Learn more about how information technology is changing
our lives and our world. PLUS NEWS + EVENTS

Cybersecurity Nosebleed

Security is the newest over-hyped commodity in the United States. I keep visualizing driving down highway 101 past billboards that read: “Big government wants big security” along with a picture of an ape beating on its chest. Somehow as seriously as they say they are, I’m not convinced.

Most Americans reacted positively to heightened security last year, but I kept asking myself: why is the United States Government Hype Machine (hereinafter shortened to UGH) only now getting a clue? Why were the people in Washington snoring at the wheel? I have this flaw of wanting to understand ineptitude because it just does not compute. I knew all too well from working as a network consultant that it’s rare to get upper management to even listen to requests for increased security let alone sign-off on funds to make anything truly secure. UGH is just a bloated corporation in its reactive response. Nobody ever pays attention to security until after they get hacked or some catastrophe occurs.

Here’s the latest on the policy side: Airsick bags are located in the pouch in front of your seat. The Department of Homeland Security has yet to be officially defined. The Cybersecurity plan is weak. Nobody has faith in Tom Ridge or Richard Clarke, the new poster boys. Also, the USA PATRIOT Act (USAPA) is losing steam. (It expires in December, 2005 but much damage can still be done.)

Some of the proposed changes make sense, but they’re still buried in UGH buzzwords. “Homeland security.” Groan. That sounds like a 2am infomercial for a cheap alarm system. “Cybersecurity.” Oh please…I doubt William Gibson had this in mind when he wrote Neuromancer. Next, the UGH commanders will claim they invented the Internet. How can we take their plans seriously if everything is buried in a mishmash of hype? How can we have any confidence in the future success of these projects? Why do they think they’ll be able to succeed where they’ve failed before?

I’m not an anarchist and I’m not crying “Big Brother.” I’ve had a U.S. government security clearance. I take national security extremely seriously. This is precisely why I feel that the powers-that-be just don’t seem to get it.

Take biometrics for example. I’ve been studying this topic lately and the security of most biometric technologies is a joke. Everyone who knows anything about biometrics will state as a disclaimer: “well, this biometric is pretty effective but only under certain conditions with small groups.” That really sums it up. There have been some successful applications for biometrics in various governments and military organizations, but all under test groups who had no real choice in whether to participate and all under limited conditions.

One saving grace Ð there is a growing contingent of people out there who are realizing that security’s not something we can attach to the grinding cogs of government and make work smoothly or immediately. Privacy activists began raising red flags as soon as the USAPA passed. After the mourning period ended, a few congress members dared to peep. Now more people are rallying for the government to be smart about security. And the Cybersecurity plan is about to be laughed out of town —Bruce Schneier wrote in this week’s Crypto-Gram that the plan’s recommendations don’t do squat—solid laws mandate action; touchy-feely requests are useless.

I attended an event last week where the speakers discussed the topic of “Silicon Valley Technology and Homeland Defense.” The panel of speakers included former Senator Gary Hart, Co-chair of the U.S. Commission on National Security/ 21st Century, U.S. Army Lieutenant General Joseph Kellogg, and representatives from Cisco, IBM, and Siebel. Hart explained what national security really should be and made sense where most UGH descriptions failed. (Hart and former Senator Warren Rudman put together an extensive document a couple of years ago warning of future terrorist attacks on the magnitude of that which occurred September 11, 2001. Their document didn’t get any attention then, but it is now.)

Hart’s allegory is simple: picture a room with 40 computers monitored by 40 different people, each from different arms of the U.S. government, such as FEMA, the FBI, Secret Service, and U.S. Customs. I guess this really exists. None of the computers are on the same network, none use the same software, and the people who use these machines change shifts at random times without ever updating each other on their states. The concept of one department to consolidate these activities and act as a sort of national security project manager is not a bad idea. The problem is that nothing is really defined as of yet, so we’re just stuck in the mud spinning our wheels.

So what is the reason for the hype machine? The short answer is fear. The reactive response is often a necessary evil, but there’s a time and a place for getting on with business as usual. The U.S. government is an organization like any other. It just happens to be bigger and even more powerful than Microsoft. So the result is that the usually sluggish reaction to adversaries means that people got scared, people rallied, but the time is up for responses. Let’s deal with the security issues and move on.

Sane Security

While UGH goes about fluffing up its feathers in some territorial ritual, let’s be realistic —security is not a simple undertaking. No matter how committed a government is, real national security is not a simple goal to achieve. It’s a simple concept, yes. Protect the people of the nation. Protect the children (because that always gets sympathy points). Protect the crops. Protect the businesses…whatever the special interest groups require. Simple concepts, however, do not always have simple solutions. Here are the first problems that come to mind when exploring a stronger national security infrastructure:

First off: loss of privacy. Doubtless, we’ve all heard about this one. Nobody wants personal information stored in massive databases used by mass numbers of people. It’s not safe. Something like a National ID will not fly if every local policeman in the country can spot check our identity when we’re walking the dog, requesting fingerprint checks of both Ralph and Fido. Identity theft is rampant. Along with the annoyance factor comes a loss in dignity when personal information is stolen.

Along the same lines, surveillance did increase after the USAPA passage. It’s oddly mystifying to find actual numbers as most government agencies are tight-lipped on this one, but I know for a fact that sales spiked at the International Spy Shop. (They do have nifty gadgets. Who wouldn’t want to use one now that wiretaps are easier?) We all know the adage: “Absolute power corrupts absolutely.” Try “Who’s gonna babysit the babysitter?” The result of privacy concerns is decreased faith in government. True security should instill confidence in government.

The next problem: implementation. Training of government staff, airport staff, national guard, and even regular citizens is expensive. It’s also time-consuming and it must be done for every person who is at all a part of the system. We’ve all seen how airport security is a joke. A friend of mine got through with 8-inch sewing scissors. A pilot friend of hers got through with a 9mm handgun. Truly. He resigned that day. I don’t blame him.

Mass systems always have backdoors and security holes. Not on purpose. They just do. If authorized users can get in, so can unauthorized users somehow. Plugging the holes will take a lot of time and money. And let’s not forget Murphy’s Law. It usually strikes twice in any system implementation. Security is no exception.

Finally, UGH needs a reality check. Any system is only as secure as its weakest link. The weakest link is nearly always human error. Of course tired security personnel can’t perform up to snuff. And who always loses their passwords? I can assure you —it’s not the computer. Someone will always screw-up. Also, someone will always be offended. It’s impossible to make everyone happy. The transition will not be smooth or quick. It seems UGH is beginning to catch wind of this, which is slightly refreshing, but we still have a long way to go.

What’s the solution?

One thing the US Army Lieutenant General said during last week’s Silicon Valley panel was: “sometimes we know too much about security…sometimes you have to take a little risk. We make the mistake that they’re bigger than they are.” In other words, we don’t need perfection. We do, however, need something that works. A serious look at security is overdue for the U.S. and many other countries. If the leaders of the world are to be continually threatened by those who begrudge their status in world affairs, they must take national security seriously. Strong security at the price of fear, privacy, and serenity is a joke because the human link will break down. Citizens won’t participate. What we need now is confidence, not fear – and focus, not hype.

This post originally up at Mindjack.com.

References:

Analysis: Cybersecurity plan too drafty, by Scott R. Burnell, UPI Science News, September

Cybersecurity Debate Hits the Road, by Paul Roberts, IDG News Service, October 17, 2002

Department of Homeland Security home page

EFF Analysis Of The Provisions Of The USA PATRIOT Act

National Strategy to Secure Cyberspace, by Bruce Schneier, Cryptogram, October 15, 2002,

Shredding the Paper Tiger of Cyberterrorism, by Richard Forno, SecurityFocus, September 25, 2002

Silicon Valley Technology and Homeland Defense Event, Palo Alto, California, October 10, 2002

USA PATRIOT Act Text