Newsscan
Computer Security Column
Stephen Cobb, CISSP and Chey Cobb, CISSP
Computer Security and Your Patriotic Duty
“Fellow citizens, now is the time to firewall your
broadband connections and filter your email, lest your computer be abused
by those who would attack our nation’s critical infrastructure.
Now is the time to do your patriotic duty and install security patches
for your applications, change your passwords, and tighten up those directory
permissions. If not, that computer in your den, the one on the high speed
Internet connection, could become an attack platform.”
Sound a little hokey? Maybe, but we’d be surprised
if anyone can find a flaw in the logic or fault any of the stated facts.
As far as we are concerned, and we’re the ones who’ve been
giving this speech, the large and growing number of unprotected, high-powered,
always-on, broadband-connected personal computers does indeed represent
a threat to the national infrastructure (note that we are both U.S. citizens,
but this is by no means a uniquely American perspective—we would
be holding the same truths to be self-evident if we were citizens of the
United Kingdom, or Germany, or Brazil, or anywhere else that is experiencing
a rapid increase in broadband connectivity).
We have had these thoughts, and said these things, for
some time, but we feel compelled to reiterate them now, because our President
has just signed the Homeland Security Bill, causing the biggest overhaul
of the U.S. government since the National Security Act of 1947 unified
the Armed Forces under a single department and created the National Security
Council and Central Intelligence Agency. The Homeland Security Department
is expected to have a combined workforce of more than 170,000 employees
and pull together more than 20 agencies.
As if that wasn’t enough for one bill, the Homeland
Security Act also amends a bunch of other laws and encompasses things
like the creation of a new form of charitable trust to “provide
for the spouses and dependents of military, CIA, FBI and other federal
employees killed in the line of duty in the war on terrorism.” A
noble goal, but arguably extraneous to the creation of a new department of
government.
We will have more to say about the Homeland Security Act
in future columns, after we have more completely digested all 470 pages
(okay, that’s the double-spaced version, but still, this is not
light reading). What we want to highlight here is the starring role that
computer security plays in this legislation. For a start, the bill includes
a definition of information security and spells out that other C-I-A,
the one that infosec people have been working at for years: Confidentiality,
Integrity, and Availability.
In a dramatic turn, the bill makes significant amendments
to the Computer Fraud and Abuse Act of 1986. Indeed, these amendments
are to be known as the “Cyber Security Enhancement Act of 2002.”
The “enhancements” include increased penalties for criminal
hacking, up to life imprisonment “if the offender knowingly or recklessly
causes or attempts to cause death” through conduct such as intentionally
accessing a computer without authorization or exceeding authorized access.
What we don’t see in the Homeland Security Bill,
or in the $900 million appropriation for computer security research that
was also passed last week, is funding for the education of networked computer
users and operators. These are the people, like you, and us, and generations
just getting started, who are connecting their computers to the Internet.
The connections are often high bandwidth (24 million Americans have broadband
Internet connections at home, according to a Pew report this summer). Whose
job is it to tell the people who have these connections that their computer
could unwittingly host a distributed denial of service (DDoS) attack?
Who is responsible for telling computer operators to make sure they are
not harboring programs that could bring down emergency service communications
during a terrorist attack?
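The column asks who will tell home users that their machine could be an unwitting DDoS agent; the script below, an added example that is not part of the original column, shows the two checks a user (or a helpful neighbour) could actually run. It parses netstat-style output (the sample lines are constructed, and the column assumes a Linux/BSD-style `netstat -an` layout) and flags services listening on every interface on ports a home PC has no business exposing, plus piles of half-open outbound connections to a single target, which is what a simple SYN-flood agent looks like from the inside. The port list is illustrative, not a standard.

```python
# Added example (not from the column): triage a home PC's network state
# from netstat-style output. Sample input is constructed for the demo.
from collections import Counter

# Constructed sample in the shape of Linux/BSD `netstat -an` output (assumption).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
tcp        0      0 192.168.1.10:40001      203.0.113.7:80          SYN_SENT
tcp        0      0 192.168.1.10:40002      203.0.113.7:80          SYN_SENT
tcp        0      0 192.168.1.10:40003      203.0.113.7:80          SYN_SENT
tcp        0      0 192.168.1.10:40004      203.0.113.7:80          SYN_SENT
tcp        0      0 192.168.1.10:52311      198.51.100.20:443       ESTABLISHED
"""

# Ports a home PC should not expose to the whole Internet (illustrative list).
RISKY_LISTEN_PORTS = {21: "ftp", 23: "telnet", 135: "msrpc", 137: "netbios-ns",
                      139: "netbios-ssn", 445: "smb", 1433: "mssql", 6667: "irc"}


def parse_netstat(text):
    """Return (proto, local_addr, local_port, remote_addr, remote_port, state) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue  # skip headers and anything that is not a socket row
        proto, local, remote = parts[0], parts[3], parts[4]
        state = parts[5] if proto == "tcp" and len(parts) > 5 else ""
        l_addr, l_port = local.rsplit(":", 1)
        r_addr, r_port = remote.rsplit(":", 1)
        rows.append((proto, l_addr, int(l_port), r_addr, r_port, state))
    return rows


def exposed_services(rows):
    """Listeners bound to every interface (0.0.0.0 / ::) on a risky port."""
    found = []
    for proto, l_addr, l_port, _, _, state in rows:
        bound_everywhere = l_addr in ("0.0.0.0", "::", "[::]")
        listening = state == "LISTEN" or proto == "udp"  # UDP has no LISTEN state
        if bound_everywhere and listening and l_port in RISKY_LISTEN_PORTS:
            found.append((proto, l_port, RISKY_LISTEN_PORTS[l_port]))
    return sorted(found)


def flood_suspects(rows, threshold=3):
    """Remote endpoints with at least `threshold` half-open (SYN_SENT) connections
    from this host: many SYN_SENT to one target is the inside view of a SYN flood."""
    counts = Counter((r_addr, r_port)
                     for _, _, _, r_addr, r_port, state in rows if state == "SYN_SENT")
    return sorted((target, n) for target, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, name in exposed_services(rows):
        print(f"exposed: {proto}/{port} ({name}) listens on all interfaces")
    for (addr, port), n in flood_suspects(rows):
        print(f"suspect: {n} half-open connections to {addr}:{port}")
```

On a real machine the input would come from `netstat -an` (or `ss -tan` on modern Linux), and the loopback-only listener on port 631 is correctly ignored: binding to 127.0.0.1 is exactly the “tighten it up” outcome the column is asking home users for.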
When you get a Dell, does it say on the box: “Dude,
this thing could kill someone”? No, and we don’t expect to
see such a warning sticker any time soon. That is the point. With powerful
technology comes a ton of responsibility. It just tends to arrive somewhat
later than the technology itself. In the meantime, securing all those
computers on the network will take some serious motivation, such as patriotism.