conceivably become adequately secure
into a “cloud” of networked computers of unknown ownership, location,
management, and security. Should users enquire of the cloud’s gatekeepers
about such matters, they are told to
“trust us,” though one can hardly refrain from asking, “But why should I?”
Technology is an enabler for the
first three necessary components of
protection of the commons but like
the others is insufficient. It is both
part of the problem and part of the
solution. Most important, behavioral
adjustments by users of the commons
are also needed to break the cycle of
self-destructive technology:
Connections. Users should revisit the
premise that any two devices are better
connected than unconnected;
Conceptual errors. Managers should
recognize that entrusting the fixing of
flaws to the people who created them
has natural limits, and that, perhaps,
the security problem is not a matter of
minor execution errors but of major
conceptual errors;
Any computer. Decision makers
should recognize that any computer
can be penetrated, just as any building
can be entered and any object can be
stolen; and
Distrust as default. All users are well
advised to replace trust with distrust
as a default condition in all computer-mediated interactions.
These should not necessarily deter
technical innovation but call for adjustment in the expectations of managers and users of the technologies
they adopt.
Bottom-Up Perspective
Voluntary, legal, user-controlled self-defense efforts are also necessary but
inherently on a smaller scale than their
governmental counterparts. They are
most easily accomplished when user
organizations are large enough and
smart enough to identify and implement cost-effective protection. They
help establish a market for protection
technologies and educate a new generation of security professionals who understand options and risks that often
remain classified or proprietary and
are difficult to share widely.
Voluntary self defense asks: Who
does the volunteering and the defending? The answer depends on the technical knowledge available to users and
the resources they can devote to something that is not their professional focus. The newly emerging popularity of
informal social networks points to an
alternative to top-down processes.

one must recognize that entities so regulated will accept it only after they have avoided it through every possible legal and political channel available to them.

Voluntary user-oriented mechanisms (such as the Internet Engineering Task Force, or IETF) have served the
Internet well, developing protocols to
provide greater security and fostering
next-generation networks.[9] Computer
emergency response teams (CERTs),
industry-information-sharing-and-analysis centers (ISACs), informal regional system-administrator groups,
software vendors, and the Forum of Incident Response and Security Teams
(FIRST) all help but have difficulty
staying ahead of aggressive attackers.
How can voluntary defense establish a trust mechanism? The seeds of
today’s Internet security problems were
planted when the ARPANET began to
grow beyond its first small circle of researchers more than 40 years ago.[8] Early generations of network users were
homogeneous, scientifically oriented,
cooperative, dedicated to developing
network technology and its applications, and had no reason to distrust or
harm one another. With net growth have
come many more users with no knowledge of one another and with divergent
agendas. Distrust should replace trust,
but the means of practicing distrust are
poorly served by network technology
created to support trusted users.
The National Strategy to Secure Cyberspace published in 2003 relied on
the 1997 PCCIP principles: voluntary
action, public-private partnerships,
public awareness, international cooperation, and the central importance
of critical infrastructure.[14] It viewed
cyberattacks as crimes for which,
through due process, perpetrators
would be identified, prosecuted, and
punished. Vulnerabilities were to be
reduced through an unending search
for flaws and their elimination through
decisions by vendors, service companies, and computer owners and operators. It presumed software flaws could
be reduced over time to acceptable
levels. The defensive concept was to
distribute response capabilities to user
organizations acting on their own behalf and in their own best interests.
The security problems experienced