Sunday, May 31, 2009

Can anyone, including President Obama, secure Cyberspace?

President Obama has announced a "comprehensive cybersecurity strategy" for the U.S. Government that includes a 76 page "Cyberspace Policy Review." This policy statement is full of words using "cyber" as a prefix, but what does it really say and what is the real threat?

Apparently, the perceived threat is big enough to establish yet another government agency and another "senior White House official, "who will have broad authority to develop strategy to protect the nation's government-run and private computer networks, according to people who have been briefed on the plan" Washington Post.

In the Preface to the Cyberspace Policy, it states:
The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation’s confidence in the information systems that underlie our economic and national security interests.
My response to this broad accusation is just this; name one incident. The real heart of the issue is in a couple of paragraphs later in the document:
Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms. The United States needs a comprehensive framework to ensure coordinated response and recovery by the government, the private sector, and our allies to a significant incident or threat.
That's the problem, "Information and communications networks are largely owned and operated by the private sector, both nationally and internationally." It is not that the government is afraid of anything in particular, it is the fact that all that information and communications ability is in private hands that make the President and his advisers nervous.

Let's get to the real issue; the government wants to nationalize the Internet. The entrenched bureaucrats cannot stand the idea the the private sector has any control over anything. Not only do they want to nationalize General Motors, they would like to nationalize everything.

The next bottom line is the usual one, "The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements." That's it in a nutshell, nationalize the communications network and the Internet and spend more money.

Look at page "vi" of the Policy Statement at number 4: "Designate a privacy and civil liberties official to the NSC cybersecurity directorate."

Look at the Bibliography. The documents are available in the Cyberspace Policy Review. Read some of the documents. See if you can find one documented incident of "intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information."

Here is one example. Carnegie Mellon University, Lynn Robert Carter, "Computing Infrastructure Risk: Issue, Analysis, and Recommendation," December 23, 2008 .
Look at this document. Here is the threat:

1. Spam
2. Distributed computing such as the SETI network.
3. Botnets
4. Unspecified "targets of the the bad guys"
5. Identity theft
6. Morphing still images, voices and videos (i.e. "Die Hard" movie)
7. von Neumann architecture
and so on.

Not one incident is mentioned or identified. I haven't had the time to look at all these documents. How about someone out there showing me where's the beef? Where is the threat to national security other than a worry that the computer network is in private hands?

No comments:

Post a Comment