Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


   Pondering Cybersecurity in the Real World

   Jeff Porten

   About five minutes into U.S. Secretary of Homeland Security Janet
   Napolitano's speech to a large banquet hall full of security
   professionals, watching her over the plated tiramisu I was socially
   restrained from eating, I was struck by the mental image of 2,000
   Dobermans sitting patiently in rows, each with a doggie treat balanced
   on its nose.

   The speech was long and unilluminating, and the tiramisu tasted like it
   came out of the world's largest Sara Lee box, but even bad tiramisu is
   better than no tiramisu.

   Napolitano was addressing the combined conventions of [1]ASIS and
   [2]ISC2, which aren't officially acronyms, but which focus on
   generalized security issues and information security respectively. My
   press pass admits me to a dizzying and somewhat chilling [3]range of
   talks and panel discussions; for example, one afternoon's 'Security in
   the Cloud' was counter-programmed against 'Analyzing Verbal Statements'
   and 'Mass Homicides in the Workplace.'

   I'll freely admit: it's odd to be at this conference. On the one hand,
   any number of private companies and governmental organizations have
   serious security concerns, and you would expect (and want)
   professionals in the industry to band together to share best practices
   or take certification programs. On the other hand, the category list of
   the exhibit floor reads like the signs at the Post-9/11 World
   OfficeDepot: Access Control, Biometrics, Blast Mitigation, Bullet
   Resistant Systems, Citywide CCTV, and so on. Browsing through the
   catalog, I found a full-page ad encouraging exhibitors to advertise in
   two security trade periodicals in India, 'a US$1 billion... huge
   opportunity.' This is why I'm opening with coverage of how the security
   industry talks to itself, with the impressions I got from Napolitano's
   speech.

   By way of introduction, suppose you asked a Mac expert, 'Hey, how safe
   is my hard drive?' Almost all of us will say, 'Extremely reliable,'
   especially if we've been around long enough to remember Jaz cartridges,
   floppy disks, or even punch cards. But we experts will all immediately
   add, 'but be sure to back up regularly, preferably in several different
   ways.' That's because the expert is considering everything ranging from
   hardware crashes and firmware malfunctions to theft and fires.

   A file on a hard drive or SSD can be rendered unreadable by a cosmic
   ray from outer space. [4]Yes, really (PDF). When dealing with that kind
   of problem, security experts develop a healthy sense of paranoia, and
   that's what you pay them for, so you can take just the sensible
   precautions and get on with your life.

   Now ramp that up so instead of dealing specifically with computer
   security, you're approaching all kinds of security threats, including
   small arms and large conventional explosives. It's natural to want to
   have experts in society whose job it is to protect against these
   attacks, and to have well-informed laypeople know what to do in the
   event of trouble. But at the same time, it's smart to be aware of
   whether assessing everyone as a potential threat can lead to the sort
   of professional paranoia that computer experts have about cosmic rays
   and electromagnetic fields.

   This brings me to Napolitano's speech. I'm on record criticizing
   political speeches to expert communities (see '[5]CFP 2011: Shine On,
   You Crazy Senator!,' 16 June 2011), and here I was disappointed by more
   of the same: congratulating the audience on being themselves, without
   discussing the topic at an expert level. Public-private partnerships
   are crucial to the nation's security, and the assembled experts in the
   room are an important part of that. The DHS is working with private
   companies and nonprofit organizations to protect national
   infrastructure and promote cybersecurity. US-CERT, the DHS United
   States Computer Emergency Readiness Team, responded to over 100,000
   incidents last year and issued over 5,000 alerts.

   Napolitano opened her speech by calling cybersecurity 'one of the most'
   important issues facing the nation, but closed in a less-qualified way,
   saying (I'm forced to paraphrase here) that these virtual attacks are
   the biggest threat we face. As I see it, there are three ways we can
   respond to such a statement:

   First, we can be very scared by this (surely our biggest threat must
   be countered by the public and private groups who protect us), and we
   can invest large amounts of time, money, and resources into protection.

   I'm not going to argue against this, but at the same time, some
   problems shouldn't be solved with billion-dollar hardware. The best
   encryption in the world won't help you when [6]you don't bother to use
   it at all. Critical infrastructure attacks over the Internet [7]are up
   17-fold, to which one might justly reply, 'Wait, why exactly is a
   power grid control system connected to the Internet at all, rather than
   being isolated on a private network?'

   More to the point, without some details about the 160 attacks on
   'critical infrastructure' in 2011, it's impossible to evaluate whether
   the solution is stronger hardware, better training, or advanced
   deep-breathing relaxation techniques. Some Internet attacks are the
   equivalent of knocking on a door and trying the handle to see if it's
   unlocked. These might be targeted against millions of computers in
   numeric sequence, and happen to include 'critical infrastructure' only
   by accident.

   Or an attack could be directed at specific targets with dozens of
   distributed expert criminals trying to crack into a particular control
   system. That's a different kettle of 'phish.' I think Napolitano's
   subtext is to say that US-CERT's 100,000 incidents are in this category,
   and we should all be very, very worried. But the track record of
   several administrations is to lump both meaningless and terrifying
   attacks together into the biggest possible number, which leaves me
   skeptical of sweeping statements about the risks we actually face.
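   The distinction drawn above, between a sweep that walks addresses in
   numeric order and a deliberate probe of one control system, is exactly
   the split that a raw incident count hides. The following script is an
   added example, not part of the original article or of any DHS or
   US-CERT tooling: it takes firewall deny records in a hypothetical
   one-line format, profiles each source address, and labels it as a
   sweep, a targeted probe, or noise, then reports how many hits on a
   designated critical host came from each category. The log lines, the
   address ranges, and the thresholds in classify() are all constructed
   for illustration.

```python
"""Split constructed firewall DENY lines into opportunistic sweeps and
targeted probing of a single host.  Added example; hypothetical log format."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log (not real data).  203.0.113.5 plays the role of a
# control-system host; the other 203.0.113.x addresses are ordinary servers.
SAMPLE_LOG = """\
2012-09-11T02:00:01 DENY 198.51.100.7:40001 -> 203.0.113.1:22
2012-09-11T02:00:01 DENY 198.51.100.7:40002 -> 203.0.113.2:22
2012-09-11T02:00:02 DENY 198.51.100.7:40003 -> 203.0.113.3:22
2012-09-11T02:00:02 DENY 198.51.100.7:40004 -> 203.0.113.4:22
2012-09-11T02:00:03 DENY 198.51.100.7:40005 -> 203.0.113.5:22
2012-09-11T02:00:03 DENY 198.51.100.7:40006 -> 203.0.113.6:22
2012-09-11T02:00:04 DENY 198.51.100.7:40007 -> 203.0.113.7:22
2012-09-11T02:00:04 DENY 198.51.100.7:40008 -> 203.0.113.8:22
2012-09-11T03:12:10 DENY 192.0.2.44:51000 -> 203.0.113.5:502
2012-09-11T03:12:41 DENY 192.0.2.44:51001 -> 203.0.113.5:502
2012-09-11T03:13:05 DENY 192.0.2.44:51002 -> 203.0.113.5:102
2012-09-11T03:14:22 DENY 192.0.2.44:51003 -> 203.0.113.5:20000
2012-09-11T03:15:48 DENY 192.0.2.44:51004 -> 203.0.113.5:44818
2012-09-11T03:17:30 DENY 192.0.2.44:51005 -> 203.0.113.5:22
2012-09-11T04:00:00 DENY 192.0.2.99:60000 -> 203.0.113.9:443
"""

# Hypothetical format: "<timestamp> DENY <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (src, dst, dport) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])


def profile_sources(log_text):
    """Per source IP: distinct destinations, distinct destination ports, attempts."""
    profiles = defaultdict(lambda: {"dsts": set(), "ports": set(), "attempts": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate lines in another format instead of crashing
        src, dst, dport = parsed
        p = profiles[src]
        p["dsts"].add(dst)
        p["ports"].add(dport)
        p["attempts"] += 1
    return profiles


def is_sequential(dsts, min_consecutive_ratio=0.75):
    """True if most destination addresses follow one another numerically."""
    nums = sorted(int(ip_address(d)) for d in dsts)
    if len(nums) < 2:
        return False
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1) >= min_consecutive_ratio


def classify(p):
    """'sweep': many hosts, one or two ports, walked in address order.
    'targeted': a single host hit repeatedly or on several services.
    Anything else is 'noise'.  Thresholds are illustrative, not tuned."""
    if len(p["dsts"]) >= 4 and len(p["ports"]) <= 2 and is_sequential(p["dsts"]):
        return "sweep"
    if len(p["dsts"]) == 1 and (p["attempts"] >= 3 or len(p["ports"]) >= 3):
        return "targeted"
    return "noise"


def triage(log_text, critical_hosts):
    """Group sources by category and count, per critical host, how many
    attempts came from sweeps, targeted sources, and noise."""
    profiles = profile_sources(log_text)
    category = {src: classify(p) for src, p in profiles.items()}
    result = {"sweep": [], "targeted": [], "noise": [],
              "critical_hits": {h: {"sweep": 0, "targeted": 0, "noise": 0}
                                for h in critical_hosts}}
    for src in sorted(category):
        result[category[src]].append(src)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _ = parsed
        if dst in result["critical_hits"]:
            result["critical_hits"][dst][category[src]] += 1
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, {"203.0.113.5"})
    for cat in ("sweep", "targeted", "noise"):
        print(f"{cat:9s} {summary[cat]}")
    print("hits on 203.0.113.5:", summary["critical_hits"]["203.0.113.5"])
```

   On the constructed data the control-system host is touched once by the
   sequential sweep, which reached it only because its address sits in the
   range being walked, and six times by the source that probed several
   industrial-protocol ports on that one host. Counting both as "attacks
   on critical infrastructure" gives seven; separating them is what makes
   the number evaluable.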

   Second, we can give some thought to what private resources we need to
   increase, and whether it's a weakness in our national security that the
   general population isn't educated on these issues. Napolitano cited the
   'If You See Something, Say Something' program, which has alerted the
   public to report suspicious behaviors to the police, [8]without
   providing much training on what an expert would deem suspicious.
   Anecdotally, I've seen a large bag left unattended by a passenger for
   over 20 minutes in front of one of those 'Say Something' videos on an
   endless loop at a major train station, and had a dispiriting
   interaction with that Amtrak police force at that same station when my
   own bag was stolen a few months later.

   Not to put too fine a point on it, but when [9]half of your neighbors
   think bad weather can affect their iCloud, there's also some basic
   education necessary before we can secure the millions of computers
   being used for crucial everyday activities. Most of the increased
   security we're enjoying today comes from the simple design decision to
   make higher security the default in new operating systems; likewise,
   websites that send session cookies over unencrypted HTTP on a shared
   Wi-Fi network [10]leave many people vulnerable. Few people are aware
   that anything they send or receive over their corporate email system is
   generally the employer's to monitor and retain, and can be read by the
   IT department pretty much whenever, even if the corporate encryption
   strategy protects against outsiders.

   Personally, I'm more encouraged by security that stems from widely
   disseminated education. We can (and should) spend the next 20 years
   improving our anti-spam methods to near-perfection, but if you know
   basic English business grammar, then you can spot today when that email
   purporting to be from PayPal wasn't actually written by someone at
   PayPal.

   Third and finally, there's one major response we can have to 'our
   biggest threat is cybersecurity,' and that is wild cheering.

   I rarely make friends by saying this, but the biggest revelation I had
   after 9/11 was just how powerful and safe people in Western nations
   actually are. The most significant attack on the United States since
   Pearl Harbor was emotionally devastating, but we got through it, and we
   were back to some semblance of normal far faster than many people would
   have predicted. All of our societal changes to the new post-9/11 normal
   were of our own choosing, and it's past time we had a more complete
   and open debate about which of these actually make us safer.

   I grew up during the end of the Cold War, and learned military
   strategies involving nuclear weapons that would cause deaths in the
   tens or hundreds of millions. America has faced non-nuclear existential
   threats in at least three wars. Compared to the experience that most
   adults over 40 have lived through, or what a sixth-grader should know
   about history, terrorism doesn't come close as a danger to who we are
   or what we value. Contrast that with the daily experience of many
   people in the rest of the world; as an Argentinean friend once told me,
   'I can always tell who's American when I travel; they're the ones who
   will walk up to a police officer to ask for directions.'

   If the biggest threats we face are to our data, then we should take a
   moment to enjoy the security of our persons. Certainly, when the way we
   use data affects our physical security (whether we're talking about the
   power grid or air traffic control), that's a problem we need to fix,
   but let's focus on whether that lack of security is caused by
   incompetent or inattentive management before we blindly hand more money
   to the managers.

   [11]Quoting Bruce Schneier: 'More people are killed every year by pigs
   than by sharks, which shows you how good we are at evaluating risk.'
   The same applies when our worst fears are Internet-based and
   Internet-restricted. Let's pay the experts to be paranoid on our
   behalf, so we can live differently.

References

   1. http://www.asisonline.org/
   2. https://www.isc2.org/
   3. http://www.asis2012.org/conference-program/Pages/
   4. http://www.ewh.ieee.org/r6/scv/rl/articles/ser-050323-talk-ref.pdf
   5. http://tidbits.com/article/12261
   6. http://www.wired.com/dangerroom/2009/12/insurgents-intercept-drone-video-in-king-sized-security-breach/
   7. http://www.huffingtonpost.com/2012/07/26/cyber-attacks-us-infrastructure_n_1708051.html
   8. http://www.aclu.org/spy-files/more-about-suspicious-activity-reporting
   9. http://www.cnet.com.au/51-of-americans-believe-storms-affect-cloud-computing-339341445.htm
  10. http://en.wikipedia.org/wiki/Firesheep
  11. https://en.wikiquote.org/wiki/Bruce_Schneier