The Iranian nuclear effort was stunted by the the Stuxnet virus, and now Flame. Some believe that both of these were constructed specifically to slow Iran’s progress, and some call this “cyber war”. The drumbeat to “do something” is loud this week.
As I pointed out in my recent blog , so-called cyber war is not really war because it involves no violence and no coercion. A successful “cyber attack” is really just someone taking advantage of a security flaw in computers to gain some measure of control of those computers. The damage that can be caused by a successful attack can be substantial, but in many, if not all cases, the damage can be completely avoided with simple steps. The reasons those steps are not taken are sometimes out of ignorance, but much more often vulnerability is a conscious choice to gain convenient remote access, with full knowledge of the security risk it entails. There is tremendous value in enabling this access, saving billions of dollars in time, travel, and delay because people no longer have to be physically present to do their jobs.
This tradeoff is a classic case of security vs. convenience. The worldwide internet is a wonderful tool. Its utility flows directly from its worldwide, unfettered, unfiltered reach. Anyone on any continent can communicate with any computer system that is connected to the internet. This enables a vast and growing number of applications that allow people to do banking from home, and monitor their homes while on vacation. It also allows administrators to control and maintain computer equipment, and engineers to monitor power plants from home. With the advent of small, portable devices like the iPad, these things can be done from almost anywhere.
That very connectivity is also the danger. Can the “Bad Guy” break in and seize control?
The answer is “maybe”, and it always will be.
Truly secure computer systems are kept in a room-sized, lead-lined box. There is no “network access” at all. If you want access, you go in the room. You are searched on the way in, and searched on the way out. The ceiling tiles on the room are tied together to ensure that the “seal” is not broken, and every wire going to the room is inspected by the security officers to ensure that no unauthorized information can leak in – or out.
That is a secure computer system. It is also a computer system that is almost useless, because by severely limiting the data flow to and from the outside world, it cannot do what computers do best – digest and analyze data.
Almost every other computer system today has some sort of internet connection. Security experts recommend firewalls, proxy servers and anti-virus software, every one of which makes remote access more difficult and expensive. Every computer system administrator worth his salt knows that a break-in would be a disaster, but they make the difficult tradeoff of implementing enough security to stay “safe” without making usage “too difficult”.
I have several servers that I administer, and I regularly see “attacks” on my machines from Russia, China, India, South Africa, Brazil, and elsewhere. These “attacks” are constant, annoying, and consume network capacity and CPU power, but in general I do not block their access. Why? because I would rather accept the annoyance of the attacks than block a legitimate customer by accident. The lead-lined box is not an option, because my customers come to me specifically to get world-wide connectivity. It’s a package deal.
The same is true of the internet in general. Its power is in its connectivity and the absence of centralized control of any kind. Anyone can become the author of a viral YouTube video, or start a revolution with a Tweet. This also means that the Bad Guys also have unfettered access. It means that “cyber security” is the responsibility of each and every computer system administrator on the internet.
It’s a package deal.
All of the proposals being pushed to “fix” our vulnerability to “cyber attack” involve some measure of central control of the internet. It promises “safety” to computer system administrators in exchange for less internet freedom. Every one of these measures has the effect of ending the internet as we know it, because whoever controls that “authority” can unavoidably decide who the “Bad Guy” is. History teaches us that sooner or later, the “Bad Guy” will be “you”.