Cybersecurity

"Network Based Security Is In Our Future" is an outstanding must-read analysis by Tom Tovar, CEO of Nominum.

Please read his full piece, its brief. Let me highlight some excellent points he made:

"All our information is being sucked into the cloud. Privacy is over." That was the bold declaration of Attorney Steve Masur at DCIA's P2P Media Summit per Washington Internet Daily.

• Wow. As stark an assessment that that is, what really disturbs me is the thought process and tech ethic that underlies this view.
• Mr. Masur is not alone, he is part of a growing publicacy mentality/movement that looks at privacy as:
  • A neandrethal expectation in the Internet Age,
  • Buzz-kill for Internet innovators, and
  • Road-kill for the cloud-computing bus speeding down the information super-highway.

My pushback here is the blind worship of technology or tech-determinism.

• I define tech-determinism to be:
  • if technology or innovation can do it, it must be good; and
  • if something stands in the way of technology and innovation, like privacy, it is in the way and should be terminated. 

Did it ever occur to the tech determinists that if there is no privacy in the cloud, many won't go there?

• Most users appreciate that technology should work for them, they don't work for technology.

Privacy isn't over. 

New evidence continues to spotlight the Open Internet's growing security problem. 

• The growing catalogue of evidence from mainstream sources is getting harder and harder to ignore. See previous parts of the series:  I, II, III, IV, V, VI, VII & VIII.

"Internet security threat report finds malicious activity continues to grow at a record pace -- Web based attacks evolve as hackers target end-user information; Underground economy continues to thrive." Symantec

High profile Internet security/safety/privacy problems continue to spotlight the Open Internet's growing security problem.

"Computer hacking attacks soar as gangs focus on financial data" -- FT

• "Computer hackers stole more sensitive records last year than in the previous four combined, with ATM cards and Pin information growing in popularity as targets, according to a study..."

"Computer Attackers target popular sites in quest for profit" IBD

• Symantec...  "found new varieties of malware rose 265% last year vs. 2007."
• "This is about fraud and theft — I don't think there's any doubt in anyone's mind," said Dean Turner, director of Symantec's global intelligence network unit. "Where this is headed is not good for anybody."

"Computer Spies Breach Fighter Jet Project" WSJ

• "...He spoke of his concerns about the vulnerability of U.S. air traffic control systems to cyber infiltration, adding "our networks are being mapped." He went on to warn of a potential situation where "a fighter pilot can't trust his radar."

"New Military Comand to Focus on Cybersecurity" WSJ

Why is one of the most-serious identified internet/cybersecurity risks currently affecting the Internet and network operators not on the FCC's radar screen?

• More specifically, why does a search of the FCC's website for the term "conficker" return zero results? (see below)

A Google search on "conficker"returned 4.86 million results.

The open Internet's inherent vulnerability to bad actors made the front page of the Wall Street Journal today in an important-to-read article: "Electricity Grid in U.S. Penetrated by Spies." 

Now we better can much better appreciate why Senate Commerce Committee Chairman Rockefeller is so concerned about cybersecurity and committed to making protection of the Nation's critical cybrastructure a much more urgent priority for the Internet.

The WSJ article hit the core internet problem on the head in the article -- its a lack of accountability:

• "It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace."

This problem in this article spotlights why cybersecurity and online safety are very real and pressing problems on the Internet today. It is surprising and alarming why there is not as much public focus on the very real problems of the Internet as there is on potential unproven Internet problems.

Part V

Wow. Daily Internet traffic in Sweden immediately fell more than 40% after a new Swedish law went into force cracking down on illegal file-sharing. The new law obligates ISPs to to report the IP-addresses of suspected copyright violators to copyright owners.

• Per an AP story: "Statistics from the Netnod Internet Exchange, an organization measuring Internet traffic, suggest that daily online activity dropped more than 40 percent after the law took effect on Wednesday. Henrik Ponten of the Swedish Anti-Piracy Bureau welcomed the plunge in Internet traffic as a sign that file-swappers are reducing their activity for fear of getting caught. "There's no other explanation for it," he said."

Seldom is there such glaring evidence of direct cause and effect between a policy-change and behavior-change on the Internet. To the extent that this initial effect is lasting and proves applicable to other nation's circumstances, what can we learn from this Swedish precursor/example?

Lesson 1: It proves people act more responsibly on the Internet when there is an increased liklihood of getting caught and prosecuted for illegal behavior. More accountability equals more deterrence.  

Lesson 2: It may turn out to be much cheaper and more effective for the U.S. to simply enforce copyright law than to continue overbuilding bandwidth capacity in order to keep pace with the near bottomless bandwidth appetites of the very small minority of users that are serious illegal file-sharers.

My point here is not at all anti-innovation, but simply that all innovation is not good, because innovation is a means not an end. People can innovate for both good, and bad, purposes. 

• Cyber-criminals, hackers, predators, terrorists and other malfactors, constantly innovate on the open Internet with malware, viruses, spam, botnets, p2p piracy and phishing, denial of service attacks, etc.
• Cyber-security experts marvel at the innovation and ingenuity of these multiplying malfactors.    

My big point here is that the push for the Government to maximize innovation by mandating an "open Internet" is a knife that can cut both ways. Just like an open Internet enables well-intentioned innovators, it also can enable innovative cyber-crooks and bad actors. 

Anything good can become bad or a problem, if it is taken to excess.

Evidence continues to mount that the real problem on the Internet is that it is not as safe and secure as it needs to be -- not that it is not open enough. (Parts: I, II, III, IV) 

"Cyber Security: The Achilles Heel of U.S. Might?" Washington Post

• "...the fact that the nation's cyber vulnerabilities continue to grow, and fast."
• "Both the high-profile attacks and more routine infiltrations have shed light on the vulnerability of critical information infrastructures. For example, the Defense Science Board noted that the U.S. military's information infrastructure is the "Achilles' heel of our otherwise overwhelming military might."

"Smart Grid May be Vulnerable to Hackers" CNN

• "A hacker also might be able to dramatically increase or decrease the demand for power, disrupting the load balance on the local power grid and causing a blackout. These experts said such a localized power outage would cascade to other parts of the grid, expanding the blackout."

'Website-infecting SQL injection hitting 450,000 a day" USA Today

Free Press in its latest report: "Deep Packet Inspection: The end of the Internet as we know it?" continues to mischaracterize "reasonable network management" practices (that ensure quality of service and filter out harmful traffic like spam, viruses, and other malware) as bad practices and misuse of technology that threatens users' privacy and freedom of speech.   

It is inaccurate and unfair to mischaracterize reasonable network management this way.

The Free Press report uses a common analogy about "deep packet inspection" (DPI) technology. It analogizes that use of DPI technology by an ISP would be like the post office going beyond reading the address of a letter and looking inside the letter to read the private contents.

• This partial analogy is designed to lead people to believe that DPI is only a privacy-invading technology without any merit or useful function. 

Let's explore the letter and post office analogy more fairly and accurately.