ports plays this role for automobiles and many other consumer products, and it wields enormous power. The same day Consumer Reports issued a “Don’t buy” recommendation for the 2010 Lexus GX 460, Toyota took the vehicle off the market. If the engineering and computer science professions could organize a software security laboratory along the lines of Consumer Reports, it would be a public service.
Federal Action
Absent market- or liability-driven improvement, there are eight steps the U.S. federal government could take to improve Internet security, and none of them would involve creating a new bureaucracy or intrusive regulation:
1. Use the government’s enormous purchasing power to require higher security standards of its vendors. These standards would deal, for example, with verifiable software and firmware, means of authentication, fault tolerance, and a uniform vocabulary and taxonomy across the government in purchasing and evaluation. The Federal Acquisition Regulations, guided by the National Institute of Standards and Technology, could drive higher security into the entire market by ensuring federal demand for better products.
2. Amend the Privacy Act to make it clear that Internet Service Providers (ISPs) must disclose to one another and to their customers when a customer’s computer has become part of a botnet, regardless of the ISP’s customer contract, and may disclose that fact to a party that is not its own customer. ISPs may complain that such a service should be elective, at a price. That’s equivalent to arguing that cars should be allowed on the highway without brakes, lights, and seatbelts. This requirement would generate significant remedial business.
3. Define behaviors that would permit ISPs to block or sequester traffic from botnet-controlled addresses—not merely from the botnet’s command-and-control center.
4. Forbid federal agencies from doing business with any ISP that is a hospitable host for botnets, and publicize the list of such companies.
5. Require bond issuers that are subject to the jurisdiction of the Federal Energy Regulatory Commission to disclose in the “Risk Factors” section of their prospectuses whether the command-and-control features of their SCADA networks are connected to the Internet or other publicly accessible network. Issuers would scream about this, even though a recent McAfee study plainly indicates that many of them that do follow this risky practice think it creates an “unresolved security issue.”[1] SCADA networks were built for isolated, limited-access systems. Allowing them to be controlled via public networks is rash. This point was driven home forcefully this summer by discovery of the “Stuxnet” computer worm, which was specifically designed to attack SCADA systems.[4] Yet public utilities show no sign of ramping up their typically primitive systems.
Political Will
These practical steps would not solve all problems of cyber insecurity, but they would dramatically reduce it. Nor would they involve government snooping, reengineering the Internet, or other grandiose schemes. They would require a clear-headed understanding of the risks to privacy, intellectual property, and national security when an entire society relies for its commercial, governmental, and military functions on a decades-old information system designed for a small number of university and government researchers.
Translating repeated diagnoses of insecurity into effective treatment would also require the political will to marshal the resources and effort necessary to do something about it. The Bush Administration came by that will too late in the game, and the Obama Administration has yet to acquire it. After his inauguration, Obama dithered for nine months over the package of excellent recommendations put on his desk by a nonpolitical team of civil servants from several departments and agencies. The Administration’s lack of interest was palpable; its hands are full with a war, health care, and a bad economy. In difficult economic times the President naturally prefers invisible risk to visible expense and is understandably reluctant to increase costs for business. In the best of times cross-departmental (or cross-ministerial) governance would be extremely difficult—and not just in the U.S. Doing it well requires an interdepartmental organ of directive power that can muscle entrenched and often parochial bureaucracies, and in the cyber arena, we simply don’t have it. The media, which never tires of the cliché, told us we were getting a cyber “czar,” but the newly created cyber “Coordinator” actually has no directive power and has yet to prove his value in coordinating, let alone governing, the many departments and agencies with an interest in electronic networks.
References
1. Baker, S. et al. In the Crossfire: Critical Infrastructure in the Age of Cyber War. CSIS and McAfee (Jan. 28, 2010), 19; http://img.en25.com/Web/mcafee/na_cIp_rpt_reg_2840.pdf. See also Kurtz, P. et al. Virtual Criminology Report 2009: Virtually Here: The Age of Cyber Warfare. McAfee and Good Harbor Consulting, 2009, 17; http://iom.invensys.com/en/pdfLibrary/mcafee/Wp_mcafee_Virtual_criminology_report_2009_03-10.pdf.
2. Gertz, B. 2008 intrusion of networks spurred combined units. The Washington Times (June 3, 2010); http://www.washingtontimes.com/news/2010/jun/3/2008-intrusion-of-networks-spurred-combined-units/.
3. Halderman, J.Q. To strengthen security, change developers’ incentives. IEEE Security and Privacy (Mar./Apr. 2010), 79.
4. Krebs, B. “Stuxnet” worm far more sophisticated than previously thought. Krebs on Security (Sept. 14, 2010); http://krebsonsecurity.com/2010/09/stuxnet-worm-far-more-sophisticated-than-previously-thought/.
5. McAfee. Unsecured Economies: Protecting Vital Information. 2009, 4, 13–14; http://www.cerias.purdue.edu/assets/pdf/mfe_unsec_econ_pr_rpt_fnl_online_012109.pdf.
6. Presidential Decision Directive 63 (May 22, 1998); http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.
7. The National Strategy to Secure Cyberspace 2003. U.S. Department of Homeland Security.
Joel F. Brenner (jbrenner@cooley.com) of the law firm Cooley LLP in Washington, D.C., was the U.S. National Counterintelligence Executive from 2006–2009 and the Inspector General of the National Security Agency from 2002–2006.
Copyright held by author.