Tackling Cyber Security: Should We Trust the Libertarians?

By Terry Zink
Terry Zink

One of the RSS feeds that I read is Reason magazine, which is a web site for libertarians. In general, libertarians want less government intervention both in our personal lives and in the economy. The idea behind libertarians is that today's Republicans want less government intervention in our economy but are perfectly fine to have them dictate some aspects of morality. Similarly, today's Democrats want less government intervention in our personal lives but are perfectly fine with creating government bureaucracy to deliver social services. That's an oversimplified summary, but is more or less correct.

About two months ago I got an article in my RSS feed where Reason was commenting on the government's response to the cyber war threats. The summary of the article is that the government is using the threat of cyber attacks to increase its power to control, regulate and/or spy on the Internet… and the threat is overblown.

Ryan Singel of Wired is referring to this statement of Mitch McConnell's, former director of national intelligence:

We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds. More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable.

So do the libertarians have a point? Is the government proposing this in order to expand its influence and shut down dissenters? Or is Singel unaware of the nature of the threat?

The problem that we have today in cyber security is exactly what McConnell is talking about. Attackers can hide behind anonymity in order to launch DOS attacks, host phishing, send spam, create malware, and so forth. This inherent in the design of the Internet. For example, SMTP is the protocol we use to send email. In its basic form, SMTP does not require authentication and anybody can send as anybody else. For sure, we have built identity technologies like SPF, DKIM and SenderID. However, email receivers still have to support unauthenticated email. And because the cost of email is borne by the receiver and not the sender, there is plenty of incentive for spammers to spam. They can hide behind that anonymity, or fake identity. We can attempt to back trace some spammers but it doesn't always work. Tracking down a spammer is a non-trivial task and it's made easier because there is no inherent identity or authenticity.

If we were to start all over again, the designers of the Internet would not design it so that anyone could do anything. The reason that the Internet is open and anonymous (to some degree) is because when it was created, it was only intended to be used by a very small user base. It wasn't anticipated that it would be launched for widespread use, and it wasn't foreseen that the types of abuses that we see today would occur. Geeks all trust each other and they don't always understand that if you give something away for free, spammers will abuse it. If the geeks who built the original Internet would have taken into account all of the ways that the Internet could be abused, they wouldn't have been so loosey-goosey with it.

Unfortunately, we are now stuck with all of this existing infrastructure. Microsoft has revamped its image since launching its Trustworthy Computing Initiative in 2002. (Disclaimer: I'm a Program Manager for Microsoft Forefront Online Security.) Going forward, newer versions of Microsoft software is more secure than the older one. Unfortunately, there is still plenty of old software out there with security vulnerabilities that Microsoft has to support. This software accounts for the majority of exploits. Over time, it's being replaced with more secure versions but it takes time.

And so it is for the Internet, but worse. When it went public (or privatized, depending upon how you look at it) in 1995, people built applications. And applications upon those applications. Protocols were developed. And online communication was established. And they built dependencies upon these open protocols that were so easy to exploit. And so, we now have a big problem — reinventing the Internet means having to redo a lot of work that's already been built. Who wants to redo everything when the current version is already working?

That the Internet is anonymous is not by intentional design, but a byproduct of something that wasn't originally designed to become as widely used as it is today. There was no Secure Development Lifecyle back then. The Internet then became popular and its "anonymity" became trumpeted as one of its strengths as if this was the intention all along. That's doubtful that it's true, but culturally, because freedom of speech is a Western value, that anonymity translated into a core requirement for the 'net.

It would kind of like if I had a home and one side of it was sinking into the ground so I put a few cinder blocks under the corner to prop it up. It's there for a utility to serve its purpose and nobody other than me cares about it. But one day, my neighbor decides to build a duplex and uses those same cinderblocks as part of the foundation. This isn't the optimal purpose but hey, it works. And besides which, we can fix it later. But then a developer builds another duplex, and then an apartment complex. Pretty soon, it becomes very difficult to replace those cinder blocks. My house has a dependency on those cinder blocks and so does everyone else. But by no means is my short term fix intended to be the optimal way of holding up a house. Cheapskate me should have replaced the foundation when I had the chance. Cinder blocks are not a good way to hold up a house.

It's not a perfect analogy, but the way I see it, the Internet's inherent insecurity is not the optimal way to go about designing a network.

By Terry Zink, Program Manager. Visit the blog maintained by Terry Zink here.

Related topics: Cyberattack, Cybercrime, Cybersecurity, Internet Governance, Policy & Regulation, Privacy