Over the last few years, the rhetoric if not the actuality of cyberwarfare has been escalating. Every day, it seems, the media report on alleged cyberattacks--by nations, terrorist organizations or criminal gangs--against U.S. governmental institutions and corporations. Many of these allegations are being made by individuals or groups that stand to benefit from increased funding for cybersecurity, and whose claims cannot be verified because details are classified.
Seeking guidance, I turned to legendary computer scientist Dave Farber, a professor at Carnegie Mellon who has also worked for or with Bell Labs, Rand, the FCC, the Electronic Frontier Foundation and many other institutions. Farber is sometimes called the "Grandfather of the Internet" both because of his pioneering work in distributed computing and his mentoring of graduate students who helped build the Internet. He remains deeply involved in debates over how to maximize benefits and minimize risks of the Internet. (See Farber's resume on Wikipedia.)
I have gotten to know Farber because he is an active alumnus of Stevens Institute of Technology, where I teach. I am also on a listserve that he moderates, "Interesting People." What follows is my summary of our recent conversation in New York City.
Although some cyber-threats may have been exaggerated, Farber said, the Internet is "very vulnerable. There are a whole host of potential threats. I characterize it as walking on a sheet of ice on top of a sheet of ice." He and others who helped create the first computer networks could not possibly have anticipated all the security problems that would arise as the Internet evolved.
"The network was not built to be secure," he said. "You have to remember the Internet was an experiment. It was hard enough building it without worrying about security. We knew there were some serious flaws, early on. But it's like any other system: once you lay the groundwork there are very few opportunities to change it."
Farber warned that that many "solutions" to cybersecurity, especially those offered by commercial firms, are bogus. "What you have to watch out for is when people talk about their particular cure, which usually translate as, 'Give us money and we will cure the problem.' But in fact the cures probably won't cure anything." Products that supposedly provide protection against viruses and malware "are well known not to work inside the trade. Nobody but the most blatant amateurs write viruses that those products will catch. The sophisticated ones, they will never catch."
Farber added that "patchwork fixes hardly ever work. We know in principle how to build a secure computing environment, but none of that is cheap. Part of the problem is, even if I build you a secure computer network and secure operating system, you have millions of computers out there that are not retrofittable."
Farber identified two approaches that could boost Internet security without huge effort and expense. One would be tightening up the issuance of security certificates, which supposedly guarantee that online purveyors of information are who they purport to be. Another approach would be to focus on reforming the domain-name system, which now makes it too easy for hackers to mount denial-of-service attacks against websites.
One terrible idea, Farber said, floated recently by the Commission on the Theft of American Intellectual Property, a private group, is for companies to mount counter-strikes against suspected cyber-attackers. Far from inhibiting cyberattacks, this tactic could lead to many more of them, Farber said. Moreover, a company might decide, "That guy is too much competition, let's put him out of business" by falsely accusing him of a cyberattack and counterstriking.
Farber said that the U.S. is undoubtedly the target of cyber-espionage by many other nations, including allies, seeking industrial trade secrets. "I assume North Korea, China, France, the United Kingdom and everybody else has tried to penetrate our computer systems. They have been doing [espionage] for many years in the physical world. Years ago France was caught doing that, looking for commercial advantage."
But Farber suspected that the threat from China has been exaggerated. "I find it hard to believe that China invests a lot in [industrial espionage], considering that we give them everything as is. We put plants over there, we teach them how to build things." Moreover, just because attacks originate in China does not mean the government sponsors them. "I'm sure there is some stuff being done by the government. But some is just being done because there are piles of people who have the tools to do it."
Farber compared the escalating threat of cyberattacks to the nuclear arms race that followed the end of World War II. Farber said that, just as prominent physicists once led efforts to contain the risks of nuclear weapons, so should leading computer scientists help devise policies to reduce the risks of information technologies.
Preventing cyberwar, Farber said, is in some ways a much more complex task; few nations have the resources to build nuclear weapons, and they know who their potential nuclear foes are and hence can deter attacks with the threat of retaliation. In contrast, there are countless potential threats, and you often can't be sure who is attacking or threatening you.
"You really have to do good forensics," Farber said, to trace attacks to their actual source and avoid false accusations and unjustified counterattacks. "If nations were willing to cooperate, there's a lot more you can do" to identify attackers.
Farber's greatest concern is cyberattacks not by nations but by freelance criminal hackers. "There is no way to get at them easily, there are an awful lot of them, and their motives are highly varied. They may be doing it to get information they can sell. They may be hired by someone to do it. They may be protesting something or other, and there is nothing like a major incident to get their cause publicity."
Farber feared that "the problem of hackers for hire is going to get maybe worse, because we are graduating kids who can't get decent jobs but are well trained." Cyberattacks could pose a direct threat to peoples' lives. "Modern hospitals now are hooked up to networks. What would a denial of service attack on a major hospital do? An intelligent attack on our power system would be a nightmare."
If he was "Cyber Czar"--in charge of all cybersecurity--Farber would form a group of experts to "dig really deep into what the problem is." The group would determine how much of the threat to cybersecurity "is real, how much is not real," and would propose how to boost security "with a relatively short amount of work." The group would consist of people "who had no ulterior motives, no conflicts. They may tend to be older, more experienced, people who don’t feel they have to get their point of view across whether it's right, wrong or indifferent."
Farber said National Security Agency personnel could provide technical guidance. " Do I think they have very good people? Yes. Do I trust them? Not as far as I can throw them. But I trust NSA more than I would trust a company" selling security services. Farber and I spoke shortly before reports that the National Security Agency is "collecting the telephone records of millions of US customers of Verizon."
Farber has concerns about digital privacy as well as security. "I worry a lot about Google Glasses," he said. "When you're coupled directly to the net, and you have cameras, that's sort of scary." Farber suggested that if Senator Joe McCarthy, who led anti-communist "witch hunts" in the 1950s, had had "the tools we have now, he wouldn't have to say, 'Somebody said you met with…' He would just be able to say, 'You wrote this note to this guy 10 years ago.'"
I hope Dave Farber's views provoke constructive responses.
Photo: Stevens Institute of Technology