Even before the shooting starts, and almost always after it does, the network attackers crank up. In Africa, rival factions in the various civil wars blast at each other via website, and occasionally try to mail-bomb or otherwise take down the opposing sites. The Indians and the Pakistanis have a constant low-level battle going, and the last time they started shooting it escalated within hours to a full-scale hack attack on each other. Most recently, Azeri hackers defaced a number of Danish websites in retaliation for the dissing of Mohammed via cartoon.
So here we sit. Businesses and government have developed a high degree of dependency on the Internet for their normal operations; we even have telcos aggressively marketing Voice-Over-Internet-Protocol (VOIP) telephony to all and sundry. Even our power transmission grid, which is in itself running at near-maximum load levels in normal times, uses the Internet as a communication medium among its control centers. So I ask, given all this, who is defending this resource, and how? I grant you that we can't defend the Internet outside our borders, but what are we doing here to secure ourselves?
Looking at our government doesn't give you much comfort — this is the government (at all levels, not just the feds) who failed to take action on 15 years of recurring warnings from the engineering community about the vulnerability of New Orleans to flooding, and who even in the face of an over-the-top storm bearing down on them seemed to be (collectively) deer in the headlights. The National Critical Infrastructure Protection group has been captured and folded into the Department of Homeland Security and renamed the National Infrastructure Advisory Council, a chillingly-vague title for a group with such presumably critical responsibilities. I note that none — none — of their working papers is dated later than 2004, and they are mostly agency-startup fluff pieces acknowledging the problem but not even proposing an approach to solving it.
Now, one line of reasoning says that "protection plans are being developed and they have to be secret, have faith in us," but this is not a comforting line of thought. Our government's history with even basic day-to-day system development is not reassuring: witness the recently-dumped FBI records system, dropped after $200,000,000 was spent on it over 10 years, and nothing of use came of it. Or the Do Not Fly database, which can't keep US Senators off it, and lists 6-year-olds as confirmed terrorists (and this system is presumably some kind of priority!). Or the Department of the Interior's Indian Trust Fund database, which the GAO required them to remove from public visibility. Will they somehow do better on very complex, fast-evolving, and even more technologically complex systems?
Maybe the government has engaged legions of hackers, of which we certainly have some of the best in the world, ready to be called up to a) protect us from attack, and b) launch a devastating counterattack. Why do I doubt they have done this? Is it because the current administration has such a loathing for anything Federal and such a tendency to suggest that everyone protect themselves? That's certainly the message that came from New Orleans.
Maybe the solution is to do a kind of "open-source" review of our approach to securing the Internet. This kind of peer review is what makes encryption systems so hard to break, because thousands of eyes are looking for flaws and proposing fixes. I don't know, but I'm worried.
Oh, and in the last round of serious India-Pakistan attack-hacking, it's generally accepted that the Pakistanis won. This should give us some pause: the Indians are our friends, and the Pakistanis are not necessarily so.