Fatal System Error (34 page)

Read Fatal System Error Online

Authors: Joseph Menn

Tags: #Business & Economics, #General, #Computers, #Security, #Viruses & Malware, #Online Safety & Privacy, #Law, #Computer & Internet, #Social Science, #Criminology

BOOK: Fatal System Error
4.16Mb size Format: txt, pdf, ePub
Peer pressure could help the demand for accountability, possibly setting the stage for new legal requirements. “Embarrassing these guys is the future,” said a longtime Secret Service agent. “There has to be more due diligence from Internet service providers, some verification of information from their customers. We have the technology.”
In some ways, the easiest part of the puzzle is how to best protect the victims, especially once everyone realizes what is possible and what is not. There is no point wasting resources fighting things that the Internet has changed forever. That includes poker. People have shown that they will continue to gamble on the Internet, even if they must entrust their money to obvious crooks operating in shady jurisdictions, and even if they have to transfer money from PayPal to some shadier company and then to an offshore account. At a time when industry after industry is coming to Washington seeking bailout money, the gambling industry could offer billions of dollars in new tax revenue. The market could be closely regulated, protecting players from cheating. And more money would stay in the U.S., increasing employment. Even if the professional sports leagues manage to block legalized sports betting, many American mobsters would have to move from poker companies to a new line of work. In May 2009, U.S. Representative Barney Frank, head of the House Financial Services Committee, introduced a bill to legalize and regulate the market. A Senate equivalent was introduced over the summer, though top poker company executives didn’t expect action before 2010.
Next, consumers need to do a much better job of educating themselves. The people who won’t let their lawns go uncut out of respect for the neighbors need to realize that turning on a home PC without a strong firewall and without an operating system and antivirus software that each update automatically is like leaving a loaded shotgun on the front porch for passersby; it almost guarantees that their computers will be compromised and used for nefarious activities. The population must change what it does online and develop a habit of checking credit reports and guarding personal information more closely on social networks. Another major effort should educate children about safer online practices. If they are going to be taught in public schools how to drive a car, they should most certainly be taught how to operate a computer responsibly. Furthermore, the government should heed the desperate pleas of the National Academy of Sciences for a vast increase in U.S.-funded computer security research.
Poorly designed software carries a great deal of the blame for the disintegration of network security. Commercially, large software buyers, including the federal government, should use their leverage to demand fewer flaws in their goods and greater disclosure when flaws are discovered. They must implement rapid patching procedures. The threat of litigation over poor security must be increased, both against the banks and retailers that hold personal information and against the software producers. As it stands, the latter companies are all but immune from product liability suits. That’s because courts have adopted the technology industry’s argument that software is “licensed,” not sold, so the usual rules regarding shoddy merchandise do not apply. The combination of such a lopsided legal construction and what is in some cases monopoly market power is disastrous for quality. If the courts remain sluggish in allowing lawsuit threats to be consummated, they should be encouraged with new legislation.
A modest step toward establishing minimal standards of responsibility came in 2009 from SANS, the nonprofit security training institute. Working with the National Security Agency, the Department of Homeland Security, and others, SANS published a list of the twenty-five most serious types of programming errors, along with guidelines for how to avoid making them. Just two of the errors were responsible for 1.5 million breaches of websites, many of which in turn infected thousands of site visitors. Some state governments immediately pledged to write into their purchase agreements a requirement that software be certified free of the top twenty-five mistakes. Other big buyers, including the federal government, should follow suit.
Other new laws would certainly help, as long as they are the right ones. The Cyber-Security Enhancement Act of 2008 was a start. Among other things, the law made it a crime to access a computer without permission and remove personal information, and it eliminated a requirement that prosecutors establish $5,000 in damages before charging someone with a computer attack. Mandated national disclosure by companies that lose personal financial information should be enacted as well. So should requirements for encryption of such sensitive data.
Beyond that, banks should demand greater proof of identity before approving transactions and before granting credit to people in the first place. They haven’t to date because they don’t bear the brunt of the fraud: the retailers do, and they have nowhere near the financial industry’s clout in Washington. Both the banks and the merchants that operate online should stop relying on credit and debit card numbers alone, instead making phone calls and taking other steps to confirm customer identities, such as issuing tokens with passwords that automatically change every minute. And banks should be forced to admit the depth of the problem. Hathaway told the CSIS panel that the amount of online fraud had quadrupled in the previous six months. But the public was never told. The banks should be required to separate fraud losses from credit losses on their balance sheets, so investors and others could see what is happening and the banks would have to focus on it.
More important, the executive branch has to get its act together. Starting with the FBI, law enforcement agencies need to learn that they don’t have all the answers and that cooperation is better than secrecy. The Department of Homeland Security needs to follow through on its professed commitment to cybersecurity, encouraging the development of email authentication standards and perhaps an equivalent to verify that websites are actually hosted by the people who claim to be hosting them. The department needs to end the bickering among agencies and spend what it takes to hire talented technology specialists and start catching criminals. It needs to communicate better with the public, with companies, and with Congress. The Defense Department and NSA need to protect federal networks and offer assistance to commercial operators without compromising customer privacy.
This last is no small concern. As the gravity of the threats posed by Internet attackers becomes increasingly stark, pressure is growing for more inspection of traffic before it reaches its destination. Private network operators should continue such efforts to thwart denials of service, but they should disclose what they are doing, and any government involvement must come with oversight. Anything more intrusive, secretive, or uncontrolled puts us on the road to the destruction of Internet privacy, the consequences of which are on view in such places as China and Iran.
THE AREA WITH THE MOST COMPLEXITY—and the greatest short-term potential—lies in the nascent communities of private sleuths like Barrett, the team that identified the suspected author of the SoBig virus, and those tracking the RBN. There should be more of a coordinated movement to save the Net, which should set out credos with the moral force that has driven the development of Linux, the Firefox Web browser, and other open-source projects. Those efforts attracted thousands of volunteer programmers to help develop alternatives to commercial products that were riddled with flaws. Certainly protecting the public is a higher calling still.
Such campaigns could simultaneously aid law enforcement and shame them into action. And they should be opened up as much as possible, allowing more people to contribute their time and expertise. If a loose collection of bloggers could together find fraud in documents about Bush’s military service that misled CBS News, surely the world’s several thousand cybersleuths can identify those behind the code that comprises the greatest engine for mob-driven fraud in the world today.
Joe Stewart, the researcher who fingered the Bagle suspect, thinks dedicated clusters of paid specialists in and out of law enforcement should work together on specific gangs or new types of malware. Like Andy, he thinks that every country should have a Computer Emergency Response Team (CERT) that can order service providers to shut down rogue websites. As of now, South Korea’s CERT is the largest with that authority.
In the longer term, the chances for serious improvement in Internet security depend on an initial hard look at where things are and how they got there. Not only is the system broken, but it was never supposed to be particularly secure in the first place. “We didn’t design the network to defend against these things,” said Vint Cerf, who was co-author of one of the core Internet protocols before chairing ICANN. “My thought at the time, thirty-five years ago, was not to build an ultra-secure system, because I couldn’t even tell if the basic ideas would work.” Cerf, who has a generally upbeat tone about most things, gives the impression that he remains pleasantly surprised that the Internet has continued to function and thrive—even though, as he put it, “We never got to do the production engineering,” the version ready for prime time.
Even after his years on the front line, Barrett found such statements amazing. “It’s incredibly disturbing,” he said. “The engine of the world economy is based on this really cool experiment that is not designed for security, it’s designed for fault-tolerance,” which is a system’s ability to withstand some failures. “You can reduce your risks, but the naughty truth is that the Net is just not a secure place for business or society.”
Cerf listed a dozen things that could be done to make the Internet safer. Among them: encouraging research into “hardware-assisted security mechanisms,” limiting the enormous damage that Web browsers can wreak on operating systems, and hiring more and better trained federal cybercrime agents while pursuing international legal frameworks. But he conceded that those steps wouldn’t constitute a cure. “Multilateral agreements depend on the goodwill of the parties,” Cerf said. “If the parties lack goodwill, one wonders if the situation will become so severe that the benefits of being connected will be sufficiently eroded that the international community will say it’s not worth it to be connected anymore.”
That’s pretty much Cerf’s biggest fear: that networks in America, for example, will stop accepting traffic from Russia or Kazakhstan, the way some companies won’t accept credit cards from fraud-riddled countries. But the truth is that even such an amputation wouldn’t work. If the Russians can continue to shepherd hundreds of thousands of computers inside the U.S., they can fool the networks into thinking they are locals. “There is no light at the end of the tunnel. There isn’t a secret team working in a bunker that knows the answer,” said one top security expert who ought to know, since he’s on a secret team that’s been looking for one.
One possibility, treated with caution by Cerf, by the Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th Presidency, and by virtually everyone else who has studied the idea seriously, is for a mandatory identification system for Internet users. “If everything you did had public scrutiny, we would probably have a safer country,” Cerf said. “On the other hand, you probably wouldn’t want to live in that country.” The CSIS commission called for a government-supported ID that companies would adopt. “You need to have a government-issued ID of some sort that gets you onto critical infrastructures,” said Bruce McConnell, a commission member who went on to join Obama’s Department of Homeland Security. “Without that, I don’t see how we’re going to make real progress.”
Barrett said he found the notion of an Internet ID card “terrifying,” both for privacy reasons and the false sense of security it might engender. The bad guys would still be able to impersonate others, and with a fake Internet ID they would be farther inside the trusted network, able to do more damage.

Other books

Losing My Religion by Lobdell, William
Pleasure Prolonged by Cathryn Fox
0764213512 (R) by Roseanna M. White
Restore My Heart by Cheryl Norman