About five minutes into U.S. Secretary of Homeland Security Janet Napolitano’s speech to a large banquet hall full of security professionals, watching her over the plated tiramisu I was socially restrained from eating, I was struck by the mental image of 2,000 Dobermans sitting patiently in rows, each with a doggie treat balanced on its nose.
The speech was long and unilluminating, and the tiramisu tasted like it came out of the world’s largest Sara Lee box, but even bad tiramisu is better than no tiramisu.
Napolitano was addressing the combined conventions of ASIS and ISC2, which aren’t officially acronyms, but which focus on generalized security issues and information security respectively. My press pass admitted me to a dizzying and somewhat chilling range of talks and panel discussions; for example, one afternoon’s “Security in the Cloud” was counter-programmed against “Analyzing Verbal Statements” and “Mass Homicides in the Workplace.”
I’ll freely admit: it’s odd to be at this conference. On the one hand, any number of private companies and governmental organizations have serious security concerns, and you would expect (and want) professionals in the industry to band together to share best practices or take certification programs. On the other hand, the category list of the exhibit floor reads like the signs at the Post-9/11 World OfficeDepot: Access Control, Biometrics, Blast Mitigation, Bullet Resistant Systems, Citywide CCTV, and so on. Browsing through the catalog, I found a full-page ad encouraging exhibitors to advertise in two security trade periodicals in India — “a US$1 billion… huge opportunity.” This is why I’m opening with coverage of how the
security industry talks to itself, with the impressions I got from Napolitano’s speech.
By way of introduction, suppose you asked a Mac expert, “Hey, how safe is my hard drive?” Almost all of us will say, “Extremely reliable,” especially if we’ve been around long enough to remember Jaz cartridges, floppy disks, or even punch cards. But we experts will all immediately add, “but be sure to back up regularly, preferably in several different ways.” That’s because the expert is considering everything ranging from hardware crashes and firmware malfunctions to theft and fires.
A file on a hard drive or SSD can be rendered unreadable by a cosmic ray from outer space. Yes, really (PDF). When dealing with that kind of problem, security experts develop a healthy sense of paranoia, and that’s what you pay them for, so you can take just the sensible precautions and get on with your life.
Now ramp that up so instead of dealing specifically with computer security, you’re approaching all kinds of security threats, including small arms and large conventional explosives. It’s natural to want to have experts in society whose job it is to protect against these attacks, and to have well-informed laypeople know what to do in the event of trouble. But at the same time, it’s smart to be aware of whether assessing everyone as a potential threat can lead to the sort of professional paranoia that computer experts have about cosmic rays and electromagnetic fields.
This brings me to Napolitano’s speech. I’m on record criticizing political speeches to expert communities (see “CFP 2011: Shine On, You Crazy Senator!,” 16 June 2011), and here I was disappointed by more of the same: congratulating the audience on being themselves, without discussing the topic at an expert level. Public-private partnerships are crucial to the nation’s security, and the assembled experts in the room are an important part of that. The Department of Homeland Security (DHS) is working with private companies and nonprofit organizations to protect national infrastructure and promote cybersecurity. The DHS Computer Emergency Response Team (CERT) responded to over 100,000
incidents last year and issued over 5,000 alerts.
Napolitano opened her speech by calling cybersecurity “one of the most” important issues facing the nation, but closed in a less-qualified way, saying (I’m forced to paraphrase here) that these virtual attacks are the biggest threat we face. As I see it, there are three ways we can respond to such a statement.
First, we can be very scared by this — surely our biggest threat must be countered by the public and private groups who protect us — and we can invest large amounts of time, money, and resources into protection.
I’m not going to argue against this — but at the same time, some problems shouldn’t be solved with billion-dollar hardware. The best encryption in the world won’t help you when you don’t bother to use it at all. Critical infrastructure attacks over the Internet are up 17-fold — to which one might justly reply, “Wait, why exactly is a power grid control system connected to the Internet at all, rather than being isolated on a private network?”
More to the point, without some details about the 160 attacks on “critical infrastructure” in 2011, it’s impossible to evaluate whether the solution is stronger hardware, better training, or advanced deep-breathing relaxation techniques. Some Internet attacks are the equivalent of trying a door handle to see if it’s unlocked. These might be targeted against millions of computers in numeric sequence, and happen to include “critical infrastructure” only by accident.
Or an attack could be directed at specific targets with dozens of distributed expert criminals trying to crack into a particular control system. That’s a different kettle of “phish.” I think Napolitano’s subtext is to say that CERT’s 100,000 incidents are in this category, and we should all be very, very worried. But the track record of several administrations is to lump both meaningless and terrifying attacks together into the biggest possible number, which leaves me skeptical of sweeping statements about the risks we actually face.
Second, we can give some thought to what private resources we need to increase, and whether it’s a weakness in our national security that the general population isn’t educated on these issues. Napolitano cited the “If You See Something, Say Something” program, which has alerted the public to report suspicious behaviors to the police, without providing much training on what an expert would deem suspicious. Anecdotally, I’ve seen a large bag left unattended by a passenger for over 20 minutes in front of one of those “Say Something” videos on an endless loop at a major train station, and I’ve had a dispiriting interaction with the Amtrak
police at that same station when my own bag was stolen a few months later.
Not to put too fine a point on it, but when half of your neighbors think bad weather can affect iCloud, there’s also some basic education necessary before we can secure the millions of computers being used for crucial everyday activities. Most of the increased security we’re enjoying today comes from the simple design decision to make higher security the default in new operating systems; likewise, a lack of security in a common protocol like Wi-Fi leaves many people vulnerable. Few people are aware that anything they send or receive over their corporate email system is legally
owned by their employers, or can be read by the IT department pretty much whenever, even if the corporate encryption strategy protects against outsiders.
Personally, I’m more encouraged by security that stems from widely disseminated education. We can (and should) spend the next 20 years improving our anti-spam methods to near-perfection, but if you know basic English business grammar, then you can spot today when that email purporting to be from PayPal wasn’t actually written by someone at PayPal.
Third and finally, there’s one major response we can have to “our biggest threat is cyber attacks,” and that is wild cheering.
I rarely make friends by saying this, but the biggest revelation I had after 9/11 was just how powerful and safe people in Western nations actually are. The most significant attack on the United States since Pearl Harbor was emotionally devastating, but we got through it, and we were back to some semblance of normal far faster than many people would have predicted. All of our societal changes to the new post-9/11 normal were of our own choosing — and it’s past time we had a more complete and open debate about which of these actually make us safer.
I grew up during the end of the Cold War, and learned military strategies involving nuclear weapons that would cause deaths in the tens or hundreds of millions. The United States has faced non-nuclear existential threats in at least three wars. Compared to the experience that most adults over 40 have lived through, or what a sixth-grader should know about history, terrorism doesn’t come close as a danger to who we are or what we value. Contrast that with the daily experience of many people in the rest of the world; as an Argentinean friend once told me, “I can always tell who’s American when I travel; they’re the ones who will walk up to a police officer to ask for directions.”
If the biggest threats we face are to our data, then we should take a moment to enjoy the security of our persons. Certainly, when the way we use data affects our physical security (whether we’re talking about the power grid or air traffic control), that’s a problem we need to fix — but let’s focus on whether that lack of security is caused by incompetent or inattentive management before we blindly hand more money to the managers.
Quoting Bruce Schneier: “More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.” The same applies when our worst fears are Internet-based and Internet-restricted. Let’s pay the experts to be paranoid on our behalf, so we can live differently.