A lot of us are worried about online privacy. Whether it's
Big Brother, corporate interests, or your neighbor down
the street, chances are you have something to hide from
someone else. Quite frankly, the NSA, CIA, FBI, and most
of the other three-lettered government agencies are
suffering from a glut of information. You've used search
engines before, we all have - and we know how hard it is
to use them to find a specific piece of information. The
government's problem is a little bit worse.
During the cold war East Germany had a massive spy network.
The CIA and NSA were involved in monitoring communications
in the area for us. There are thousands of tapes that, to
this day, have not been reviewed. They were recorded,
sent to an archive, and have never been listened to. Ever.
With the explosion of the internet, the problem has become
even worse. Not only is there a glut of information, but
hundreds of opportunities for steganography exist online,
in addition to strong crypto being used by lay-people. I
truly feel for the NSA, it has to be tough to live up to
this country's expectations of it.
I don't believe the government is invading people's privacy on a
mass-scale. They simply cannot - it's inefficient, expensive,
and has little practical benefit. Quite frankly, you're just
not important enough. While the capability to monitor you
inexpensively exists, the manpower and information processing
resources currently available mean that the paranoia about
the government is unjustified.
It's been necessary to state this to get to the heart of
the matter, but first I had to dispel some FUD surrounding
our government - Yes, they've made mistakes, but right now
they need some help about a very important issue. The United
States, as well as most European countries that are tied to
us economically and whose economies are increasingly dependent
on the internet, is facing a substantial danger online.
With ever-increasingly complex operating systems and software,
security vulnerabilities are being reported (and exploited)
at an unprecedented rate. As Bugtraq's moderator, Aleph1,
would no doubt tell you, it's not an easy job keeping abreast
of new changes - entire classes of vulnerabilities are
discovered every year.
Many administrators are concerned about security, but are
undereducated or too busy to deal with it. The result is
that even when patches and updates are available they go
unapplied on millions of computers connected to the 'net.
Even for those administrators who take security seriously,
invariably a mistake is made - an improperly applied patch,
a typo in a configuration file, incorrect file permissions,
in addition to a plethora of unpublished hacks which you
simply don't hear about. The end result of this is an
internet which is, to paraphrase Bruce Schneier, dying
by death of a thousand paper cuts.
Many of our financial systems are based online,
and as I've demonstrated above, these systems are
constantly under a low-level attack, with new attacks
being discovered daily on the front lines. Many times
major disaster has been avoided by sheer luck or quick
responses by system administrators watching over the
networks late at night. While many of these attacks are harmless presently, they are growing in both numbers and severity.
The mainstream media has routinely released, and continues
to release, information which is inaccurate, misleading, and
sometimes dangerous. While the latest e-mail virus (such
as ILOVEYOU) and Amazon.com outages make the front page, more
serious issues like those reported on BugTraq daily are
completely unnoticed. The American public is not aware of
how fragile the networks we maintain are, and if they knew,
chances are they would overreact and do something stupid
anyway - like have the government get involved in all the wrong ways.
The conclusion of all of this is sobering: It's not a
question of if, but when, there will be a determined,
high level attack on our network infrastructure. Many
white hat groups have expressed concern over the relative
ease with which routing protocols can be exploited - a few
well placed packets would be all it would take to crash
the internet, based largely on dynamic routing. Although
the internet is distributed, a few critical superstructure
points (the backbone) could fail, leading to a cascade
failure which could kill connectivity around the world for
days, maybe even weeks. Nightmares about backhoes aren't
the only thing keeping network administrators up at night.
I propose, as a partial solution to this problem, that
we expand the defense budget to include the internet's
infrastructure points and allocate funding accordingly,
making government resources and personnel available to the
companies responsible for major portions of the internet
(amazon.com does *not* count). This includes the NSA.
I also propose that countries other than the United States implement
similar practices, and that they work together to share resources
and information with other countries. We are all interdependent
on each other.
We need our core network infrastructure to be hardened against
attack, but we must also balance this against private-sector
interests. This is the catch - ISPs will be responsible for
the security of their networks. If, through negligence, an
attack originates from their network and causes substantial
harm to the network, they can and should face both civil and
criminal liability. You don't have to ask the government for
help but if you do, your liability goes down.
I conclude that the government has neither the resources
nor the inclination to spy on the average person, that
we are facing the threat of attack both domestically and
abroad which could lead to substantial economic damage in
this country, that there are insufficient safeguards in
place to protect against this, and that our government can
and should be empowered with the ability to protect against