Vol. 43, No. 4

In This Edition

One of our goals for each edition of The Ripon Forum is to focus on a particular issue or theme. This current edition is no different. But as we began work on it, we began to wonder whether we had failed to accomplish this goal. This edition does, after all, feature as its cover story a terrific […]

Without Responsibility, There is No Reform

“If we can provide the proper incentives to encourage people to live healthier lives, there will be adequate money to help others deal with the cost of their care.”

The Consensus That Exists, and the Obstacles to Reform

“Once again, the nation is in the throes of debating health care reform. Although a perennial topic during Presidential elections, it has been a decade and a half since the country has been consumed by health care reform as a major issue — perhaps the major issue — of the day.”

Census and Sensibility

“In the great sea of partisanship that is the seat of federal government, a lone island of nonpartisan calm must always be the United States Census Bureau.”

The CFO Act 20 Years Later: A Smart Government Idea that is Being Ignored

“The CFO Act has raised the importance of proper accounting standards in government and increased the stature of the financial professionals. Now it is time to move to the next phase and substantially raise the bar by connecting financial accounting to better outcomes in government.”

The Invisible Battleground

“The government should legislate for the results it wants and implement the appropriate penalties, then step back and let the market figure out how to achieve those results.”

The Rise of Value Voters

“To reach independents, Republicans not only need to tap into the frustration they have over the growth of government, but tap into their desire to make government work.”

The Unbridled Growth of Federal Power and the Complacency of the States

Michael O. Leavitt states, “Without steady counter pressure from unified states, the momentum of Washington’s budget, influence and arrogance will inevitably grow.”

Right-Sizing Government

Donald Carcieri, Governor of the State of Rhode Island, discusses the fiscal challenges his state is facing: “Rhode Island doesn’t need higher taxes, it needs more taxpayers. It needs an expanding economy, not an expanding government.”

A Radical Solution for California’s Intractable Woes

“With California grappling with a crisis of historic proportions, many people feel it is time to draw upon the genius of what has always been the Golden State’s greatest resource — Californians themselves.”

A GOP Resurgence in the Northeast

Charles Bass, representative of New Hampshire, writes, “…if we are going to become the majority party again in this country, we must rise like Lazarus in the Northeast.”

Of Memoirs and Malcontents: Why the easy thing is not always the right thing to do

“With all the ingredients present for a political tell-all novel about my time as Governor Mark Sanford’s communications director, I’ve had a number of people ask when the book is hitting the shelves.”

The Ripon Profile of Jason Chaffetz

The GOP must “return to our true conservative principles such as a strong national defense, limited government, accountability, and fiscal discipline.”

The Invisible Battleground

Absolute security on the Internet is impossible, but we still have to try to get it right.

Security is one of the fundamental building blocks of the Internet. Everything we do on the Internet, from casual conversations to business transactions to our critical infrastructure, requires some level of security. And because we want to do everything on the Internet, and because so much of our nation’s critical infrastructure has migrated to the Internet, Internet security is critical for national security.

Absolute security is impossible. There’s no way to eliminate the risks of fraud, identity theft, espionage, or malicious attack. But that’s okay — it’s no different than the real world. We make security trade-offs all the time, finding acceptable levels for risks like privacy loss, theft, large-scale financial fraud, and even terrorism. The dangers on the Internet are really no different than those in the real world.

But there are differences, and they trip us up again and again. We understand how the real world works, so we try to apply that understanding to the Internet. We want to prevent copyright infringement, so we try to make bits so they can’t be copied. We want to know where data comes from, so we try to enforce attribution. We think we can design computer voting machines because we know how mechanical voting machines work. We build electronic banking systems that mimic the brick-and-mortar bank branches they’ve replaced, and social networking sites that try to capture all the richness of human interaction. But these things don’t work as we envision, because the world of bits is unlike the world of atoms — and the same rules don’t apply.

This isn’t to say that Internet security is impossible, only that we tend to go about it all wrong. But as more and more of our critical infrastructure moves to the Internet, we need to start getting it right.

First, two observations.

One: details matter. There are lots of serious issues that we have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It’s not enough to get the broad policy goals right. We can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.

Two: the Internet is global, and any security solutions have to take that into account. One of the reasons anti-spam legislation has so little effect is that most spam comes from overseas. Laws attempting to regulate anonymity will fail for similar reasons.

Now, four concrete policy recommendations.

1) The government needs to secure its own networks. This will take money, and it will take coordination. We need a cybersecurity coordinator, and he needs to have budgetary authority. This should be done openly, with commercial products, and not behind classified doors. Despite what the NSA might say, we should not weaken security by building systems to facilitate eavesdropping. We’re all safer if information technology is more secure, even though the bad guys can use it, too. And the NSA should not be in charge of this in any case — these are common problems with common solutions, and secrecy doesn’t help.

2) The government should use its immense buying power to improve the security of commercial products and services. Most of the cost of these products is in development rather than production. Think software: the first copy costs millions to develop, but subsequent copies are essentially free. Additionally, the government has to buy computers for all its employees, and secure all its networks. It should consolidate those contracts, and include explicit security requirements. This will motivate vendors to make serious security improvements in the products and services they sell to the government, and everyone else will benefit because vendors will include those improvements in the same products and services they sell commercially.

3) We need smart legislation to improve security in places where critical infrastructure is in private hands. We shouldn’t make the mistake of thinking the market will magically solve Internet security. There are lots of areas in security where externalities cause security failures. For example, software companies that sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. Good laws regulate results, not methodologies. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating liabilities for software vulnerabilities is good; detailing how to avoid them is not. The government should legislate for the results it wants and implement the appropriate penalties, then step back and let the market figure out how to achieve those results. That’s what markets are good at.

4) We need to invest broadly in security research. Basic research is risky; it doesn’t always pay off. That’s why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup. But the root cause of its demise was a desire for higher efficiency and short-term profitability—not unreasonable in an unregulated business. Government research can be used to balance that desire by funding long-term research. We should let the NSF and other funding agencies decide how to spend the money with minimal micromanagement from Congress; the same with the national laboratories. Yes, some research will sound silly to a layman. But no one can predict what will be useful for what. And compared to corporate tax breaks and other subsidies, this is chump change.

Security is both subtle and complex, and — unfortunately — it doesn’t readily lend itself to normal legislative processes. The legislative process is used to find consensus, but security by consensus rarely works. On the Internet, security standards are much worse when they’re developed by a consensus body, and much better when someone just goes ahead and creates them.

The point is that we won’t get good security without annoying some lobby – be it the information broker industry, the voting machine industry, the telecommunication companies or some other group. In the current political climate, I don’t know if this is possible.

Bruce Schneier is an internationally renowned security technologist and author. For additional writings on cybersecurity and terrorism, please visit his website at www.schneier.com.

Other writings by Bruce Schneier:

Federal cybersecurity regulations
Security and externalities
Chinese hackers
Software liabilities
The NSA and cybersecurity
Privacy and the Internet