Cyber security expert Eugene Spafford, a professor of computer sciences at Purdue University and former member of the President’s Information Technology Advisory Committee, responds to GPS readers’ questions. The views expressed are his own, based on publicly available information, and do not necessarily reflect those of any other organization.
“Danish Ahmed” notes we have laws governing the high seas and space – should governments be doing more to implement rules in cyber space?
Definitely, yes. Unfortunately, there are many significant obstacles in the way. We’ve had governments for thousands of years and we are still working out how to balance national interests against each other with simpler technologies, and to understand and enforce the laws and norms those governments set for their populations. The whole notion of international computing networks is about 35 years old – about one human generation. That isn’t enough time for us to get the experience necessary to really understand what needs to be done and what will work.
We have need of better agreements on behavior about what might be considered illegal, for instance. But to do that, we need to come up with some norms of appropriate use to which (almost) everyone can agree. This will not be simple or quick because there is such a variety of national and cultural standards that must be bridged. As one particular case, there are broad general protections in the U.S. for political and religious expression. However, that is not the norm everywhere else. For example, references to Nazi symbols are criminal offenses in Europe, Christianity is effectively banned in some Muslim countries with proselytization a capital offense, any criticism of the king is a crime in Thailand, and discussion of the failings of the Communist Party is blocked in the People's Republic of China. The situation may be even more complex as we consider images, video, and sound. Cartoons that purport to be of the Islamic prophet Mohammed will generate violence in many countries and be seen as valid speech in others. Posting pictures of naked people will be (boring) art in some countries, scandalous pornography in others, and possibly generate a death sentence in a few more. How do we begin to define norms for everyone to use?
It might seem to be the case that viruses, spam, break-ins, fraud, phishing, botnets, and espionage would all be obvious cases, but they aren't if you look closely. For instance, spam is defined as "unsolicited, unwelcome email" in some places. But can you tell ahead of time whether a particular email will always be unwanted? And how do we define "unsolicited" when people regularly click through on "I agree" buttons everywhere without reading the agreements? Sometimes the fine print includes an agreement to accept marketing emails. Espionage is against local law, but almost every major country practices it and treats it as patriotic service; there is no general agreement internationally that espionage is a crime, nor will there likely be one anytime soon. And so on for the rest.
We have conflicts between security and privacy, and national privilege versus individual rights within countries as well as between countries. It is often simpler to invade privacy to collect information for law enforcement, especially if people are frightened by terrorism (which is effectively saying that the terrorists have won). Privacy, once sacrificed, can’t really be reclaimed without incredible effort and time, if at all. And some countries do not believe that individuals have rights that are the equal of (or greater than) that of government officials, political parties, religious institutions or preaching, royalty, or companies.
Getting agreement about what kinds of online behavior and postings are allowed and which ones are criminal (or simply rude) is going to take time and negotiation. Then there is also the discussion that needs to be conducted about evidence, about extradition, and about punishment. Reconciling civil courts with military tribunals with sharia councils with royal decree is not going to be simple, for instance. Standards of evidence, too, are a problem when we need to collect it in different countries for presentation in prosecution. What are the appropriate standards? Who does the collection? Keep in mind there are concerns of national sovereignty, privacy, individual rights, and technological capacity – what may be the expected norm in Canada is going to be very different from Sierra Leone, Vietnam, and Bolivia.
That isn't to argue that it can't be done. The Hague Conventions and the United Nations have made some progress in international consensus, but it has been slow going. We do have international agreements on investigating forms of fraud, extraditing thieves and murderers from some countries, and there is a patchwork of laws against narcotics and human trafficking. Those laws and treaties work imperfectly, and not all countries respect them, but we do have some in place. One problem with the "cyber domain" is tying acts back to specific people (attribution) and the fact that we are concerned with people able to act at a distance. If a theft occurs at my business, I can perhaps tie it back to a person who was in the building. In cyber, that same theft may be occurring at the behest of someone half the globe away…sitting in a cyber café using a stolen identity and remote access software. We have a long way to go to understand and develop better controls and laws.
At a level of nation-to-nation we also have issues. Countries gathering information, infiltrating infrastructure, and possibly sabotaging critical systems are all a concern. But consider – if a country has an advantage in what its personnel can accomplish, why would they want to have limits in place? If a country is so small or weak that it’s dominated physically and economically already, what good will controls do for them? As it stands now, there aren't many incentives to put in place new rules. And even if we did, how would they be enforced? What would the penalty be for breaking them?
So, yes, governments need to be doing more about developing common rules for better behavior, but it is going to be a long, difficult process.
“Jamie Robinson” asks on Facebook how confident the U.S. public can be that the government won't pass new cyber security laws that conflict with the public interest? Essentially, how much do you trust lawmakers to do the right thing?
We can't be confident of this at all. Think about some of the bad laws that have been passed – or the lack of action on things that should be obvious to address!
First, consider that we elect almost no scientists or engineers to public office. Instead, they are primarily lawyers or business owners. This means that the majority of elected representatives are unlikely to know the fine details of the technology, among other things. Take the late Senator Ted Stevens’ "series of tubes" description of the Internet in 2006, and the overwhelming lack of understanding of SOPA/PIPA effects last year. This lack of fundamental knowledge presents a huge obstacle to explaining the nuances of complex issues posed by cyber (and space science, and quantum physics, and genetic engineering, and many other cutting edge areas). Furthermore, officials and representatives who are operating according to an agenda based on political zealotry, religious ideology, or similar extreme views are not likely to really care about highly nuanced technical issues. However, those are the people who we, the people, elect to a large number of important offices.
Those elected officials – including both the zealots and the ones who are more open to discourse and thoughtful consideration – are responsible for decisions across a great many areas, so they depend on advice from staff and outside sources. Congressional and many state staff are often quite good, but the pay for those positions does not always attract the best and the brightest, nor does it keep them there long. The lure of better-paying jobs with more reasonable hours takes the majority of them away after a few years. Sometimes other governmental organizations have deep expertise, but they are officially part of the executive branch and so Congress often keeps them at arm's length; state governments seldom have access to that expertise.
So where does guidance come from? Three of the main sources are constituents (you), non-partisan organizations, and lobbyists. The lobbyists often get heard the most and earliest because they have money to spend and a tight focus on a few outcomes. They can be very persuasive, and often the lobbyists are "trusted" because they are former legislators, staff, or officials themselves, and because they can afford to bring in cherry-picked, impressive-sounding experts to back their points of view. Lobbyists also make donations to campaign funds, and that helps get them in the door to talk to the officials. Few non-partisan organizations can afford to make similar donations, and they don't necessarily have the gravitas of a group representing multi-billion dollar businesses.
Constituents are really important here. The voters (you do vote, right?) should carefully research issues and facts (and that means MUCH more than believing radio or TV talk show hosts, who sometimes "spin" a story to make it more interesting – media needs to attract an audience to stay in business, after all). As voters, you should participate in the process of nominating and then electing representatives who understand important issues and who are willing to address them. This means people who have had real careers in STEM (science, technology, engineering, mathematics) so they can tackle important issues affecting computing, space science, education, and high tech industry – don't automatically vote for someone based on political party affiliation unless that’s more important to you than everything else!
But it doesn't stop there. No matter who is elected, it’s important to regularly communicate your concerns and views to your elected representatives. An online petition is easily ignored these days, as are form emails. A personal email is given more weight, a paper letter more attention than email, a telephone call to the office means more than a letter, and a visit to your official’s office to talk to someone (staff usually, but that's their job) is even more notable. And if an official does take actions contrary to what you view as public interest, DON'T vote them back into office and DO tell them about it!
There is much more that could be said about this topic, but it’s important that you take it on yourself to investigate and educate yourself rather than listen to only one or two outside voices, no matter how expert. I also hesitate to recommend any groups or sources, because I don't want people who disagree with some of my points of view to label those sources as immediately suspect. However, as a start, you can easily find I’m associated with three organizations that do attempt to educate officials about computing technology, so mentioning them shouldn't make a difference; I believe all three are politically neutral, but technology savvy: USACM (usacm.acm.org), the Computing Research Association (cra.org), and the Electronic Privacy Information Center (epic.org).
The United States refused to sign the United Nations WCIT Internet Peace Treaty, writes “John Bingham.” Do you think this hands off approach by the U.S. government is the right one?
I'm not aware of a "peace treaty." The WCIT agreement that I know about that was not signed was about Internet governance and a possible attempt to assign that to the ITU. I think it was correct to not ratify that agreement. If you are asking about something else, my apologies for not understanding.
China’s cyber hacking activities date back at least a decade. Why do you think the Pentagon has chosen now to call more attention to it? “Jim Goltz” asks if something happened recently, the proverbial "game changer," or is this merely being used as domestic political leverage?
Espionage and crime (and that is what "cyber hacking" really is) have been going on for decades in computing. It has been getting worse every year. Where it has been getting more noticeable is the targeting of private companies to steal their intellectual property, and (to some extent) the targeting of some private citizens (e.g., advocates for Tibetan independence). The loss of economically important data, and its use to advance non-U.S. industries that then compete with the United States, has become increasingly acute, especially when we look at the health of the U.S. economy and the balance of trade.
There have been people inside and outside of government who have been warning of the problems for decades, first as potential threats then as actual problems. Those warnings were largely ignored both because they weren’t well understood in context, and because to act on them might hurt the economy. Now, more decision makers (and the public) are beginning to understand some of the deeper issues, and the economy is clearly being hurt by inaction.
China has been called out because it appears groups within China have been particularly aggressive about such acts, and also are indulging in intrusions and theft on a grand scale (perhaps a function of their large population). I’ve heard some officials refer to it as "large scale hoovering of information." I imagine that some U.S. officials hoped that the public condemnation might cause second thoughts by the perpetrators and a lessening of the brazen intrusions, but that doesn’t appear to have happened – at least, news reports indicate that not much has changed.
I should note that the government of the PRC has firmly denied any such activity by their government. However, I also don't know of any modern country that has admitted to large-scale espionage when accused of such. You may draw your own conclusions.
So, specifically to your question, I don’t believe it was a result of a specific "game changing" event, nor is it being used as domestic leverage. I think it’s simply a case of the weight of evidence and the increasing pace of loss finally getting to a point where officials had to act. It’s a serious issue that probably has been ignored for too long and can't be ignored any more.
Because not much has changed, I wouldn’t be surprised if the level of rhetoric on this issue is increased in coming months. When – or if – visible action will be taken, and in what form, are active topics of speculation on some of the policy blogs and mailing lists I follow.
“Richard H” asks if we are focusing too much on China?
I believe that is possible, at least as far as public appearances. And by "we" I assume you mean the USA, although it appears from recent news reports that at least Canada, Australia, the U.K., Germany, France and India have all been victimized by attacks emanating from China, too.
Many countries around the world have been indulging in espionage via "cyber" for years. That is to be expected as they’ve been indulging in espionage of all sorts, and cyber is simply one more means. Entities in the U.S. (government and military) continue to be a target for nearly all of those countries because of our advanced industries and prominent world position. If you look through news reports of break-ins and theft over the last few years you will find incidents in the U.S. that suggest ties to actors in Russia, Cuba, Syria, and Iran (among others).
An even bigger problem is that of criminal activity – theft, fraud, and vandalism. For instance, in the news recently were reports of a major $45 million fraud that was enabled by cyber hacking. Cyber criminal activity is going on all the time, and it’s a large drain on the economy. It has traditionally been easier to get Congressional attention for existential threats (e.g., military threats) than criminal activities, so it’s not particularly surprising that the military has taken an early lead in getting funding and attention despite the sizable criminal activity. (Note that in the U.S., the uniformed military is not involved in criminal investigations, so support for one does not equate to support for the other.)
There is a grey area between the espionage activities of nation-states and private criminals. Theft of the latest aircraft designs from a major manufacturer is theft no matter who does it. It doesn’t matter if it is done by a gang to sell to a competitor, by agents of that competitor, or by members of some country's intelligence service to give to one of their domestic companies – it’s still theft. From our viewpoint, the result is basically the same: the foreign company gets a new design without investing in any of the R&D or testing necessary to validate it, so it can better compete against our domestic manufacturer. From an investigation standpoint, we may never be able to tell who was involved.
Not all espionage is conducted by national governments, however. Some of the criminal activity we have seen over the years is not state-sponsored – it’s state tolerated. Criminals are allowed to operate within national borders so long as their victims are in certain other countries, and perhaps the criminals are required to pay a percentage to local officials. The national leadership is not directing the activities, but neither is it prohibiting them. When the results lead to increased intellectual and economic advantage, or a decrease in the capacity of "competitors," why would they try to stifle such behavior?
China is probably an issue simply because there are so many people there, and so much criminal activity online appears to originate from there. There’s also likely growing concern over trade imbalances, and the weak intellectual property laws in the PRC that enable the use of intellectual property stolen from the U.S. without much recourse.
As I noted in the answer to the previous question, the government of the PRC has denied any involvement in these activities.
All of this also ties back to the first question, and my answer to it: The international norms of behavior and the methods of enforcing them need a great deal of work.
How prepared overall do you believe the U.S. government is in terms of cyber security?
This is a very ambiguous question, covering a lot of ground. So, I'll try to give brief answers to a few selected components:
a) Although I don't know specific details, I suspect we have an outstanding military capability for offense, should that ever be needed. Our military isn't limited to cyber, either, so it seems unlikely anyone would want to provoke us enough to cause a military response.
b) Defensively, the government is in good shape some places, but in quite poor condition in most places. I'm led to believe that the most common computing operating system still in use in the U.S. government (across all branches and agencies) is Windows XP. If you know anything about cyber security (or computing!) that should be worrisome. It’s also indicative of the level of overall cyber preparedness.
c) Law enforcement has been neglected for years, so we have too few investigators and too few tools to respond to many things. Courts aren't prepared to handle too many cases, both because of their level of complexity and because most Federal courts are simply overloaded. (Also, the Senate has done a very poor job of confirming judges to fill vacant seats in Federal courts. You might contact your senators about why that is so and encourage them to speed this up.) State courts and investigators are generally in even worse shape for similar reasons of cost, manpower, tools, and capacity.
d) At the Federal level there is insufficient support for education in this area, and insufficient funding for advanced (not applied) research that would get us away from the massive, ongoing "catch-up" patching we have been doing for years. In the states, support for education at every level has been declining. State universities have been hard hit by shrinking budgets. K-12 education has also been under incredible financial and political strain. Computing is not even considered a core science in the majority of states – if anything about cyber is taught beyond how to type, it’s offered as a vocational skill such as auto mechanics or home economics!
Computing is not the only technology/science shortfall. I recommend finding online the two (free) reports "Rising Above the Gathering Storm" and "Rising Above the Gathering Storm: Revisited" by the National Academies Press. These didn’t get much public attention when they were published, but what they have to say is important for the future of the country (if not the world), and they aren't too long or difficult to read.
e) By various estimates, between 75 percent and 95 percent of the critical computing infrastructure in the USA is owned and operated by the private sector. Government attempts to pass cyber security regulations covering what the private sector operates have failed. The operators/owners claim that it’s too expensive to take even some basic security measures; neither do they understand the incredible cost of failures, unfortunately, nor the likelihood of risk. Thus, by failure to educate and regulate, the government isn't ready here, either.
f) The U.S. government is of the people, for the people. The citizens of the U.S. don't apply patches to their own systems, don't run good security software, and don't bother to learn about basic cyber hygiene. The citizens don't press their vendors for better security and privacy. The citizens (the minority who vote) continue to elect people to Congress who don't understand the issues, and in some cases appear to be completely incompetent – but manage to appeal to extremism enough to be elected by energizing a core of extremists who vote. The lack of citizen concern and informed participation is another aspect of the overall picture, and by this measure the U.S. is definitely not prepared.
So, we aren't really well prepared. Fortunately, probably no other country is better situated, so it isn't all doom and gloom.