Vulerabilities - What's Needed To Secure Cyberspace? | Cyber War! | FRONTLINE

FRONTLINE




	Does the U.S. need a regulatory mechanism to get people to pay attention to cyber security? Would liability laws help? More encryption technology? Or a more robust government/private-sector partnership? Here are views on the measures needed and the challenges involved in improving cyber security, drawn from FRONTLINE's interviews with Amit Yoran of Symantec; James Lewis of the Center for Strategic and International Studies; John Arquilla of the Naval Postgraduate School; John Hamre, former deputy secretary of defense; Michael Skroch of Sandia National Laboratories; O. Sami Saydjari of Cyber Defense Agency; Scott Charney, chief security strategist at Microsoft; and Richard Clarke, former White House adviser on cyberspace security.

Vice President, Managed Security Services Operations, Symantec Corp.

How do we live, and how do we design [security] solutions which work successfully in an environment that has a large number of potentially unknown vulnerabilities?

It's through a number of things, like anomaly-based intrusion detection systems. We can find attacks that we don't even know exist, things like integrated security. Simplifying how easy it is to manage and monitor your security infrastructure today requires far too much expertise. It needs to be simplified, and it needs to be something that organizations can do more effectively. ...

I think that the emphasis for better security really comes from creating a culture. It's not a technical solution. I believe creating a culture where security is a requirement to do business would probably do more for us than any one piece of technology innovation. If we create the culture and the environment where security weaknesses will not be tolerated, and it's top-down driven, and it's supported, it will be supported from the bottom up. And we will be more successful.

Center for Strategic and International Studies

The issue that you need to confront is how much you're going to regulate the private sector. And there's a reluctance, certainly with this administration, but even with the previous one, to regulate the Internet. They aren't sure how to do it. People are always telling them it won't work.

But we need to think about some sort of regulatory mechanism to get people to pay more attention to cyber security. This doesn't have to be the big, heavy FCC-style regulation. It could be more like some of the things, perhaps, that were done in Y2K or some of the other alleged cyber menaces. ...

Naval Postgraduate School

Why aren't we more encrypted? I think there are several answers to that question. The first is that being more secure has an efficiency cost that goes with it. Your machine will be slower. Lord knows, everybody wants a fast machine. So in a business sense, it's probably seen as making you less competitive to have to create more secure systems. With that said, it was very heartening to see Microsoft stand down for a month a year ago, and say, "We're going to start thinking about security." That was a good thing.

Something else that has slowed the spread of strong encryption is the institutional resistance of our government. They have fought a rearguard action even after laws have been repealed that prevented the spread of strong encryption. And this rearguard action is simply in the form of not telling people to go get encrypted, and, to some extent, also in trying to maintain export controls, strong crypto products. This is simply because law enforcement and intelligence feel that they will be constrained if they can't read everybody's mail or e-mail.

Finally, I think that we don't have more encryption because it is a complicated issue. The average computer user wants to boot up, and be online, and doing what they're doing. And I think various research samples have shown that even when people try to encrypt, they don't implement it correctly about half the time. So it would take a really sustained effort to get people to practice real, safe, cyber surfing practices. And, so, for those combination of reasons, we're under-encrypted right now. ...

[The National Strategy to Secure Cyberspace] is out. Some people say it's not enough, that partnership with the private sector itself does not do it, does not cut it, that, in fact, this is a major failure of governance.

I think we have suffered something of a failure of governance in terms of moving toward good information security in this country. Part of it is the institutional resistance of the private sector and the government to work closely together on things that are sometimes apparently inimical to each other's interests -- undue intrusions in the private sector and the marketing of very sensitive systems by companies, private companies out there that the government perhaps doesn't want to see out there, which is why we have still export controls on supercomputers and some forms of encryption.

So there are some tensions there. But I think the greatest failure is in the lack of recognition, both in the private sector and in the government on the profound benefits that would come with strong encryption for all. This is the message the American people simply are not hearing. And the release of some legal constraints is a far cry from using the bully pulpit of government to encourage everyone to be properly protective.

Why shouldn't the government just go in and say, "Listen, the Internet is integral to our national security, and we're taking it over?" ...

One possible solution for the government would be to assert central control in an effort to solve the problem. I think this might actually impede the process of securing this because of the resistance it would generate. And I also think it would choke off all the wonderful ideas coming out of the private sector and into government.

I think the most serious problem in terms of getting the private sector, particularly the software developers, on board to a good security regime is that it will cost something on the bottom line. It will reduce profits, at least in the short run. And the answer to that may be that the first software designer to really build in good efficiency with great security, in the long run is going to generate enormous economic benefits. ...

Deputy Secretary of Defense (1997-1999)

I think that we've approached it by calling it cyber warfare, and frankly, that's turned off the bulk of the American business community, because they don't see it as warfare. To them, warfare is about dropping bombs, and they say, "That's your problem. That's you, the government. I don't do warfare. I'm no involved with this."

So our whole rhetoric of cyber warfare, I think, is counter-productive to getting the private sector to do what we want them to do, which is to improve cyber security in their operations. I think we'd be a lot better off to talk about continuity of operations, continuity of business operations, reliability of service. "You are going to lose money, CEO, if your computer system goes down and you miss two days' worth of sales." That has more resonance to the businessman than does rhetoric about cyber warfare. ...

So what's the government's role in all of this, then?

Well, you know, there are some classes of problem where you can define the problem but you can't ever solve it, [for example] adultery. We know it's wrong, and lecture against it, and you're never stopping. Murder -- I hate to say it -- it's illegal, you know, we execute people that do it, but murders keep happening. And I actually think cyber security falls into this category. We know it's wrong, we know it's disruptive, we know it can be destructive, and yet it's just a problem that you're never going to be stopping.

So I think what the government should be doing is stigmatizing cyber disruption. It is wrong; it's criminal activity. We need to stigmatize people that do this. We need to have in place a legal framework so that we can pursue legal recourse against people that do it. We need to prosecute anybody we can catch. ...

I think that's what the ultimate strategy is going to have to be, because I think a strategy that presumes we can force the people that own the infrastructure to do things that they don't see a need to do is doomed to failure.

The [National Strategy to Secure Cyberspace] that just got released last week, are you pretty much on board with the direction they're taking?

Well, I think it reflects the kind of inevitable balance the government has to take. You know, there is not a will to seize cyberspace, nationalize it and force the private sector to do it the way we want to do it. There's no will in the country to do that. Nobody thinks that's the right answer. ...

[What is] your opinion of the [notion] that this is a weapon of mass destruction, this is something the government has got to grab hold of?

I spend hours a day worrying about biological warfare. I spend hours a day worrying about nuclear warfare. I do not spend minutes a day worrying about cyber warfare as a means of mass destruction. I mean in the scale of things you want your government to worry about that can really cause existential threats to society, biological warfare and nuclear warfare are far, far bigger than cyber warfare.

Sandia National Laboratories

I think that all vendors that provide information technology should consider security in their design. This is really a change that's required.

I think the reason why industry hasn't included security in operating systems and communication equipment is that there's no bottom line. It doesn't add to their bottom line in sales, and therefore they're not going to look at security. This is only starting to change recently.

But this it the national security of the United States we're talking about. Isn't that a concern?

I think that industry doesn't consider national security because it's not their job. National security is the job of the United States government. And so we have the disconnect between the industry that's trying to serve a product and the United States that's trying to serve national security. And we've seen recently a merging of these. The communication is very encouraging. And I think that that'll have a lot of positive results. ...

President, Cyber Defense Agency

I think there is a failure to act [on security] for several reasons. One is there isn't a clear person in charge in Washington for this problem. Dick Clarke's position was one of an adviser to the president. He really didn't have authority to work this problem. This problem has people who have pieces of it across Washington. Twenty or so other different organizations and government agencies already have some stake in this, which makes it, in some sense, worse because they all fight over who ought to do this, or in pieces that they don't want to do. So nobody is in charge, I think, is the first problem.

The second problem is the resource level to solve this problem is large, and there isn't a willingness to step up to the resource level and the kinds of things we have to do, which may slow the economy down somewhat. It may be somewhat painful for us to do some of these activities, like regulation. So these are all hard pills to swallow, and I think that there is a belief within the government that the U.S. citizens wouldn't want to buy that, wouldn't want to do that. But I think part of the education process here is as people understand it, they not only will want to do it, but they'll demand that it be done. ...

I think there's also worry in Washington that to solve this problem might require us to develop sensor systems that might impede on privacy, and they feel that the citizens won't want that. The belief for the scientists in the community is that we, in fact, can develop these systems while being sensitive to privacy. ...

Chief Security Strategist, Microsoft Corp.

The private sector clearly has to partner with government to protect the Internet. ...

The really interesting point, though, is what we've essentially done is delegated public safety and national security to market forces. And, in fact, markets are not designed to do that. It is true that markets will provide a level of security, but it may not provide enough security to protect against low probability, but potentially very damaging threats.

And so what industry and government now have to do is to figure out how much security you'll get through the marketplace, figure how much security we need to protect public safety and national security, and the government and industry have to work together to bridge the gap. ...

The product liability question is actually a very difficult one. People tend to think well, we should just impose liability for software that has some sort of vulnerability. The reason it's so difficult is: What does that regulation or liability look like? And can you deploy it fairly?

So, first of all, it would be completely inappropriate to say you should have liability if there's any bug in software, because that's beyond any reasonable standard. But, also in terms of fairness, there's a huge difference between the software industry, for example, and other industries with liability, like the automobile industry. There is no group of automobile manufacturers who give away cars for free. There is no open source of automobile movement. There is, by contrast, an open source software community.

So, if you were going to impose liability on the software industry, how do you do it in a fair way, or are you only going to impose liabilities on companies that actually pay a lot of taxes and create a lot of jobs?

The other interesting thing is that if you impose liability, you have to ask if that's a cost-effective way to get where you want to go. Because when companies start paying liability claims and legal fees and everything that comes with it, where does that money come from? Well, you can raise the cost of the product, but that might be counterproductive. Because one of the great things about software is how the price has been driven down so it can be available to everyone.

Presidential Adviser for Cyberspace Security (2001-2003)

It is both a problem and a blessing that there are no liability laws on software. It's a problem because it means that there's been very little incentive for software companies to get it right. It's a blessing because, frankly, given the low quality of software these days, the software industry would end up looking like the asbestos industry. You know, the asbestos industry has been sued out of existence in liability courts. And frankly that would happen in software if there were a legal basis for suing software companies. ...

The government cannot alone defend this country. It has to be defended by the owners and operators of the information technology companies and has to be defended at your house and your office by what you do to defend cyberspace. ... I have never been in favor of federal regulation for cyber security. I think regulation creates a lowest common denominator approach, creates a homogeneous security environment, which is easy to attack, and politicizes the issue.

What we really want is not the government dictating to the private sector, as though the government knew better, because it doesn't. What we really want is cooperation. That's, I think, something we can achieve. But, if in the end we don't achieve it at an adequate level, we may be forced to go to some regulation. But, that would be an admission of failure that we had failed to get the cooperation of the private sector. ...

It's in the industry's best interest to get the job done right before something happens. Because after something happens, and our economy has been really badly hurt, there will be regulation.

home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
tapes & transcripts : press reaction : credits : privacy policy
FRONTLINE : wgbh : pbsi

published apr. 24, 2003

SUPPORT PROVIDED BY