overstate, ignore, repeat

posted by tom / December 06, 2004 /

If news had a smell, today it would reek of ozone and urine-soaked khakis. That's right -- it's time to be terrified of cyberterrorism. DHS has released its report on cybersecurity, including a rough evaluation of the threat posed by cyberterrorism, the looming explosion of cybercrime, and some cyberrecommendations for expanding the cyberbureaucracy to cyberfight these menaces. Sorry; cybermenaces.

But before that, we've got former CIA chief Robert Gates warning about the grave threat of cyberterrorism, saying that it could be the most devastating weapon of mass destruction yet. From the AP story:

"When a teenage hacker in the Philippines overnight can wreak $10 billion in damage to the U.S. economy by implanting a virus, imagine what a sophisticated, well-funded effort to attack the computer base of our economy could accomplish"

...

He said the CIA and National Security Agency conducted an exercise six years ago, assigning 50 computer specialists to see how hard it would be to shut down the nation's electric grid. It took only two days for the group to put itself in a position to do so, he said.

"All you have to do is look at what happened in the northeast when you had a tree fall on a line in rural Ohio," he said of a blackout that affected cities from Detroit to New York last year. "What I am talking about is bringing the U.S. economy to its knees."

The first thing to note about all of this is that it's utter bullshit.

The damage amounts claimed by the industry are always, ALWAYS hugely inflated. In the same way that the RIAA claims every download is a lost sale, these figures are concocted to make the problem seem larger and more pressing than it is.

The second thing to note is that there is no reason to think that a dedicated, sponsored team of hackers could necessarily do more network damage than a smart Filipino teenager. The sophistication of viruses and other malware has historically had little impact on their virulence -- most of the worst offenders have been slightly modified versions of earlier bugs. The idea that more hackers = more threat is wrongheaded. Malware authors don't actually do damage -- they create weapons that cause damage. This may sound silly, but it's an important distinction. The costs associated with developing these weapons are so slight that their quality does not depend on the quantity of resources allocated nearly so much as it depends on the brilliance of their creators and, to a larger extent, luck.

Third, using the power grid as an example is a deeply dishonest scare tactic. Coupling the electrical system to the internet is far too stupid an idea for anyone to have ever seriously considered implementing it. I have no doubt those fifty engineers came up with a way to shut off our power, but the odds that it could be done from any old computer are about zero. Obviously the specific vulnerability wouldn't have been disclosed, but a few well-placed bombs seem a likely candidate. I suppose we'd experience some pretty big computer outages then, but calling this cyberterrorism is like calling 9/11 a historic moment in vandalism by virtue of the number of windows that got broken.

Which brings us to the DHS report -- it begins and ends by invoking September 11th as a call-to-arms for our nation's security professionals. I imagine that all DHS reports start off this way. The problem is that the present conflict has very little to do with cyberterrorism. Computer criminals tend to be well-educated, from countries rich enough to have a decent network infrastructure, and part of an online culture dominated by libertarian atheism. These are not the sort of folks Middle Eastern Islamofascists tend to hang out with. Southeast Asia is the only region that has produced any Muslim computer crime that has significantly affected American companies. Palestinian script-kiddies have put up websites encouraging attacks on Israeli firms, and there have been some back-and-forth website defacements, but nothing too serious, and certainly nothing organized by genuinely dangerous fanatics. Islamic zealotry is occasionally invoked to excuse a more universal teenage zeal for being a jerk and causing mayhem, but we're a long way from an organized electronic attack on America.

The report admits that the only really plausible tie-in to terrorism is the use of electronic crime to raise money for terrorist activities, but it's tough to believe that identity theft is a better racket for these folks than finding a sympathetic recipient of oil money. Internet technology offers a pipeline of liberal culture, and requires a baseline of wealth and education. It's not a weapon that's well-suited to religious fanatics who trade on the fury of poor, uneducated followers.

So Bin Laden is probably not going to computer-virus us to death, and the larger problem is not as grave as computer security professionals tend to imply. Still, overseas crime syndicates are starting to get serious about online operations, and there's no question that the economic impact of a serious attack on the internet gets larger every day. It's worth paying attention to the problem, and DHS has some recommendations.

Some of them are good: expanding US-CERT, developing comprehensive plans to account for disasters and attacks, and funding computer security training programs. They'll be expanding the bureaucracy at DHS as well, which is fine, I suppose. But there's a conspicuous lack of initiatives that address actual threats as they exist today.

Fortunately, the internet is really, really well-designed. It's not a stretch to call it one of the greatest feats of engineering in human history. Seriously. As most folks know, the whole thing started out as ARPANET, a DoD project to create a communications network that could withstand a massive attack. Capacity can decrease, but routing protocols steer traffic around failed links automatically, and TCP retransmits whatever gets lost, so reliable communication can occur even over a somewhat faulty link. There are only two plausible ways of taking the whole thing down that I'm aware of.

First, there are a few points of vulnerability. The internet's backbone routers are too homogeneous -- 58% are made by Cisco, and shared vulnerabilities can exist across products in their line. So far, none of these have been discovered significantly in advance of patches being issued, but if one were, the internet would slow to a crawl, and large parts would stop working altogether. Cisco has done a good job, but some oversight of their code and some policy encouraging the use of diverse types of routers would improve overall security.

Another potential concern is the security of the root DNS servers. However, these run on heterogeneous software, are physically secure and geographically distributed, and because resolvers cache the top-level-domain delegations (typically for up to two days), the DNS system would keep working for a while even if they all went offline. So we're probably okay on that front.

The other type of inherent vulnerability is to a distributed attack -- when an attack is coming from a lot of places, it's tougher to block. There are two ways for this to go down: the first is through the use of worms. Programs like Sasser and Code Red exploit vulnerabilities to replicate without user interaction. They generate a lot of network traffic and can spread extremely quickly -- check out this animation of Code Red's spread over a 24-hour period. In the process, it slowed the internet to a crawl.
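To put numbers on "spread extremely quickly", here is a toy simulation of a Code Red-style random-scanning worm. It is an added example, not code from the original post or from any worm analysis, and the address-space size, host count and scan rates are made-up parameters chosen to run in a few seconds. Each infected host probes random addresses every tick; the thing to notice is that the time to saturation is governed by how densely the vulnerable hosts populate the address space and by the per-host scan rate, not by anything about the attacker.

```python
import random


def simulate_worm(address_space, vulnerable, scans_per_tick, seed=1, max_ticks=5000):
    """Toy model of a random-scanning worm in the Code Red mould.

    `vulnerable` hosts sit at random addresses in a space of `address_space`
    addresses.  Every tick, each infected host probes `scans_per_tick`
    uniformly random addresses; a probe that lands on a vulnerable host
    infects it.  Returns the infected count after each tick, stopping once
    every vulnerable host is owned (or at max_ticks).
    """
    rng = random.Random(seed)                      # seeded so runs are repeatable
    hosts = set(rng.sample(range(address_space), vulnerable))
    infected = {min(hosts)}                        # patient zero
    history = [len(infected)]
    for _ in range(max_ticks):
        if len(infected) == vulnerable:
            break
        probes = len(infected) * scans_per_tick    # scanning load grows with the infection
        for _ in range(probes):
            target = rng.randrange(address_space)
            if target in hosts:
                infected.add(target)               # no-op if already infected
        history.append(len(infected))
    return history


def ticks_to_reach(history, fraction, total):
    """First tick at which at least `fraction` of `total` hosts are infected (None if never)."""
    goal = fraction * total
    for tick, count in enumerate(history):
        if count >= goal:
            return tick
    return None


if __name__ == "__main__":
    SPACE = 2 ** 14                                # constructed: 16k-address toy internet
    for hosts, scans in ((500, 1), (500, 4), (125, 4)):
        h = simulate_worm(SPACE, hosts, scans)
        print(f"{hosts} vulnerable hosts, {scans} probe(s)/tick: "
              f"50% at tick {ticks_to_reach(h, 0.5, hosts)}, "
              f"90% at tick {ticks_to_reach(h, 0.9, hosts)}, all at tick {len(h) - 1}")
```

Quadrupling the scan rate cuts the time to saturation roughly fourfold, and thinning the vulnerable population by the same factor slows it by about as much; the S-shaped curve in `history` is the same logistic growth the real Code Red animation shows, which is why patching (shrinking the vulnerable population) and egress rate-limiting (capping scans per host) are the two levers that actually matter.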

The other avenue for a distributed attack is for an array of previously infected "zombie" machines to be simultaneously prompted to do a lot of small evil in parallel, with big total effects. This is how a lot of spam gets sent -- a home user has no idea their system is compromised, and probably never will, even as it silently spits out hundreds of offers a day for cheap v1agra. There are a lot of zombie machines out there -- it's not uncommon or implausible for a script-kiddie to have a network of thousands of machines at his disposal. Check out this article -- if you put an unpatched install of Windows XP on a public IP address (i.e., not behind a NAT router or firewall) it can be zombified within four minutes. Miscreants are constantly scanning IP ranges looking for vulnerable machines, which they can then infect using the same sorts of exploits that power the aforementioned worms. The less-sophisticated simply send out email with trojans attached; those who stupidly open the attachments are zombified.
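The "hundreds of offers a day" behaviour is also the easiest way to spot a zombie from the network side: an ordinary desktop hands its mail to one relay, a spam bot opens SMTP connections to dozens of different mail exchangers an hour. The detector below is an added example, not part of the original post; the flow records, the addresses and the relay allowlist are all constructed, and the "epoch src dst dport bytes" layout is a simplified stand-in for whatever your flow collector emits.

```python
from collections import Counter, defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst dport nbytes")

# Constructed sample records (not real traffic) in a NetFlow-ish layout.
# 192.168.1.30 is an ordinary desktop that mails via the site relay,
# 192.168.1.5 is the legitimate outbound relay, 192.168.1.20 is the zombie.
SAMPLE_LOG = """\
# epoch      src           dst            dport bytes
1102291200   192.168.1.30  192.168.1.5    25    4210
1102291260   192.168.1.30  192.168.1.5    25    3890
1102291320   192.168.1.30  203.0.113.10   80    15032
1102291330   192.168.1.5   198.51.100.7   25    4300
1102291331   192.168.1.5   198.51.100.8   25    2100
1102291400   192.168.1.20  203.0.113.10   80    9800
"""


def zombie_burst(src="192.168.1.20", start=1102291200, count=36):
    """Constructed burst: one spam delivery every 15 s, each to a different remote MX."""
    return "\n".join(f"{start + 15 * i} {src} 203.0.113.{i + 1} 25 1800"
                     for i in range(count))


def parse_flows(text):
    """Parse whitespace-separated flow lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_spam_zombies(flows, threshold=10, window=3600, relays=frozenset({"192.168.1.5"})):
    """Flag hosts that talk SMTP (port 25) to more than `threshold` distinct
    destinations inside any `window`-second span.  Known relays are exempt:
    they legitimately fan out to many MXs; everyone else should be using them."""
    smtp = defaultdict(list)
    for f in flows:
        if f.dport == 25 and f.src not in relays:
            smtp[f.src].append((f.ts, f.dst))

    flagged = {}
    for src, events in smtp.items():
        events.sort()
        in_window = Counter()          # dst -> flows to it still inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:   # slide the window's left edge
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))       # distinct destinations in this window
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG + "\n" + zombie_burst())
    for host, fanout in find_spam_zombies(flows).items():
        print(f"{host}: SMTP to {fanout} distinct hosts within an hour -- likely zombie")
```

Counting distinct destinations rather than raw connections is what keeps the desktop (two connections, one destination) off the list, and the allowlist is what keeps the relay off it; the same fan-out logic with a different port catches the scanning phase, where a freshly zombified box starts probing neighbours on 135/445 looking for its next victim.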

There are two ways to fight these kinds of attacks. The first is to help users avoid becoming zombies. CERT is doing a good job of providing tips and alerts, but not enough is being done to go after the zombie network owners. I have no idea why the government continues to try to fight electronic crime with bureaucracy and press conferences. There's a place for that, but a lot of good can be accomplished with well-written protective software. The feds ought to hire a dozen high-quality open-source programmers and put together a zombie shield application that auto-updates as new vulnerabilities are discovered. In addition to preventing infection, a tool like this could help track and report where instructions and infection are coming from, making prosecution much easier. Right now the situation is reactive -- a zombienet's owner might be chased down after they cause noticeable damage, but usually not before. We ought to be creating a real disincentive for owning the zombienet in the first place.

The other way to fight these problems is to eliminate vulnerabilities in software. This is the only non-reactive proposal that the DHS report includes at all, and their suggestions are still awfully lame:

Addressing vulnerabilities requires additional attention. For example, companies that develop hardware, software, and networking platforms should continue to strive to eliminate as many flaws and vulnerabilities as possible before their products enter the market. While it is nearly impossible to create a product that is 100% error-free, several IT security businesses stated that they have efforts underway to increase the security and dependability of pre-marketed technologies. The subcommittee views these initiatives as positive. More, however, can be done. Both Congress and the Department of Homeland Security should consider incentives and recognition programs to encourage private industry to develop more secure cyber products.

I see. So, companies should try to create good products. Great idea! And good news: they've already promised that they'll start doing so! Any day now. Maybe we'll throw some awards or a little money their way when they produce a secure product, too.

This is ludicrously naive. Despite the lip service paid to it, market forces will always ensure that software is produced with the minimum effort necessary to profit maximally. There are very few applications where security is a high enough priority to justify a price tag that will pay for serious vulnerability auditing. Most just need to be "good enough". There are some encouraging developments -- processors are fast enough that the future of programming seems likely to lie with managed runtimes (virtual machines) like Microsoft's .NET platform. This and other innovations can mostly eliminate broad classes of vulnerabilities like buffer overflows. But the safe money is that software will always have exploitable bugs.

Incentive programs are more hopeless -- a lack of known vulnerabilities is not proof of well-written software. It's the other way around -- known vulnerabilities are proof of badly-written software. Nothing will be accomplished by handing out money or plaques to companies simply because hackers haven't bothered to attack their products. You might as well start cutting checks to every person who hasn't been mugged as a way of eliminating street crime.

Given that bugs are a fact of life, the obvious solution is to encourage heterogeneity in software products. A diverse computing environment is a harder one to attack -- the idea here is similar to genetic diversity within a population supplying better disease resistance. To the extent that diversity can be encouraged while maintaining interoperability, it should be.

More to the point, though, the government is selecting for insecure traits by continuing to spend billions of dollars on Microsoft products. It's true that open-source software partly owes its relative security to its smaller market share, but it also tends to be more thoroughly scrutinized, more quickly patched, and in some cases (such as the Linux kernel) inherently more secure than Microsoft's offerings by virtue of its architecture. The feds could save a lot of money, encourage widespread adoption and significantly improve their own security by transitioning as much of their computing infrastructure to Linux as possible. The government ought to be taking deliberate steps to diversify our computing environment.
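The monoculture argument, both the 58%-Cisco backbone point above and the software-diversity point here, comes down to one question: when a single shared flaw takes every box from one vendor offline, how much of the network is still mutually reachable? The simulation below is an added example, not code from the original post; the 58% figure is the post's, while the remaining market shares, the four-vendor alternative and the random peering topology are assumptions, and it models only reachability, not the routing-protocol churn a real outage would add.

```python
import random
from collections import deque


def build_backbone(n_nodes, links_per_node, seed=7):
    """Constructed toy backbone: every router peers with `links_per_node` random
    others (undirected), for an average degree of about 2 * links_per_node."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n_nodes)}
    for i in range(n_nodes):
        peers = rng.sample([k for k in range(n_nodes) if k != i], links_per_node)
        for j in peers:
            adj[i].add(j)
            adj[j].add(i)
    return adj


def assign_vendors(n_nodes, shares, seed=7):
    """Hand out vendors in proportion to `shares` (vendor -> market share, summing to 1)."""
    rng = random.Random(seed)
    order = list(range(n_nodes))
    rng.shuffle(order)
    vendor_of = {}
    start = 0
    for vendor, share in shares.items():
        count = round(share * n_nodes)
        for node in order[start:start + count]:
            vendor_of[node] = vendor
        start += count
    for node in order[start:]:              # rounding leftovers go to the last vendor
        vendor_of[node] = vendor
    return vendor_of


def largest_component_fraction(adj, alive):
    """Share of ALL routers that sit in the largest connected component of the survivors."""
    seen = set()
    best = 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue = deque([start])
        size = 0
        while queue:                        # plain BFS over surviving routers
            u = queue.popleft()
            size += 1
            for v in adj[u]:
                if v in alive and v not in seen:
                    seen.add(v)
                    queue.append(v)
        best = max(best, size)
    return best / len(adj)


def worst_vendor_outage(adj, vendor_of):
    """One flaw shared across a vendor's product line takes every router of that
    vendor offline.  Returns (worst surviving reachable fraction, per-vendor dict)."""
    per_vendor = {}
    for vendor in set(vendor_of.values()):
        alive = {n for n, v in vendor_of.items() if v != vendor}
        per_vendor[vendor] = largest_component_fraction(adj, alive)
    return min(per_vendor.values()), per_vendor


# 58% is the post's number; the other shares and the topology are assumptions.
MONOCULTURE = {"cisco": 0.58, "vendor_b": 0.30, "vendor_c": 0.12}
DIVERSE = {"cisco": 0.25, "vendor_b": 0.25, "vendor_c": 0.25, "vendor_d": 0.25}


def compare(n_nodes=400, links_per_node=3):
    """Worst-case surviving reachability for each market-share mix on the same topology."""
    adj = build_backbone(n_nodes, links_per_node)
    return {name: worst_vendor_outage(adj, assign_vendors(n_nodes, shares))[0]
            for name, shares in (("monoculture", MONOCULTURE), ("diverse", DIVERSE))}


if __name__ == "__main__":
    for name, fraction in compare().items():
        print(f"{name:12s}: {fraction:.0%} of the backbone still mutually reachable "
              f"after the worst single-vendor exploit")
```

Losing 58% of the routers at once leaves well under half the backbone reachable even in this forgiving model, while a four-way split loses at most a quarter and the survivors stay almost entirely connected. The connectivity of the survivors is an upper bound on how well any amount of "reactive prosecution" could have helped; the only lever that changes the number is the share held by the worst vendor.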

Unfortunately, there's nothing in the DHS report about that. There are some good ideas in there, but ultimately they merely continue the traditions of reactive prosecution, expanding bureaucracy, and dishonest fearmongering in the guise of "raising awareness". We ought to be aggressively pursuing known types of threats and transforming our systems to be less vulnerable. It seems like that will have to wait for another day.

Comments

how is it one blogger (or many, probably) can know this and put together this post in, i'm guessing, a matter of hours, but we get the report you analyze?

Posted by: matty on December 8, 2004 12:16 AM

Well, cause I'm just one jackass on the internet. And while most of this post qualifies as common knowledge for any geek who reads slashdot regularly, reasonable people can disagree about whether, say, North Korea's supposed "hacker army" represents a genuine threat.

I think the problem is that there haven't really been any incidents that rise to the level of "cyberterrorism" -- more like "cybervandalism" or "cyberfraud". Despite this, folks without much technical knowledge continue to hype this sexy, high-tech (but largely imagined) threat, and we end up with committees that have to write reports and pretend like we're all in grave danger.

So people just guess the potential shape of cyberterrorism based on other types of electronic crime, and their conclusions from this process can differ. They also tend to overstate the threat, and avoid mistakes by only offering recommendations to establish mechanisms to issue recommendations. Certainly nobody is going to be stupid enough to suggest ditching deep-pocketed Microsoft, even though other governments are doing it.

One other thing I left out from the post: maybe the most important legislation to improve security would be to regulate the disclosure of new exploits. There's a big debate among academics about whether it's appropriate to publish information and sample code demonstrating a newly found exploit prior to patches being written and issued. Some folks think this hands malware authors tools to wreak havoc (it does); others think industry tends to respond too slowly or not at all when there isn't obvious pressure to fix the problems (they are), and that outlawing exploit publishing would violate freedom of speech (er... hmmm).

I'm not sure what the answer to this is, but it's probably the single most indisputably essential and easy-to-approach policy question that the government could address but hasn't. A reasonable person could dismiss most of my preceding post as hand-waving by yet another pompous blogger, but ignoring exploit disclosure really *is* stupid.

Posted by: tom on December 8, 2004 09:53 AM
