Posts Tagged ‘cybercrime’
A new type of narrative is taking hold in the coverage of the military conflict between Russia and Georgia. A number of sites are writing about the “cyberwarfare” being waged by pro-Russian forces against the Georgian government. It seems that, like Estonia a year ago, entities evoking the ire of Russia must be forced to combat widespread botnet-based DDoS attacks. I think there is little doubt that such occurrences will be increasingly part of real-world conflicts, but people are rushing into framing this as warfare, which will only lead to military-based reactions – something I fear.
But before we irrevocably frame the issue as one of war, we need to ask if it even is so. Last year during the Estonia attacks, Tim Lee wrote a post arguing that what was happening was little more than petty vandalism. While the media reported that the government, banks and media in Estonia were being targeted, it was really only their public websites. He asked, would the average American even notice if Congress’s website was down?
“I suppose it would be a bit of a pain if I wasn’t able to check CNN or my bank account balance. But that’s not “cyber war.” It’s petty vandalism. It deserves the attention of network security experts at the companies whose websites were targeted, of course, but it’s ridiculous to get NATO involved or to act as though Russia engaging in this kind of “cyber warfare” is even remotely on par with Russia launching cruise missiles against Estonian targets.”
Although in Georgia, obviously, real war is taking place, the cyberattacks don’t seem to be taking down critical infrastructure. Instead, the websites of government ministries have been compromised. In response, the Georgian Ministry of Foreign Affairs has created a blog using Google’s hosted service. With Google’s network engineers protecting the integrity of the site, the ministry can use it to provide information updates. Will other governments come to depend on hosted solutions for their websites? So far consumers and commerce have taken to cloud computing with a vengeance, and one wonders if government, too, will do so. The same benefits of outsourcing internal IT will make it useful for governments to host their websites at specialized hosting services.
While cleaning out my old feeds yesterday, I came across an article from May about a new group which hopes to become “the CDC of cyber security.”
“The group calls itself the International Multilateral Partnership Against Cyber-Terrorism (IMPACT), and its advisory board features tech luminaries like Google’s Vint Cerf and Symantec CEO John Thompson.”
As the Ars Technica writer points out, this CDC-like approach of cooperating and sharing information and strategy to avoid catastrophic network-based attacks is probably a smarter approach to cybersecurity than the “nation-state-centric “cyber warfare” paradigm that is also emerging.” Although I’m still wary that an organization like IMPACT, which doesn’t include China and Russia, will be too centralized, it is certainly closer to the “rough consensus and running code” approach which characterizes the net.
Another approach to Internet security I recently learned about is OpenDNS, which aims to speed up web-surfing and block malware sites. Unfortunately, because it is marketed as a solution to businesses, libraries and schools, administrators can also block innocuous sites like popular social networks. However, they have had great success so far (commercially) and use an intriguing community-based model to label suspicious websites – something which is much better than the secret blocklists of many filtering companies.
Finally, another approach which has gained some traction is StopBadware.org, which is a partnership between academia, private enterprise and non-profits to identify “badware sites.” Most interesting is their partnership with Google, which now warns search users that they may be visiting a badware site. In the coming months, expect more out of StopBadware.org, including the Herdict project, which seeks to crowdsource security.
[See previous thoughts on cybercrime here.]
Update: See Cory Doctorow’s word of caution regarding unintended consequences of fighting malware (in this case spam).
Update II: More news on Federal involvement in cybersecurity.
The growing menace of Internet crime is really astounding. Phishing. Malware. Spam. The volume of attacks and deceptions is extraordinarily high. Estimates of the number of personal computers which are controlled by botnets range from 12-30% of connected computers; these hundreds of millions of machines are then harnessed to attack servers, mine the net for personal data or any number of other nefarious activities. No longer is hacking the pursuit of curious tinkerers or bored teens. Today an entire industry, estimated recently by Gartner to be worth $3.2 billion in 2007, has arisen to sell malicious computer activities.
Cybercrime takes advantage of the generative nature of the net, poorly written code and user ignorance. Like all crime, cybercrime has brought about attempts to regulate the Internet, and often these regulations err on the side of caution and over-regulate, limiting beneficial activities. Rampant copyright infringement brought about the DMCA, which tried to limit illegal song-swapping, but instead has been used to silence critics or sue adorable kids. And, most likely, it hasn’t done a whole lot to stop copyright infringement.
What is at risk with Internet crime is a similar course of events. In briefly reviewing Zittrain’s book, Lessig poses the question:
“Whether a single event, or a coordinated event, whether intentional, or accidental, it is simply a matter of time before a catastrophic network event happens. And when it happens — think of it as a kind of i9/11 event, but the bad guys are not Al-Qaeda — will we be prepared for the inevitable iPatriot Act response? Are we better prepared than civil libertarians were when we were hit with the USA Patriot Act? Have we even framed the right debate?”
Arguably this over-regulation has already started to take place, but it could certainly get worse. To help flesh out some of the important ideas about the future of cybercrime, the Publius Project has commissioned three essays.
Michael Barrett, head of information security at PayPal, writes that the impetus for regulation of cars and airplanes was prominent accidents. Paul Starr tells a similar story in The Creation of the Media about the beginning of radio regulation. Following the sinking of the Titanic, the Radio Act of 1912 required all radio operators to be licensed and all ships to have transmitters, and allocated bands of spectrum for certain purposes. Barrett thinks that cybercrime will have the same effect that the Titanic did and be the cause of serious government regulation of the Internet. In fact, he welcomes it as an important part of the interconnecting regulation needed from government, private industry and users.
First of all, it is not clear that cybercrime will be able to have the dramatic effects that a sinking Titanic did. Many of the threats from online activity, especially identity theft, are well-known and publicized. Others are becoming more publicized, like Internet-facilitated espionage. These cybercrimes will not necessarily serve as the shock that government needs to begin regulation. But let’s say there is an event or series of events powerful enough to induce a government response, as Barrett welcomes and Lessig fears. Is that the right response?
Cybercrime, as best we know, is not centralized. There is no capital city to bomb, leaders to sanction or even mob boss to imprison. As security expert Bruce Schneier says, even the alleged Chinese spy-hackers are not controlled by the state. So, what the cyber-police or other government regulation would be up against is a distributed network of criminals – a classic starfish – and one does not combat decentralized organizations in the same manner as centralized ones. As The Starfish and the Spider points out, to beat a decentralized foe, in this case, cybercrime, one must decentralize oneself, centralize the opponent or change the ideology. In this light, Barrett’s assertion that “it’s quite possible that a new global governance organization is needed” seems misguided. While I welcome his support of a shared responsibility between stakeholders, I am fearful that calling for government regulation may be regrettable.
Instead, the words of Internet guru David Clark seem more nuanced:
“So the starting point for improving the state of Internet security must be a social dialog, not just a technical dialog, about what sort of Internet we want. The challenge to the technical community is not to build a very secure Internet—that might be more of a price than we actually want to pay. The challenge is to find clever ways to give us more security without taking away our freedom of action. And finding these better solutions will require a design process that involves both technologists and social observers, because it will take both technical imagination and social imagination to conceive of a different Internet from what we have today, more secure but still suited to our desires for open, diverse access.”
This social dialog should recognize the power of defaults and architect a security-bias. Beau Brendler, in his essay, embraces this by calling for simple solutions which “nudge,” to use Sunstein and Thaler’s expression, users towards more secure computing. Provide free anti-virus software and simple-to-understand security manuals, for one.
But if these soft-power solutions are to emerge, they had better do so quickly because while mainstream media rhetoric on the issues may border on panicked, those who know best are worried, too. And if we are to save the open, generative net, it will need saving from both itself and outside regulation.