to those attacked -- the effect of a disruptive cyber attack is to throw sand in the gears.
The November 2010 issue of Scientific American recommends reading Creeping Failure.
From the book's cover:
The Internet is often called a superhighway, but it may be more analogous to a city: an immense tangle of streets, highways, and interchanges, lined with homes and businesses, playgrounds and theatres. We may not physically live in this city, but most of us spend a lot of time there, and even pay rent and fees to hold property in it.
But the Internet is not a city of the 21st century. Jeffrey Hunker, an internationally known expert in cyber-security and counter-terrorism policy, argues that the Internet of today is, in many ways, equivalent to the burgeoning cities of the early Industrial Revolution: teeming with energy but also with new and previously unimagined dangers, and lacking the technical and political infrastructures to deal with these problems. In a world where change of our own making has led to unexpected consequences, why have we failed, at our own peril, to address these consequences?
Drawing on his own experience as a top expert in information security, Hunker sets out to answer this critical question in Creeping Failure. Hunker takes a close look at the "creeping failures" that have kept us in a state of cyber insecurity: how and why they happened, and most crucially, how they can be fixed. And he arrives at some stunning conclusions about the dramatic measures that we will need to accomplish this.
This groundbreaking book is an essential first step towards understanding the Internet in a larger context as we try to build a safer Internet "city." But it also raises issues that are relevant far outside the online realm: for example, how can we work together to create not just new policy, but new kinds of policy? Creeping Failure calls for nothing less than a basic rethinking of the Internet -- and of how we can solve problems together.