The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Cyber security challenges and windmills


[Note: the following is primarily about U.S. Government policies, but I believe several points can be generalized to other countries.]

I was editing a section of my website, when I ran across a link to a paper I had forgotten that I wrote. I'm unsure how many people actually saw it then or since. I know it faded from my memory! Other than CERIAS WWW sites and the AAAS itself, a Google search reveals almost no references to it.

As background, in early April of 2002, I was asked, somewhat at the last moment, to prepare a paper and some remarks on the state of information security for a forum, Technology in a Vulnerable World, held on science in the wake of 9/11. The forum was sponsored by the AAAS, and held later that month. There were interesting papers on public health, risk communication, the role of universities, and more, and all of them are available for download.

My paper in the forum wasn't one of my better ones, in that it was somewhat rushed in preparing it. Also, I couldn't find good background literature for some of what I was writing. As I reread what I wrote, many of the points I raised still don't have carefully documented sources in the open literature. However, I probably could have found some published backup for items such as the counts of computer viruses had I spent a little more time and effort on it. Mea culpa; this is something I teach my students about. Despite that, I think I did capture most of the issues that were involved at the time of the forum, and I don't believe there is anything in the paper that was incorrect at that time.

Why am I posting something here about that paper, One View of Protecting the National Information Infrastructure, written seven years ago? Well, as I reread it, I couldn't help but notice that it expressed some of the same themes later presented in the PITAC report, Cyber Security: A Crisis of Prioritization (2005), the NRC report Towards a Safer and More Secure Cyberspace (2007), and my recent Senate testimony (2009). Of course, many of the issues were known before I wrote my paper -- including coverage in the NRC studies Computers at Risk: Safe Computing in the Information Age (1991), Trust in Cyberspace (1999) and Cybersecurity Today and Tomorrow (2002) (among others I should have referenced). I can find bits and pieces of the same topics going further back in time. These issues seem to be deeply ingrained.

I wasn't involved in all of those cited efforts, so I'm not responsible for the repetition of the issues. Anyone with enough background who looks at the situation without a particular self-interest is going to come up with approximately the same conclusions -- including that market forces aren't solving the problem, there aren't enough resources devoted to long-term research, we don't have enough invested in education and training, we aren't doing enough in law enforcement and active defense, and we continue to spend massive amounts trying to defend legacy systems that were never designed to be secure.

Given these repeated warnings, it is troubling that we have not seen any meaningful action by government to date. However, that is probably preferable to government action that makes things worse: consider DHS as one notable example (or several).

Compounding the problem, too many leaders in industry are unwilling to make necessary, radical changes either, because such actions might disrupt their businesses, even if such actions are in the public good. It is one of those "tragedy of the commons" situations. Market forces have been shown to be ineffective in fixing the problems, and will actually lead to attempts to influence government against addressing urgent needs. Holding companies liable for their bad designs and mistakes, or restricting spending on items with known vulnerabilities and weaknesses would be in the public interest, but too many vendors affected would rather lobby against change than to really address the underlying problems.

Those of us who have been observing this problem for so long are therefore hoping that the administration's 60 day review provides strong impetus for meaningful changes that are actually adopted by the government. Somewhat selfishly, it would be nice to know that my efforts in this direction have not been totally in vain. But even if nothing happens, there is a certain sense of purpose in continuing to play the role of Don Quixote.

Sancho! Where did I leave my horse?

Why is it that Demotivators® seem so appropriate when talking about cyber security or government? If you are unfamiliar with, let me encourage you to explore the site and view the wonderfully twisted items they have for sale. In the interest of full disclosure, I have no financial interest or ties to the company, other than as a satisfied and cynical customer.

On a more academic note, you can read or purchase the NRC reports cited above online via the National Academies Press website.


Posted by Terran Lane
on Sunday, March 29, 2009 at 04:49 PM

I agree that we’re facing a tragedy of the commons problem here (like in so many other places in the economy).  So the question becomes: how to fix it?  How can we really get from where we are to a better state?  While Spaf has been among the leaders of the charge to raise awareness and influence public policy on these issues, the progress has, sadly, been glacial.

In my (admittedly naive and relatively uneducated) reading of economics and history, my impression is that the only two ways to really overcome a tragedy of the commons are centralized control (e.g., government regulation) or collectively enforced agreement on policy (e.g., large-scale boycott or unionization).  In principle, I guess, a third choice is to shift the incentives so that the commons problem is eliminated at the source.

So here, the first would be something like government-enforced safety standards for systems and software (analogous to those for cars).  To date, it seems like there’s not a lot of excitement for that course.  As you say, there’s a lot of industry pressure against it, and little public support for it.  And lacking a massive, and probably massively fatal, disaster attributable to software/systems, that seems unlikely to change soon.  Ditto for collective boycott—the consumer base is just not educated enough to really appreciate the issues at stake, nor to recognize quality when making buying decisions.

So, what can be done to shift the incentives?  Lacking more regulatory solutions (e.g., Congress forcing companies to assume the financial risk of their systems’ errors), all I can see is consumer-driven lawsuits.  I could envision a sequence of successful lawsuits that push some of the risk back on the manufacturers.  That’s an effort that I could envision being grass-roots, not requiring central regulation, and being individual-driven (and not requiring massive, simultaneous buy-in by a large fraction of the consumer base).  And it would seem that individuals injured by system failures or security breaches would have incentive to sue.

So why haven’t we seen more prominent instances of such suits?

Posted by Robert Elder
on Sunday, March 29, 2009 at 09:20 PM

You deserve much credit for highlighting these issues.  One can hope that we will take action in a deliberate way rather than find ourselves reacting to a crisis!

Leave a comment

Commenting is not available in this section entry.