Monday, November 15, 2010

Are cyberattacks an act of war?

An interesting question is what constitutes "cyberwar?" That is war in cyberspace. It wasn't defined a few years ago, and it's still not well defined today.

I was reading Cyberdeterrence and Cyberwar by Martin C. Libicki of RAND today. It's a long document and I've only made it through the dozen or so pages at this point, but he makes a really interesting point (page xvii) talking about the role of cyberdeterrence in preventing cyberwar:
Might retaliation send the wrong message? Most of the critical U.S. infrastructure is private. An explicit deterrence policy may frame cyberattacks as acts of war, which would indemnify infrastructure owners from third-party liability, thereby reducing their incentive to invest in cybersecurity.
In other words, if cyberattacks can be considered acts of war, this would this trigger an Act of War exclusion common in many insurance coverages, allowing parties to escape liability from damage caused by a cyberattack by framing it as a act of (cyber)war?

Your money gets stolen from a bank: sorry, act of cyberwar.

House burned down by a virus attacking your smart meter: sorry, act of cyberwar.

However, the courts have decided 9/11 and similar acts of terrorism are not acts of war:
the courts have consistently held that a “war” within the meaning of an “act of war” exclusion can only exist as between two sovereign or quasi-sovereign governmental entities.
So, despite rhetoric about "war" in various forms, courts have set a pretty high bar for use of the term. Until two countries come out (or one at least) and declares cyberwar explicitly on another country, I doubt we'll see the term hold up in court.

Friday, November 12, 2010

Why security is not THE goal: TSA, built to fail.

There is an old joke in computer security:
Q: How do I make my computer secure?
A: Lock it in a safe and put it at the bottom of the ocean.
The joke being that you've made the computer really safe, but also completely unusable.

But this joke has a good lesson, and that is: Security is never THE goal.

It is a goal, one of many. But it's never the only thing you're trying to accomplish. There are always other goals, e.g. making something useful, perform well, appealing to the senses, or just available to enjoy.

Security is always a trade-off with these other goals. As Bruce Schneier puts very well in his talk (worth watching), the question is not "will it make us safer?" but "was it worth the trade-off?"

Following that logic, I've always thought that making security the goal of single organization, or group in an organization - "the security team", was a bad idea because it let the everyone else off the hook for security, they could assume "the security team has it" and ignore it.

But I've realized lately there is an even stronger reason why it is a bad idea - any organization or team who's sole focus is security will, by nature of doing their job, continuously increase security without regard for anything else.

And, to my point, one of these other things is protecting our civil liberties.

Like many others, I'm very unhappy with the TSA's new body scanners. Their policies to this point have been silly and annoying, but this is now crossing a line, in the opinion of many, myself included, from annoying to violating. (The no-fly list has arguably done so as well for years now.)

How did we get into this mess?

In thinking about this, we've created an organization in the TSA whose sole goal is security. Heck, it's one third of their name and it's baked into their mission:
The Transportation Security Administration protects the Nation’s transportation systems to ensure freedom of movement for people and commerce.
First and foremost is "protect the transportation systems." They started in the right direction with "ensure freedom of movement," but that's stopping far short of ensuring civil liberties, dignity, and privacy.

So fundamentally, "we've" created an organization that only cares about security. Back to Bruce's point, they only ask if something will make thing more secure, not whether it's a good trade-off against privacy, civil liberties, economics, or even if it's just silly. If it increases security, they've done their job.

Add to that the lack of any real oversight, congress is not going to risk looking weak on security, and we've created a department that has a mission to keep protecting the transportation system to a greater and greater degree, with no constraints.

And it will keep protecting that system more and more until we're all flying locked in safes, or worse.