Software [In]security: Computer Security and International Norms
Though the Obama White House has certainly had more to say about cyber security than previous administrations, much of the early policy and positioning work emanating from the White House did more to define the problem and present a number of plattitudes than it did to address the policy vacuum. Things seem to be turning around with the recently-released "International Strategy for Cyberspace," which the President himself said is "the first time that our Nation has laid out an approach that unifies our engagement with international partners on the full range of cyber issues." This is a promising development and one long overdue.
Regardless of the Internet's US provenance and its California-inspired vibe, today's Internet is a global phenomenon. Americans are usually surprised to learn that less than 15% of the population using the Internet is American and only around half of the Internet's traffic is American . The upshot should be obvious—if we as Americans intend the Internet to be used as a tool to promote democracy, corruption-free international commerce, and freedom of speech (and explicitly not to be used as a tool for Big Brother oppresion and the erosion of individual liberty and privacy) we need to make our goals explicit.
As it turns out, computer security has been used in widely different ways to justify widely different objectives internationally. For example, Russia has been rumored to use trumped up computer hacking charges to oppress political dissidents while at the same time encouraging grass-roots hacking efforts in support of national patriotic fervor . China has turned a blind eye to rampant piracy of digital content and has engaged in massive state-sponsored theft of intellectual property . The United States' well-developed military-industrial complex itself is using computer security and the threat of cyber war to ramp up spending on advanced cyber weaponry . Hopefully, a clear policy statement from the executive branch of the United States can counter some of these disturbing trends and help spark development of a set of acceptable international norms of behavior in cyber space that promote liberty, commerce, and cyber peace.
Obama's International Strategy for Cyberspace
The strategy document itself is very approachable and is worth a read. It serves as a policy statement and a future vision for the Internet and cyberspace divided into four sections: 1) building cyberspace policy, 2) cyberspace's future, 3) policy priorities, and 4) moving forward.
Section one emphasizes our dependancy as a global society on technology and the net. The notions of trust, trustworthiness, confidence, openness, and interoperability are used to emphasize the role of security and the rule of law (as opposed to, say, cyber menaces including war, terrorism, crime, espionage and the sordid underbelly of human society). American ideals such as freedom of expression and freedon of association are linked to the notion of freedom of information in cyberspace. The usual cyber bogeymen do rear their heads around page four in a paragraph about challenges, but this plays second fiddle (or maybe even viola) to the emphasis afforded three core US principals:
- Fundamental freedoms (freedom of expression and freedom of association paramount among them)
- Privacy (though frankly when it comes to the rule of law, the US is lagging behind other parts of the world in this domain)
- Free flow of information (underscoring instead of counterbalancing cybersecurity)
The "free flow of information" notion is worth a few extra words. The document declares, "States do not, and should not have to choose between the free flow of information and the security of their networks." This is an important and insightful view that is not commonly expressed in cyber politics. Security should enhance freedom, not trade off against it. Censorship is not good security.
Section two of the document provides a vision for the future of cyberspace and the net. As many technologists already know, the Internet can be a powerful force for peace and prosperity. The main idea in this section is to emphasize this vision for the net and to discuss preservation of "the Internet and its core characteristics." A concisely stated goal captures the essence of this section and seems to put the entire document in a nutshell:
"Our Goal. The United States will work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation To achieve that goal, we will build and sustain an environment in which norms of responsible behavior guide states' actions, sustain partnerships, and support the rule of law in cyberspace."
If there is a flaw in section two, it is a distinct underemphasis on security engineering and software security. Old school computer security emphasizes three things: protecting the broken stuff from the bad people, focusing on monitoring and network security operations, and sharing information about ongoing attacks. In my view, the only effective way to make these activities tenable is to build security into the very fabric of cyberspace. Simply put, our modern systems are still coming off the assembly line with too many security vulnerabilities. We need to fix that, and our national policy would do well to address this problem more explicitly. In fact, more broadly speaking, if as the document argues "distributed systems require distributed action" and "in an interconnected global environment, weak security in one nation's systems compounds the risk to others," then we need to make sure that the rest of the world builds security in as well.
The notion of international norms (State Department speak for rights and responsibilities) is an important one not familiar to most technical people. A clear statement of what the US believes are its cyber rights and a corresponding set of cyber responsibilities rounds out the section. But once again, building highly reliable, secure systems and system components needs more emphasis here.
The United States remains a superpower, and it puts this weight to use in the section on defense. One quote sums it up nicely: "the United States will defend its networks, whether the threat comes from terrorists, cybercriminals, or states and their proxies." Putting cyber miscreants on notice is important, but one of the main problems in cybersecurity is identifying exactly who is doing the attacking. Misdirected response can have severe and devastating consequences, and attribution is not something built into today's Internet. (It should go without saying that striking a balance between our desire for free flow of information, privacy, and the fundamental freedoms and the notion of attribution makes technical approaches to this aspect of policy thorny indeed.)
In my view, the section on defense needs the most attention. There is too much reactive computer security here and not enough proactive philosophy. We have an opportunity to up our computer security game to the next level and lead the way to more secure systems that in turn bolster our core principals, but that will require better engineering and implementation up front (not better operational defense). We can use our position of strength and leadership to move things in the right direction and take the beach.
Section three boils down the discussion of sections one and two into a set of policy statements in support of the political philosophy and the reality of the situation. From the perspective of international commerce, this policy statement both coheres with core principals and supports international business.
Section four sums things up with a description of the Internet and cybersace as a tool of democratization and freedom.
International Commerce and Computer Security
The word "security" is mentioned in the cyber strategy document more than 80 times, including on the title page, and yet the document does not fall into the usual Fear Uncertainty and Doubt trap all too common in discussions of computer security. Instead, the emphasis is on spreading American ideals and developing international norms that foster a secure and reliable cyberspace. As the document says, "the benefits of an interconnected world should not be limited by national borders."
It is particularly interesting that the strategy addresses "cyberspace," but without a close read of the document (especially the title page) any reader might come away with the feeling that this is a cyber security strategy document. From this, the direct impact that organized crime and cyber-miscreants have had on the Internet economy should be obvious. Security is now inextricably bound up with "cyberspace" and has become a necessary part of any way forward.
Many countries are much smaller and less wealthy than the US. Because of this fact, there are specific elements woven throughout the US cyberspace strategy that are critical enablers allowing smaller partners to contribute effectively to evolve, protect, and leverage the cyberspace we have in common. One of the main issues we face is how to both protect and empower our citizens simultaneously while avoiding the nanny state trap. As things stand, myriad competing international laws and regulations blur the already hard to discern boundaries between security, privacy, personal identity, and freedom. This makes cyberspace a difficult environment for businesses and their customers to operate in efficiently, while unfortunately making it trivial to be an "international" bad actor.
Multinational corporations and the people of the world who use their services will all benefit from a set of norms (some codified into law) that clearly demarcate the fractal boundary between privacy and attribution.
Any successful national strategy must necessarily provide benefit to all legitimate actors (including those outside the nation) if it is to be widely adopted. Private sector organizations have the ability to innovate and drive adoption much more effectively and quickly than any government can—in fact, adoption will happen organically under the invisible hand of the market if there is a benefit to the private sector actor. The upshot is that cyberspace strategy and emerging international norms of behavior should directly address global economic and cultural differences in a manner that benefits all constituents. Put more simply, good behavior in cyberspace should be rewarded and bad behavior not tolerated.
Last Word to the President
President Obama puts it best when he says, "By itself, the Internet will not usher in a new era of international cooperation. That work is up to us, its beneficiaries. Together, we can work together [sic] to build a future for cyberspace that is open, interoperable, secure, and reliable." We applaud the effort to make our national goals and policies clear when it comes to cyberspace, and we look forward to more of the incredible growth and progress that the Internet has delivered to date.
Early versions of this article benefitted directly from discussion with one particular international banker who specializes in computer security. He wishes to remain anonymous.