Today I am attending Harvard National Security Journal’s Symposium titled “Cybersecurity: Law, Privacy, and Warfare in a Digital World.” The full list of speakers and topics is available here.
First on the list is my colleague at the school of law, Jonathan Zittrain, who is Co-Director of the Berkman Center for Internet and Society and Professor of Law at Harvard Law School. He is taking part in a lunchtime debate with Stewart Baker, former General Counsel of the National Security Agency. Mr. Baker is now a partner in the Washington office of Steptoe & Johnson LLP. (He was also described as “the lone coat and tie wearer on internet anarchists list-servs.”)
The debate topic was “The Future of the Internet.”
Baker’s point was two-fold. First, the “bad guys” on the Internet are continuing to get faster and better. We are increasingly at risk. He used the Dalai Lama network-hack attack as an example: social engineering with an attached virus, after which spyware infiltrated his system, with camera, keystrokes, etc. all accessed. He called it 1984-style surveillance, only George Orwell did not know that we would be buying the equipment ourselves and having it used against us. The fear is that there is no assurance of privacy except by remaining silent.
Cyberwar is an increasing danger, and it is inevitable that people will seek to wage cyberwar against the US government. The classic power grid scenario was discussed. He said the likelihood of SCADA attacks is increasing every year. The question is: what are we going to do about it? The thing we most need is a mechanism that can ID the perpetrators and impose consequences: criminal prosecution or cyber-attack. Or, Baker said, there was an idea of altruistic punishment: people derive reward from punishing those who broke the rules, even if it costs them money. He went on to cite a study that talked about a deep-seated need in our DNA to punish those who violate social norms. The danger is that if we build a system where there are no repercussions, the system will fail. We need to find a way to ID people in cyberspace and impose penalties on them for violating social norms. If we don’t punish, we risk continuous attacks.
The lawyers, justices, etc. find it to be a wonderful problem which they are reveling in, but not addressing. “Back off” and let us solve some of these problems.
JZ: There is a problem. And this problem has formed a type of anarchy that even the techno-libertarian does not want: utter anarchy (he used Anonymous, the “hacktivist” group, as an example) is not a functional, innovative, rights-respecting state of existence on the Internet. He talked a bit about Baker’s call for an “Attribution and imposing consequences” mode. At the weak level, good forensics tools should do it. But will it actually deter future hackers (WikiLeaks)? If we could truly attribute something back to the country or that hacked the Dalai Lama, could we impose consequences? Even the most sophisticated of attacks might require changing the Internet itself to track the different ways we are attacked. Do we have to lock down routers, with attribution through someone’s wireless router? Are we creating a world that is much less free for the sake of getting better attribution? Does this have a Cold War flavor to it? The Cold War model won’t work. Look at Wikipedia: let’s make it so that the costs of the attacked are easily mitigated, with some light anonymity, that actually works as a structure of mutual aid that is more robust when facing DDoS attacks, etc. He talked a bit about a model of mutual aid through mirror sites: more information, more communication, with no “real” punishment.
They also talked about the boring solutions: two-factor authentication helps a lot, but it’s the boring, consumer-hated, yet more secure version, and it slows down the interaction. The real security of the net: “can packets reliably go from point A to B?” That’s a secure net. Bank money stolen is a different problem, so why reform the whole net architecture based on that?
Baker: No one thinks there is any real risk when they commit cybercrime today -> many factors in the real world that deter crime do not exist in cyberspace.
Zittrain: We are much more monitor-able than we know – consumer privacy is a problem. Firms desperately want to know what you are buying – what is the danger in looking at my purchase of cat food?
Baker: The EFF tells RIAA that the music information wants to be free. By and large their argument is “It’s a shame about your business model.” But the bits about you (not music) are fully private!
The internet kill switch bill: Baker said “There is no internet kill switch bill. It’s bullswitch!”