The Pentagon is trying to CyberAttack our way to a more secure future. But Security comes from Defense, not attack.
Thousands of years of human experience have shown that destruction is easier than creation. One man can quickly destroy something that takes a community months to create. It may be that "To every thing there is a season; and a time for every purpose under heaven." But, if you don't spend more time on creation than destruction, you end up a lonely, starving scavenger. Any stable, prosperous society must provide more rewards for creation then destruction.
Modern economies of manufacture and transportation have made many things better, but this is not one of them. In almost every way, the modern economy favors attack:
- * The huge advantage granted to market leaders guarantee that we all, government, corporate, and private, foreign and domestic, use the same computers and software.
- * There are great economic incentives to ship quickly, with many features, rather than spend time and money to create secure products.
- * Our sales and advertising driven economy has convinced us that new stuff, with new features and vulnerabilities is always better than old stuff.
- * Products are deployed LONG before understanding. Most of the issues, bugs, and vulnerabilities are discovered after things go into production.
The Internet has made many things better, but this is not one of them. In almost every way, the Internet favors attack over defense:
- * The Internet makes everything more complex. This provides the attacker with a vast array of attack surfaces.
- * The Internet makes it easier to extend influence. This allows attackers to greatly extend their list of victims. An attacker can easily apply a viable attack strategy to every eligible Internet target.
- * The Internet increases the pace of attack. Usually attack can easily outrun any possible warning.
The transition to digital has made many things better, but, again, this is not one of them. In almost every way, being able to make effortless, accurate copies favors attack:
- * It is easy to automate attack. This greatly reduces the cost of attack. It also removes the economic cost of scaling up attack against multiple victims.
- * It is easy to make self-replicating attack. This allows attack to spread itself beyond any previous control or limit.
- * It is easy to capture, analyze and reproduce somebody else's attack. If somebody drops a bomb on you, it is hard to reassemble all the bits, unburn the chemicals, and reuse it. But, if somebody develops an Internet attack, it is easy to copy the attack and repurpose it. Internet attack efficiently spreads destructive knowledge and capability direct to your enemies.
The reality is, Internet attack is like poisoning a common watershed, and hoping that your enemy dies first. There is no "Win" in "CyberWar". We all have to defend the same stuff. Every successful attack weakens us all.
We have a fairly clear understanding of how to increase security through defense. Almost every Internet Security expert agrees on the general shape of the necessary changes. But, the changes are HARD and EXPENSIVE. So, we keep hauling out the "Security Through Destruction" fantasy. If we were really serious about improving Defense, we would make changes like:
- 1) Change US politics and policy toward CyberWar. Our long-held belief is that Internet attack is less devastating than conventional attack. But now, all economies are so dependent on the Internet, that a sustained Internet outage would kill more people than a nuke. We need to lead the world to the negotiating table and impose strategic limits on Internet Attack. This needs to be enforced by cooperative International Internet monitoring and meaningful penalties.
- 2) Separate the Defenders from the Attackers. Defense needs it's own budget. Internet Defense must be prioritized OVER Attack. While Attack can inform Defense, it can't create Defense. Successful Defense requires entirely different skills and attitudes than Attack. And currently the supporters of Attack keep trying to kill any effective Defense measure in it's infancy.
- 3) Impose Product Liability on Software. The model proposed by Dan Geer could be a good start: https://www.youtube.com/embed/...
- 4) We also must have International rejuvenation of consumer protection standards. Manufacturers must be held accountable for dangerous defects in their devices. Even when the sale is across national boundaries.
- 5) Update our regulatory requirements to create large mandatory penalties for "Failure to Defend". Currently we have slight penalties for "Failure to Comply". In response everybody is encouraged to achieve minimal compliance and no more. New regulations must push us to REAL security, not the illusion of false security.
- 6) Create meaningful Internet/Cyber epidemiology. Schneier has discussed this a couple times. Government must compile accurate, available statistics that allow us to determine: The actual nature of current threats; The likelyhood of threat; The effectiveness of various "treatements" to counter the threat.
- 7) We must adopt a more consistent understanding of the "First Sale" doctrine. We need to consistently apply the rights and responsibilities of ownership to all our internet connected devices. There should be no question that we are responsible for our internet connected devices.
- 8) We must understand that connecting to the internet effects everybody. We must accept that our internet-connected devices can effect everybody. We must accept responsibility to properly configure and maintain our devices.
- 9) We must allow our ISP's to act for the good of ourselves and our communities. We must require them to properly handle abuse reports. We must require them to properly pass abuse reports to the owners of internet connected equipment. We must require them to disconnect misbehaving internet equipment if an abuse report doesn't result in timely mitigation.
- 10) We must update copyright law to aggressively mitigate orphaned code. We need to understand that code is orphaned, once disclosed vulnerabilities and exploits are not promptly addressed. When code is orphaned, ownership (and full code publication) must quickly pass to the community.
- 11) In order to enable the previous point, we should require the Copyright Office to escrow source code before granting extended (beyond a few weeks) copyright protection.
Our culture has turned away from Defense and Security on many fronts. We need to make progress on many fronts, if we wish to have meaningful improvements in Internet Security.