“Ideas that matter,
since 1965.”

Absolute security on the Internet is impossible, but we still have to try to get it right.

Security is one of the fundamental building blocks of the Internet. Everything we do on the Internet, from casual conversations to business transactions to our critical infrastructure, requires some level of security. And because we want to do everything on the Internet, and because so much of our nation’s critical infrastructure has migrated to the Internet, Internet security is critical for national security.

Absolute security is impossible. There’s no way to eliminate the risks of fraud, identity theft, espionage, or malicious attack. But that’s okay — it’s no different than the real world. We make security trade-offs all the time, finding acceptable levels for risks like privacy loss, theft, large-scale financial fraud, and even terrorism. The dangers on the Internet are really no different than those in the real world.

But there are differences, and they trip us up again and again. We understand how the real world works, so we try to apply that understanding to the Internet. We want to prevent copyright infringement, so we try to make bits so they can’t be copied. We want to know where data comes from, so we try to enforce attribution. We think we can design computer voting machines because we know how mechanical voting machines work. We build electronic banking systems that mimic the brick-and-mortar bank branches they’ve replaced, and social networking sites that try to capture all the richness of human interaction. But these things don’t work as we envision, because the world of bits is unlike the world of atoms — and the same rules don’t apply.

This isn’t to say that Internet security is impossible, only that we tend to go about it all wrong. But as more and more of our critical infrastructure moves to the Internet, we need to start getting it right.

…as more and more of our critical infrastructure moves to the Internet, we need to start getting it right.

First, two observations.

One: details matter. There are lots of serious issues that we have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It’s not enough to get the broad policy goals right. We can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.

Two: the Internet is global, and any security solutions have to take that into account. One of the reasons anti-spam legislation has so little effect is that most spam comes from overseas. Laws attempting to regulate anonymity will fail for similar reasons.

Now, four concrete policy recommendations.

1) The government needs to secure its own networks. This will take money, and it will take coordination. We need a cybersecurity coordinator, and he needs to have budgetary authority. This should be done openly, with commercial products, and not behind classified doors. Despite what the NSA might say, we should not weaken security by building systems to facilitate eavesdropping. We’re all safer if information technology is more secure, even though the bad guys can use it, too. And the NSA should not be in charge of this in any case — these are common problems with common solutions, and secrecy doesn’t help.

2) The government should use its immense buying power to improve the security of commercial products and services. Most of the cost of these products is in development rather than production. Think software: the first copy costs millions to develop, but subsequent copies are essentially free. Additionally, the government has to buy computers for all its employees, and secure all its networks. It should consolidate those contracts, and include explicit security requirements. This will motivate vendors to make serious security improvements in the products and services they sell to the government, and everyone else will benefit because vendors will include those improvements in the same products and services they sell commercially.

3) We need smart legislation to improve security in places where critical infrastructure is in private hands. We shouldn’t make the mistake of thinking the market will magically solve Internet security. There are lots of areas in security where externalities cause security failures. For example, software companies that sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. Good laws regulate results, not methodologies. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating liabilities for software vulnerabilities is good; detailing how to avoid them is not. The government should legislate for the results it wants and implement the appropriate penalties, then step back and let the market figure out how to achieve those results. That’s what markets are good at.

The government should legislate for the results it wants and implement the appropriate penalties, then step back and let the market figure out how to achieve those results.

4) We need to invest broadly in security research. Basic research is risky; it doesn’t always pay off. That’s why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup. But the root cause of its demise was a desire for higher efficiency and short-term profitability—not unreasonable in an unregulated business. Government research can be used to balance that desire by funding long-term research. We should let the NSF and other funding agencies decide how to spend the money with minimal micromanagement from Congress; the same with the national laboratories. Yes, some research will sound silly to a layman. But no one can predict what will be useful for what. And compared to corporate tax breaks and other subsidies, this is chump change.

Security is both subtle and complex, and — unfortunately — it doesn’t readily lend itself to normal legislative processes. The legislative process is used to find consensus, but security by consensus rarely works. On the Internet, security standards are much worse when they’re developed by a consensus body, and much better when someone just goes ahead and creates them.

The point is that we won’t get good security without annoying some lobby – be it the information broker industry, the voting machine industry, the telecommunication companies or some other group. In the current political climate, I don’t know if this is possible.

–###–

Bruce Schneier is an internationally renowned security technologist and author. For additional writings on cybersecurity and terr0orism, please visit his website at www.schneier.com.

Other writings

by Bruce Schneier: 

Federal cybersecurity regulations
http://www.schneier.com/essay-141.html

Security and externalities
http://www.schneier.com/essay-141.html

Cyberwar
http://www.schneier.com/essay-201.html

Chinese hackers
http://www.schneier.com/essay-227.html

Software liabilities
http://www.schneier.com/essay-228.html

The NSA and cybersecurity
http://www.schneier.com/essay-265.html

Privacy and the Internet
http://www.schneier.com/essay-253.html