Communications - November 2010

ports plays this role for automobiles and many other consumer products, and it wields enormous power. The same day Consumer Reports issued a “Don’t buy” recommendation for the 2010 Lexus GX 460, Toyota took the vehicle off the market. If the engineering and computer science professions could organize a software security laboratory along the lines of Consumer Reports, it would be a public service.

federal action

Absent market- or liability-driven improvement, there are eight steps the U.S. federal government could take to improve Internet security, and none of them would involve creating a new bureaucracy or intrusive regulation:

1. Use the government’s enormous purchasing power to require higher security standards of its vendors. These standards would deal, for example, with verifiable software and firmware, means of authentication, fault tolerance, and a uniform vocabulary and taxonomy across the government in purchasing and evaluation. The Federal Acquisition Regulations, guided by the National Institute of Standards and Technology, could drive higher security into the entire market by ensuring federal demand for better products.

2. Amend the Privacy Act to make it clear that Internet Service Providers (ISPs) must disclose to one another and to their customers when a customer’s computer has become part of a botnet, regardless of the ISP’s customer contract, and may disclose that fact to a party that is not its own customer. ISPs may complain that such a service should be elective, at a price. That’s equivalent to arguing that cars should be allowed on the highway without brakes, lights, and seatbelts. This requirement would generate significant remedial business.

3. Define behaviors that would permit ISPs to block or sequester traffic from botnet-controlled addresses— not merely from the botnet’s com-mand-and-control center.

4. Forbid federal agencies from doing business with any ISP that is a hospitable host for botnets, and publicize the list of such companies.

5. Require bond issuers that are
subject to the jurisdiction of the Fed-
eral Energy Regulatory Commission to
disclose in the “Risk Factors” section
of their prospectuses whether the com-
mand-and-control features of their
SCADA networks are connected to the
Internet or other publicly accessible
network. Issuers would scream about
this, even though a recent McAfee
study plainly indicates that many of
them that do follow this risky practice
think it creates an “unresolved security
issue.” 1 SCADA networks were built for
isolated, limited access systems. Al-
lowing them to be controlled via pub-
lic networks is rash. This point was
driven home forcefully this summer
by discovery of the “Stuxnet” computer
worm, which was specifically designed
to attack SCADA systems. 4 Yet public
utilities show no sign of ramping up
their typically primitive systems.

Political Will

These practical steps would not solve all problems of cyber insecurity but they would dramatically improve it. Nor would they involve government snooping and or reengineering the Internet or other grandiose schemes. They would require a clear-headed understanding of the risks to privacy, intellectual property, and national security when an entire society relies for its commercial, governmental, and military functions on a decades-old information system designed for a small number of university and government researchers.

Translating repeated diagnoses
of insecurity into effective treatment
would also require the political will to
marshal the resources and effort nec-
essary to do something about it. The
Bush Administration came by that will
too late in the game, and the Obama
Administration has yet to acquire it.
After his inauguration, Obama dith-
ered for nine months over the package
of excellent recommendations put on
his desk by a nonpolitical team of civil
servants from several departments
and agencies. The Administration’s
lack of interest was palpable; its hands
are full with a war, health care, and a
bad economy. In difficult economic
times the President naturally prefers
invisible risk to visible expense and is
understandably reluctant to increase
costs for business. In the best of times
cross-departmental (or cross-ministe-
rial) governance would be extremely
difficult—and not just in the U.S. Do-
ing it well requires an interdepartmen-
tal organ of directive power that can
muscle entrenched and often parochi-
al bureaucracies, and in the cyber are-
na, we simply don’t have it. The media,
which never tires of the cliché, told us
we were getting a cyber “czar,” but the
newly created cyber “Coordinator” ac-
tually has no directive power and has
yet to prove his value in coordinating,
let alone governing, the many depart-
ments and agencies with an interest in
electronic networks.

References

1. Baker, s. et al. In the Crossfire: Critical Infrastructure in the Age of Cyber War, csIs and mcafee, (Jan. 28, 2010), 19; http://img.en25.com/Web/mcafee/ na_cIp_rpt_reg_2840.pdf. see also p. Kurtz et al., Virtual Criminology Report 2009: Virtually Here: The Age of Cyber Warfare, mcafee and good Harbor consulting, 2009, 17; http://iom.invensys.com/en/ pdfLibrary/mcafee/Wp_mcafee_Virtual_criminology_ report_2009_03-10.pdf.

2. gertz, B. 2008 intrusion of networks spurred combined units. The Washington Times, (June 3, 2010); http:// www.washingtontimes.com/news/2010/jun/3/2008- intrusion-of-networks-spurred-combined-units/.

3. Halderman, J.Q. to strengthen security, change developers’ incentives. IEEE Security and Privacy (mar./apr. 2010), 79.

4. Krebs, B. “stuxnet” worm far more sophisticated than previously thought. Krebs on Security, sept. 14, 2010; http://krebsonsecurity.com/2010/09/stuxnet-worm- far-more-sophisticated-than-previously-thought/.

5. mcafee. Unsecured Economies: Protecting Vital Information. 2009, 4, 13–14; http://www.cerias. purdue.edu/assets/pdf/mfe_unsec_econ_pr_rpt_fnl_ online_012109.pdf.

6. presidential Decision Directive 63, (may 22, 1998); http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.

7. The National Strategy to Secure Cyberspace 2003. u.s. Department of Homeland security.

Joel F. Brenner ( jbrenner@cooley.com) of the law firm cooley LLp in Washington, D.c., was the u.s. national counterintelligence executive from 2006–2009 and the Inspector general of the national security agency from 2002–2006.