Security and Privacy? Forget About It
Mar 8, 2010 9:32 AM PT
As the Obama administration grapples with the thorny issue of beefing up the United States' cybersecurity infrastructure, and as security experts warn of impending cyberwarfare, a debate is raging over how much surveillance is enough.
One of the biggest problems with implementing cybersecurity is that it involves a measure of surveillance, and the line between surveillance and snooping is razor thin. Thin enough, in fact, that Einstein 3, the latest iteration of the federal government's intrusion detection program, has aroused privacy concerns because it can examine the content of email.
That, some privacy advocates believe, makes it almost equivalent to warrantless wiretapping.
The security community is divided over the issue.
Some security advocates contend that it is essential to our nation's security for the federal government to know who's saying what, especially in this day and age, when cyberthreats have become so sophisticated and yet so easy to create through prepackaged software kits that you don't need to know much about computers to create malware.
For example, the three Spanish men who created the Mariposa botnet, which infected 13 million PCs worldwide, are believed to have purchased their virus over the Internet.
Pro-surveillance security advocates contend that we can depend on the feds and our intelligence agencies not to cross the line into snooping without a cause.
However, other security experts are not so trusting.
A panel convened Wednesday at RSA 2010 in San Francisco examined the issue of dealing with sophisticated threats in cyberspace without creating Big Brother in the process.
The panelists were Marc Rotenberg, executive director of the Electronic Frontier Foundation; Michael Chertoff, former United States Secretary of Homeland Security; and Richard A. Clarke, former special advisor to the president on cybersecurity.
Cyber-Spies Among Us
Agents of foreign governments are stealing the intellectual property of U.S. companies, Clarke said. "We're being targeted every day, and we're being attacked by criminal gangs," Clarke said. "The day-to-day espionage that's going on is eliminating our competitive advantage."
In essence, Clarke contended that the governments of Russia and China are behind these attacks.
That kind of industrial espionage made news after Google discovered its infrastructure had been penetrated, possibly by hackers from China. The attackers also hit more than 20 other major U.S. companies.
Show Me the Way
The EFF's Rotenberg pointed out the difficulty of solving this problem. "What do we do? Do we give government a lot more authority?" he asked. "Do we start authenticating all users? Do we start tracking all communications?" Whatever solution is proposed, transparency and accountability are important, he pointed out.
One possibility would be to create a system of checks and balances. "You don't necessarily want to have the government operating the Internet and opening and closing doors, because it's not hard to imagine the situation you have in other countries where someone decides the threat is not only from botnets but also from ideas you don't like," Michael Chertoff, former secretary of the DHS, said.
Clarke posited that the government could set guidelines but should not be the organization to authenticate that they were being followed. His suggestion was to put the burden on Internet service providers (ISPs).
"Right now the DHS is building Einstein 3, but we could, by regulation, tell Tier One ISPs they have to do deep packet inspection for malware," he said. "Just so long as the government isn't doing it."
Einstein 3 is the third iteration of an intrusion detection system the U.S. government has in place. Using technology from the National Security Agency (NSA), it can examine the content of emails and can shoot down malware before it can do any harm. That capability has raised privacy concerns which the Obama administration is trying to quell.
Tier One ISPs form the backbone of the Internet, connecting to each other around the world over their own networks.
The Threat to Privacy
Using NSA technology almost certainly will lead to an invasion of privacy, the EFF's Rotenberg fears. "The folks over at NSA are not just interested in looking for malware, they're very interested in content," he said. "This is the problem with Einstein 2 and Einstein 3."
On the other hand, turning over the responsibility for deep packet inspection to private companies could have its own pitfalls. "Deep packet inspection opens the doors to commercialization," Rotenberg warned. "The companies can say, 'We have to do this because of our security mandate and oh, by the way, there's a marketing opportunity here.'"
The threat of cyberwar can erode privacy protection, Rotenberg said. "Privacy tends to be collateral damage in cyberwar scenarios," he explained. "Every one of these scenarios becomes a justification for some new type of intrusion upon the user who's doing nothing wrong."
Clarke suggested establishing an organization with bipartisan support that has subpoena power. "We need to restore government credibility, and one way to do that is to have a vigorous civil liberties and privacy protection board," he said.