This guest post is written by Matt Rutherford, Web Strategist and technology producer for Charlie Rose. Matt focuses on the macro themes affecting the internet and the wider world. You can read Matt’s previous guest post, Larry Lessig Defends Copyright, Loves Charlie Rose Remixes, here.
Who protects the internet? In part, it’s this man – General Kevin Chilton, US STRATCOM commander and the head of all military cyber warfare. We’re broadcasting an interview tonight with General Chilton, in which he discusses the threat of cyber warfare, along with his other remits of space warfare and the US nuclear deterrent. Chilton is fascinating, and amongst other things has been a NASA space shuttle pilot, logging over 700 hours in space. You can watch the full interview here (and it is embedded below).
The discussion with General Chilton brings to light a crucial question, however. Is the internet actually protected? The military remit is to defend the .mil networks, prevent online espionage, and develop offensive strike capabilities. But who’s protecting the rest? Given its integration with every aspect of our lives and economy, it’s surprising just how little we know about who defends our electronic nervous system.
The Threat
There’s copious discussion about exactly how vulnerable the US is to online attack. The alleged Russian DoS attacks on Estonia in 2007, and on Georgia this summer, highlighted the potential damage of state-sponsored attacks. China has also been developing cyber warfare capabilities for some time, mounting online intelligence operations against Taiwan, and almost certainly against the US. The Chinese military has openly stated that it plans to be able to win an “informationized war” by the middle of this century. Russia, Israel and Romania are also alleged to have high-level cyber warfare capabilities.
This developing threat from state actors led Sami Saydjari, CEO of Cyber Defense LLC, to testify (pdf) to the US House Committee of Homeland Security in 2007, saying: “The US is vulnerable to a strategically crippling cyber attack from nation-state-class adversaries.” Such an attack has the potential to turn the US “from being a superpower to a third-world nation practically overnight.”
I should point out that many have disputed the apocalyptic nature of Saydjari’s statement. Kevin Mitnick, the reformed hacker, noted in a recent phone call:
“Could we face a mass DOS attack, as in Georgia and Estonia? I don’t think so. I think it would be more of a surveillance operation to get intelligence. Technically you could have a mass attack against the thirteen root nameservers around the world. But as for cyber war, I don’t think we’re at that point yet, I think it’s over-stated.”
Regardless of the impact of an offensive cyber attack, everyone appears to agree on the insidious danger from online intelligence gathering. Former counter-terrorism chief Richard Clarke eloquently summarized this in Foreign Policy recently:
“People tend to think about attacks that change things—turn off power grids, or whatever. And while that’s possible, what is happening every day is quite devastating, even though it doesn’t have a kinetic impact and there are no body bags. What’s happening every day is that all of our information is being stolen. So, we pay billions of dollars for research and development, both in the government and the private sector, for engineering, for pharmaceuticals, for bioengineering, genetic stuff… and all that information gets stolen for one one-thousandth of the cost that it took to develop it.”
Who protects us?
The problem is that it isn’t clear who has the remit for comprehensive defense of the internet. The US military and intelligence agencies defend government networks and track targets online, both domestically and abroad. A new Bush-ordained funding boost in January this year will help them become more coordinated. However, as Richard Clarke goes on to note, “the problem is that much of what we need to protect is not in the U.S. government; it’s in our private companies and our private networks”.
The Department of Homeland Security’s National Cyber Security Division operates various public-private initiatives, such as the rather prosaic National Cyber Security Awareness Month. But beyond this, the general response appears highly fragmented with little grand oversight or public-private coordination. I emailed Jonathan Zittrain to ask his opinion on ‘who protects the internet’. He replied:
“Basically no one. At most, a number of loose confederations of computer scientists and engineers who seek to devise better protocols and practices — unincorporated groups like the Internet Engineering Task Force and the North American Network Operators Group. But the fact remains that no one really owns security online, which leads to gated communities with firewalls — a highly unreliable and wasteful way to try to assure security.”
Hackers to the rescue?
When Obama appoints a White House CTO, there will at least be an official figurehead in charge of this matter. Proposed candidates for the role currently include Eric Schmidt, Steve Ballmer, Jeff Bezos and Julius Genachowski from IAC.
However, perhaps the future of internet security really lies in the hands of the community. Indeed, Jonathan Zittrain talked about ‘good hackers’ on our show in May, and he argues the importance of community policing in The Future of the Internet. The last few years of the internet have been about empowering the masses, and removing intermediary apparatus – so why not leverage the community to defend its cyber territory? Indeed, this is already happening, to a certain extent. Just look at Dan Kaminsky, a computer consultant who discovered a fundamental flaw in DNS, allowing him control over any website online. This flaw was astounding in what it gave access to – yet Dan Kaminsky didn’t turn to a government agency or organization, or abuse the hack himself. Instead he made a phone call to Paul Vixie, one of the creators of the BIND9 DNS routing software, and they assembled a team of civilians and private companies to resolve this apocalyptic vulnerability.
It will be interesting to see what happens from here. And whilst it’s certainly entertaining to envision vigilante hackers and rag-tag groups of high school kids overcoming nation states, I think there are more serious matters at stake. The way that the internet community reacts and operates with state apparatus in defending against cyber threats will be a crucial indicator of our future society. How reliant are we on the nation-state to protect us? Will it ever be possible for internet communities to erode the relevance of the nation state? Or will the internet turn out to be just as Hobbesian as the real world has been?
Charlie Rose’s discussions with General Kevin Chilton and Jonathan Zittrain are available at our website, charlierose.com. Matt Rutherford can be reached at matt@charlierose.com.











who is going to save us from Loren Feldman?
Anticybersquatting Consumer Protection Act
http://delicious.com/simonstud.....rsquatting
this will be interesting to sit and watch. thanks!
There were rumors that Obama might appoint Bill Joy as the CTO. That should be interesting.
–
New Site For College Students: http://www.inkampus.com
Or the secretary of the Internet: http://xkcd.org/494/
this should be interesting..imho, the story of Dan Kaminsky gives a good glimpse into what can be accomplished by the public
Waiting for Google Law for internet
Technically it is my brethren that protect the internet - we network admins
And I notice the total lack of coverage over the biggest threat to the civilian portion of the internet - the abuses of DPI in the name of “protecting the children” (EU, China and Australia to name a few) and in the name of more money (Phorm and NebuAd).
And the worst thing is that network admins are allowing this to happen! If I were told to install that crap on any network I run I’d either sabotage it or I would post all the info I could about it onto wikileaks - no-one threatens free speech on my watch!
That may be so, alphaxion (if that is indeed your real name) - but if this were my view I wouldn’t post about it. Especially linking a dyndns url.
Although, iPiMP looks interesting, thanks for the link
dyndns url or not, a government can demand the info from either your ASP or ISP if it sees fit. Makes no difference to where you run your site from.
And I stick to my statement that I wouldn’t allow that kinda technology onto my network.
You could claim that I’m doing a similar thing anyway should I block access to certain sites using our proxy server or firewall, but this is inherently different to blocking access on a national level - on your home connection it is your time, at work it is the time of the company you work for.
Also, take note that the only people who are really screaming about the way governments are positioning themselves towards sanitising our vivid internet happen to be network admins or a few people who keep up with in-depth IT news.
And for all intents and purposes, this is my “real” name - it’s the identity I choose to use rather than the one forced upon me by my parents. As ridiculous as that sounds when read out loud.
Oh, and you’re welcome about iPiMP it certainly has a great potential as long as the makers of mediaportal can implement the right backend to support controlling a client via the app.
*Romania* ? wtf?
word wtf lol +1
It will eventually increase the number of attacks. The wannabes will never end. It’s like in the real world there is terrorism to distinguish security there is devil to distinguish God etc… There will be many many more attacks if such security action is going to be claimed. And right now the attacks are weak and not organized enough because they don’t know whom to go for. But with this big image of a high security layer they will take it as their greatest challenge, and most important they will know whom to go for.
Every excuse is good to take control over the Internet I guess…
So we have the NSA, CIA, Federal Agencies and probably other dark closet types, all are now scaremongering around the security, social dangers, likely terrorist mis-use and dangers of having freedom of expression (amongst others) without constraints and control.
Department of Homeland Security’s National Cyber Security Division’s real agenda is to control, monitor and begin to put more structure, order and identity management into the use of the internet - gently using the protection issue as a means to get under the ‘skin of the internet’.
Next on the agenda would probably be identity management - how do we know who you are, what you’re doing and what your intentions are.
Well Google probably know more than you realise on this already, so I won’t be surprised to see Google VP’s and Exec’s in cahoots with some of the government agencies as evangelists of the free speech piece.
dt
Just a little info.
The NSA already does all the things that DHS wants.
DHS must go public for those things and starts to cry like a 2 year old till they get what they want. They are just jealous that NSA does it already and does it better than any other agency, but they just don’t share all the info. It’s all about the power game for the Generals and Admirals.
Perhaps a Department of Internet Defense xD?
If Bin Laden really wanted to cripple the US economy, they could easily do it by damaging the internet infrastructure in the US, possibly the future of terrorism if US doesn’t act on it. Can lives be taken if the Internet goes down?
No, the Internet isn’t going to go down. It can’t go down by design. You might be temporarily disconnected from some sites like youtube.com was recently when MAJOR screw ups occur. Even in those instances the site was accessible by a large number of people. The fix was applied relatively quickly (days-not weeks or months). That’s about it. Lots of money can be lost- but this is only the result of neglect on the parts of administrators and companies developing software like Microsoft, Apple, and so on to do their job in applying security patches-and writing secure software in general.
Maybe it should rather be re appropriate sense of the Internet. A network precisely built to prevent external attacks or failures. But to save money and increase-left to lose its original concept - the network speed, we chose the opposite.
Adding that the U.S. remains central also for strategic reasons and do not want their other continents are equal on this subject…
Are there any organizations (formal or informal) that take an active role against bots, such as counter-hacking an infected machine to repair flaws (forced vaccinations)? I’ve read about the Air Force planning to have its own ‘bot network’ to do battle with other bots, but I’ve always been curious if it would just be easier to set up honeypots that repair infected machines.
Am I the only one concerned that the person in charge of military cyber warfare just talked about “double clicking on your mouse for the screen to refresh”? Does he do that on the series of tubes known as the Internets?
people who talk in seriousness about protecting “the Internet” as a whole betray an utter lack of understanding of the nature of the Internet. The statement makes no sense, if you understand that there is no single entity to protect, but rather a collection of tens of thousands of individual autonomous networks who agree to exchange traffic. The only way to protect “the Internet” would be to be the police force on each of those autonomous networks. Thanks, but no thanks - you want to protect something, protect your own network. I’ll take care of my own, and I expect my providers to do likewise.
I don’t expect, want or need the government to protect “the Internet” or my network, any more than I want a tank stationed outside of my house: even if it were warranted, the tradeoffs are quite a bit more than I’m comfortable with.
Well, it’s not as if you don’t want a tank on a base somewhere, ready should the need arise, no? Or a police station somewhere in your town? I think people who have serious discussions about protecting the Internet do in fact understand its nature but also understand the theoretical possibility that large-scale coordinated efforts by powerful coherent state-sponsored entities could be effective in bringing down a significant portion of the “tens of thousands of individual autonomous networks” you talk about, or at least the networks that are important for strategic reasons. When they talk about protecting “the Internet,” they understand that “the Internet” is not a coherent, centralized entity. What they are talking about is protecting the ability for basically any person or organization to get online and use a network to do their business.
I’m just saying that this is a completely rational discussion to be having. Whether the government is the most effective way of dealing with this problem and whether the civil-libertarian concerns are too great is of course a different question altogether.
The closest thing you could do to taking out the “Internet” is taking out the 13 root DNS servers. In practice this isn’t really going to take down the Internet. You can still connect to other users based on the IP address. It might prevent people from typing in addresses based on a domain name, but even that is questionable due to the nature of DNS. Let’s not forget everybody relies on these 13 servers throughout the world. Your ISP caches the requests to these servers also- which means that not only would you have to take out these servers, but also every ISP’s servers- including every home wifi router to effectively disable all communication- that requires a user entered domain name to be entered. This has never happened and isn’t likely to ever happen. It is easier to take out the physical connections than take out the world’s core systems that make the “Internet” happen.
The idea that the Internet somehow needs protection is an error in the understanding of how it all works. Unless you are referring to the physical security of the lines and connections between the networks (which is clearly not what is being discussed). It is the desktop computers and servers connected to the networks that make up the Internet that need to be secured. The way a computer or server is secured is by removing the bugs in whatever internet accessible software is running-and GOOD education. The state of insecurity on the computers connected to the Internet is primarily the fault of Microsoft, Apple, users, and some administrators/decision makers. Any company selling “Internet Security” software is fraudulent. Security is not a product you can buy. Anti-virus/Anti-malware may be a necessity of proprietary operating systems and operating systems without package management systems such as MS Windows and Mac OS X, but these programs do not improve the security of your system. The physical equivalence would be like you leaving your doors wide open in a dangerous neighbourhood with a welcome sign and then simply checking every person wanting to enter against a list of people recently released from state prison- a list which isn’t accurate, complete (other state prisons), or sufficient. You will catch some of the bad guys- but completely miss anybody who lies to you or doesn’t show up on your list.
The solution is to switch to a better software distribution model. We need software repositories- or white lists and anything outside of these repositories should not be easy to install by the ill-qualified. That software distribution system must then be connected to a security update system. The only operating systems that come close to this model are GNU/Linux based solutions. While a minority of users are currently using such secure systems these systems have proven to be both reliable & practical.
Great information
Thanks