The Daily Caller reports that Senator Harry Reid (D-NV) is planning another effort at Internet regulation—right on the heels of the SOPA/PIPA debacle. The article seems calculated to insinuate that a follow-on to SOPA/PIPA might slip into cybersecurity legislation the Senate plans to take up. Whether that’s in the works or not, I’ll detail here the privacy threats in cybersecurity language being circulated on the Hill.

A Senate draft currently making the rounds is called the “Cybersecurity Information Sharing Act of 2012.” It sets up “cybersecurity exchanges” at which government and corporate entities would share threat information and solutions.

Sharing of information does not require federal approval or planning, of course. Information sharing happens all the time according to market processes. But “information sharing” is the solution Congress has seized upon, so federal information sharing programs we will have. Think of all this as a “see something, say something” campaign for corporate computer security people. Or perhaps “e-fusion centers.”

Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:

We live in a free country where all that is not forbidden is allowed. There is no need in such a country for “affirmative” authority to act. So what does this section do as it in purports to permit private and governmental entities to monitor their information systems, operate active defenses, and such? It sweeps aside nearly all other laws controlling them.

“Consistent with the Constitution of the United States and notwithstanding and other provision of law,” it says (emphasis added), entities may act to preserve the security of their systems. This means that the only law controlling their actions would be the Constitution.

It’s nice that the Constitution would apply</sarcasm>, but the obligations in the Privacy Act of 1974 would not. The Electronic Communications Privacy Act would be void. Even the requirements of the E-Government Act of 2002, such as privacy impact assessments, would be swept aside.

The Constitution doesn’t constrain private actors, of course. This language would immunize them from liability under any and all regulation and under state or common law. Private actors would not be subject to suit for breaching contractual promises of confidentiality. They would not be liable for violating the privacy torts. Anything goes so long as one can make a claim to defending “information systems,” a term that refers to anything having to do with computers.

Elsewhere, the bill creates an equally sweeping immunity against law-breaking so long as the law-breaking provides information to a “cybersecurity exchange.” This is a breath-taking exemption from the civil and criminal laws that protect privacy, among other things.

(1) IN GENERAL.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any non-Federal governmental or private entity, or any officer, employee, or agent of such an entity, and any such action shall be dismissed promptly, for the disclosure of a cybersecurity threat indicator to—
(A) a cybersecurity exchange under subsection (a)(1); or
(B) a private entity under subsection, (b)(1), provided the cybersecurity threat indicator is promptly shared with a cybersecurity exchange.

In addition to this immunity from suit, the bill creates an equally sweeping “good faith” defense:

Where a civil or criminal cause of action is not barred under paragraph (1), a good faith reliance by any person on a legislative authorization, a statutory authorization, or a good faith determination that this Act permitted the conduct complained of, is a complete defense against any civil or criminal action brought under this Act or any other law.

Good faith is a question of fact, and a corporate security official could argue successfully that she acted in good faith if a government official told her to turn over private data. This language allows the corporate sector to abandon its responsibility to follow the law in favor of following government edicts. We’ve seen attacks on the rule of law like this before.

A House Homeland Security subcommittee marked up a counterpart to this bill last week. It does not have similar language that I could find.

In 2009, I testified in the House Science Committee on cybersecurity, skeptical of the government’s ability to tackle cybersecurity but cognizant that the government must secure its own systems. “Cybersecurity exchanges” are a blind stab at addressing the many challenges in securing computers, networks, and data, and I think they are unnecessary at best. According to current plans, cybersecurity exchanges come at a devastating cost to our online privacy.

Congress seems poised once again to violate the rule from the SOPA/PIPA disaster: “First, do no harm to the Internet.”

The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy is a post from Cato @ Liberty - Cato Institute Blog

On Thursday, the House Judiciary Committee is slated to take up the misleadingly named Stop Online Piracy Act, an Internet censorship bill that will do little to actually stop piracy. In response to an outpouring of opposition from cybersecurity professionals, First Amendment scholars, technology entrepreneurs, and ordinary Internet users, the bill’s sponsors have cooked up an amended version that trims or softens a few of the most egregious provisions of the original proposal, bringing it closer to its Senate counterpart, PROTECT-IP. But the fundamental problem with SOPA has never been these details; it’s the core idea. The core idea is still to create an Internet blacklist, which means everything I say in this video still holds true:

Let’s review the main changes. Three new clarifying clauses have been added up front: the first two make clear that SOPA is not meant to create an affirmative obligation for site owners to monitor user content (good!) or mandate the implementation of technologies as a condition of compliance with the law (also good!). But the underlying incentives created by the statute push strongly in that direction whether or not it’s a formal requirement: What else do we imagine sites threatened under this law because of user-uploaded content or links will do to escape liability? A third clause says the bill shouldn’t be construed in a way that would impair the security or integrity of the network—which is a bit like slapping a label on a cake stipulating that it shouldn’t be construed to make you fat. These are all nice sentiments, but they remind me of the old philosophers’ joke: “You’ve obviously misinterpreted my theory; I didn’t intend for it to have any counterexamples!”

The big changes in the section establishing court-ordered blocking of supposed “rogue” sites appear to be intended to respond to the objections of cybersecurity professionals and network engineers, who pointed out that requiring falsification of Domain Name System records to redirect users from banned domains would interfere with a major government-supported initiative to secure the Internet against such hijacking. The updated language explicitly disavows the idea of redirection, removes a hard five-day deadline for compliance, and (crucially) says that any DNS operator (like your ISP) has fully satisfied its obligations under the statute if it simply fails to respond to DNS queries for blacklisted sites.

This is bad for transparency, in both the engineering and democratic senses of that term, insofar as it makes a government block indistinguishable from a technical failure, but it does, in a sense, address the direct conflict with DNSSEC. But as network engineers point out, a well-designed application implementing DNSSEC isn’t just going to give up when it doesn’t get a valid, cryptographically signed reply: it’s going to try other DNS servers (including servers outside US jurisdiction) until it finds one that answers.

There are two possibilities here. The first is that application designers don’t design their software properly to implement DNSSEC for fear of liability under the statute’s anti-circumvention provisions, which would be a Very Bad Thing. The second is that they’re assured they won’t be held liable for good design, in which case this whole elaborate censorship process—which was never going to be particularly effective against people who actually want to find pirated content—becomes a truly farcical pantomime, in which nobody running reasonably up-to-date clients even notices the nominal “blocking,” beyond a few seconds delay in resolving the “blocked” site. Now, if we’ve got to have an Internet censorship law, a completely impotent one is surely the best kind, but it becomes a bit mysterious what the point of all this is, beyond providing civil libertarians with a chuckle at the vast amount of money Hollywood has wasted ramming this thing through.

The other big change is to the private right of action, which previously would have allowed any copyright holder to unilaterally compel payment processors and ad networks to cut off sites that it merely accuses of infringement, or enabling infringement, or (in a baffling specimen of tortured language) taking “deliberate actions to avoid confirming a high probability” that the site would be used for infringement. That last little hate crime against English is mercifully absent from the revised SOPA, and it makes clear that only foreign sites are covered, and a judge is now required to actually issue an order before intermediaries are obligated to sever ties.

Which ultimately goes to show that the original proposal was so profoundly wretched that you can improve it a great deal, and still have a very bad idea. This is still, as many legal scholars have correctly observed, censorship by slightly circuitous economic means. The involvement of a judge should (knock on wood) weed out the most obviously frivolous complaints, but it still makes it far too easy for U.S. corporations to effectively destroy foreign Internet sites based on a one-sided proceeding in U.S. courts.

These changes are somewhat heartening insofar as they evince some legislative interest in addressing the legitimate concerns that have been raised thus far. But the problem with SOPA and PROTECT-IP isn’t that they need to be tweaked in order to get the details of an Internet censorship system right. There is no “right” way to do Internet censorship, and the best version of a bad idea remains a bad idea.

The New SOPA: Now With Slightly Less Awfulness! is a post from Cato @ Liberty - Cato Institute Blog

Tattoo it on your forearm—or better, that of your favorite legislator—for easy reference in the next debate over wiretapping: government surveillance is a security breach—by definition and by design. The latest evidence of this comes from Germany, where there’s growing furor over a hacker group’s allegations that government-designed Trojan Horse spyware is not only insecure, but packed with functions that exceed the limits of German law:

On Saturday, the CCC (the hacker group) announced that it had been given hard drives containing “state spying software,” which had allegedly been used by German investigators to carry out surveillance of Internet communication. The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the United States. As well as its surveillance functions, it could be used to plant files on an individual’s computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse’s functions for their own ends. The software possibly violated German law, the organization said.

Back in 2004–2005, software designed to facilitate police wiretaps was exploited by unknown parties to intercept the communications of dozens of top political officials in Greece. And just last year, we saw an attack on Google’s e-mail system targeting Chinese dissidents, which some sources have claimed was carried out by compromising a backend interface designed for law enforcement.

Any communications architecture that is designed to facilitate outsider access to communications—for all the most noble reasons—is necessarily more vulnerable to malicious interception as a result. That’s why technologists have looked with justified skepticism on periodic calls from intelligence agencies to redesign data networks for their convenience. At least in this case, the vulnerability is limited to specific target computers on which the malware has been installed. Increasingly, governments want their spyware installed at the switches—making for a more attractive target, and more catastrophic harm in the event of a successful attack.

The Lives of Others 2.0 is a post from Cato @ Liberty - Cato Institute Blog

• “PBS used to ask, ‘If not PBS, then who?’ The answer now is: HBO, Bravo, Discovery, History, History International, Science, Planet Green, Sundance, Military, C-SPAN 1/2/3 and many more.”
• “The fiscal problem that is destroying U.S. economic confidence is not the fiscal balance, however. It is the level of government expenditures relative to GDP.”
• “The Pentagon’s first cyber security strategy… builds on national hysteria about threats to cybersecurity, the latest bogeyman to justify our bloated national security state.”
• “How ‘secure’ do our homes remain if police, armed with no warrant, can pound on doors at will and, on hearing sounds indicative of things moving, forcibly enter and search for evidence of unlawful activity?”
• National debt is driving the U.S. toward a double-dip recession: 

Friday Links is a post from Cato @ Liberty - Cato Institute Blog

Experienced debaters know that the framing of an issue often determines the outcome of the contest. Always watch the slant of the ground that debaters stand on.

The Internet kill-switch debate is instructive. Last week, Senators Lieberman (I-CT), Collins (R-ME) and Carper (D-DE) introduced a newly modified bill that seeks to give the government authority to seize power over the Internet or parts of it. The old version was widely panned.

In a statement about the new bill, they denied that it should be called a “kill switch,” of course–that language isn’t good for their cause after Egypt’s ousted dictator Hosni Mubarak illustrated what such power means. They also inserted a section called the “Internet Freedom Act.” It’s George Orwell with a clown nose, a comically ham-handed attempt to make it seem like the bill is not a government power-grab.

But they also said this: “The emergency measures in our bill apply in a precise and targeted way only to our most critical infrastructure.”

Accordingly, much of the reportage and commentary in this piece by Declan McCullagh explores whether the powers are indeed precisely targeted.

These are important and substantive points, right? Well, only if you’ve already conceded some more important ones, such as:

1) What authority does the government have to seize, or plan to seize, private assets? Such authority would be highly debatable under any of the constitutional powers kill-switchers might claim. Indeed, the constitution protects against, or at least severely limits, takings of private property in the Fifth Amendment.

and

2) Would it be a good idea to have the government seize control of the Internet, or parts of it, under some emergency situation? A government attack on our private communications infrastructure would almost certainly undercut the reliability and security of our networks, computers and data.

The proponents of the Internet kill-switch have not met their burden on either of these fundamental points. Thus, the question of tailoring is irrelevant.

I managed to get in a word to this effect in the story linked above. “How does this make cybersecurity better? They have no answer,” I said. They really don’t.

No amount of tailoring can make a bad idea a good one. The Internet kill-switch debate is not about the precision or care with which such a policy might be designed or implemented. It’s about the galling claim on the part of Senators Lieberman, Collins and Carper that the U.S. government can seize private assets at will or whim.

The Internet Kill-Switch Debate is a post from Cato @ Liberty - Cato Institute Blog

If you haven’t been following the intrigue around Wikileaks and the security companies hoping to help the government fight it, this stuff is not to be missed. Recommended:

• “How One Man Tracked Down Anonymous—And Paid a Heavy Price,” on Ars Technica.
• “A Disturbing Threat Against One of Our Own,” on Salon.

The latter story links to a document purporting to show that a government contractor called Palantir Technologies suggested unnamed ways that Glenn Greenwald (author of this excellent Cato study) might be made to choose “professional preservation” over his sympathetic reporting about Wikileaks. A later page talks of “proactive strategies” including: “Use social media to profile and identify risky behavior of employees.”

Wikileaks has no employees. I take this to mean that the personal lives of Wikileaks supporters and sympathizers would be used to undercut its public credibility. Because Julian Assange hasn’t done enough…

While we’re on credibility: This may well be Wikileaks’ rehabilitation. Wikileaks erred badly by letting itself and Julian Assange become the story. We’re not having the discussion we should have about U.S. government behavior because of Assange’s self-regard.

But now defenders of the U.S. government are making themselves the story, and they may be looking even worse than Wikileaks and Assange. (N.B.: Palantir has apologized to Greenwald.) That doesn’t mean that we will immediately focus on what Wikileaks has revealed about U.S. government behavior, but it could clear the deck for those conversations to happen.

The concept of “miscalculation” seems more prominent in international affairs and foreign policy than other fields, and it comes to mind here. Wikileaks and its opponents are joined in a negative duel around miscalculation. The side that miscalculates the least will have the upper hand.

Cyber-Intrigue and Miscalculation is a post from Cato @ Liberty - Cato Institute Blog

In response to civil unrest, the Egyptian government appears to have ordered service providers to shut down all international connections to the Internet. According to the blog post at the link just above, Egypt’s four main ISPs have cut off their connections to the outside world. Specifically, their “BGP routes were withdrawn.” The Border Gateway Protocol is what most Internet service providers use to establish routing between one another, so that Internet traffic flows among them.

An attack on BGP is one of few potential sources of global shock cited by an OECD report I noted here the other day. The report almost certainly imagined a technical attack by rogue actors but, assuming current reporting to be true, the source of this attack is a government exercising coercion over Internet service providers within its jursidiction. Nothing I pick up suggests that Egypt’s attack on its own Internet will have spillover effects, but it does suggest some important policy concerns.

The U.S. government has proposed both directly and indirectly to centralize control over U.S. Internet service providers. C|Net’s Declan McCullagh reports that an “Internet kill switch” proposal championed by by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) will be reintroduced in the new Congress very soon. The idea is to give “kill switch” authority to the government for use in responding to some kind of “cyberemergency.”

We see here that a government with “kill switch” power will use it when the “emergency” is a challenge to its authority. When done in good faith, flipping an Internet “kill switch” would be stupid and self-destructive, tantamount to an auto-immune reaction that compounds the damage from a cybersecurity incident. The more likely use of “kill switch” authority would be bad faith, as the Egyptian government illustrates, to suppress speech and assembly rights.

In the person of the Federal Communications Commission, the U.S. government has also proposed to bring Internet service providers under a regulatory umbrella that it could then use for censorship or protest suppression in the future. On the TechLiberationFront blog, Larry Downes has recently completed a five-part analysis of the government’s regulatory plan (1, 2, 3, 4, 5). The intention of its proponents is in no way to give the government this kind of authority, but government power is not always used as intended, and there is plenty of scholarship to show that government agencies use their power to achieve goals that are non-statutory and even unconstitutional.

The D.C. area’s surfeit of recent weather caused the cancellation yesterday of a book event I was to participate in, discussing Evgeny Morozov’s The Net Delusion: The Dark Side of Internet Freedom. I don’t know that he makes the case overwhelmingly, but Morozov argues that governments are ably using the Internet to stifle freedom movements.

Events going on here in the United States right now could position the U.S. government to exercise the kind of authority we might look down our noses at Egypt for practicing. The lesson from the Egypt story—what we know of it so far—is that eternal vigilance is the price of freedom.

Egyptian Government Attacks Egypt’s Internet is a post from Cato @ Liberty - Cato Institute Blog

(HT: Schneier) Here’s a refreshingly careful report on cybersecurity from the Organization for Economic Cooperation and Development’s “Future Global Shocks” project. Notably: “The authors have concluded that very few single cyber-related events have the capacity to cause a global shock.” There will be no cyber-”The Day After.”

Here are a few cherry-picked top lines:

Catastrophic single cyber-related events could include: successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. For the remainder of likely breaches of cybsersecurity such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact.

The vast majority of attacks about which concern has been expressed apply only to Internet-connected computers. As a result, systems which are stand-alone or communicate over proprietary networks or are air-gapped from the Internet are safe from these. However these systems are still vulnerable to management carelessness and insider threats.

Analysis of cybsersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.

The hyping of “cyber” threats—bordering on hucksterism—should stop. Many different actors have a good deal of work to do on securing computers, networks, and data. But there is no crisis, and the likelihood of any cybersecurity failure causing a crisis is extremely small.

OECD: ‘Cyberwar’ Overhyped is a post from Cato @ Liberty - Cato Institute Blog

The Washington Post has a poorly thought through editorial today on the Justice Department’s “CALEA for the Cloud” initiative. That’s the formative proposal to require all Internet services to open back doors to their systems for court-ordered government surveillance.

“Some privacy advocates and technology experts have sounded alarms,” says the Post, “arguing that such changes would make programs more vulnerable to hackers.”

Those advocates—of privacy and security both—are right. Julian Sanchez recently described here how unknown hackers exploited surveillance software to eavesdrop on high government officials in Greece.

“Some argue that because the vast majority of users are law-abiding citizens, the government must accept the risk that a few criminals or terrorists may rely on the same secure networks.”

That view is also correct. The many benefits of giving the vast majority of law-abiding people secure communications outstrips the cost of allowing law-breakers also to have secure communications.

But the Post editorial goes on, sounding in certainty but exhibiting befuddlement.

The policy question is not difficult: The FBI should be able to quickly obtain court-approved information, particularly data related to a national security probe. Companies should work with the FBI to determine whether there are safe ways to provide access without inviting unwanted intrusions. In the end, there may not be a way to perfectly protect both interests — and the current state of technology may prove an impenetrable obstacle.

The policy question, which the Post piece begs, is actually very difficult. Would we be better off overall if most or all of the information that traverses the Internet were partially insecure so that the FBI could obtain court-approved information? What about protocols and communications that aren’t owned or controlled by the business sector—indeed, not controlled by anyone?

The Tahoe-LAFS secure online storage project, for example—an open-source project, not controlled by anyone—recently announced its intention not to compromise the security of the system by opening back doors.

The government could require the signatories to the statement to change the code they’re working on, but thousands of others would continue to work with versions of the code that are secure. As long as people are free to write their own code—and that will not change—there is no way to achieve selective government access that is also secure.

The current state of technology, thankfully, is an impenetrable obstacle to compromised security in the interest of government surveillance. The only conclusion here, which happily increases our security and liberty overall, is that everyone should have access to fully secure communications.

Unclear on Internet Security and Surveillance is a post from Cato @ Liberty - Cato Institute Blog

Washington Times reporter Shaun Waterman has a characteristically excellent article out today about U.S. cybersecurity authorities failing to secure their own systems.

According to a new report by government auditors, systems at the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit.

Time and again, people look to government intervention based on what they imagine government might do under ideal conditions. Real conditions produce far weaker results.

We’re better off distributing the problem of data, network, and computer security among all the self-interested actors in the country—fallible as they are. We should not abandon the problem to a central authority whose failure fails us all.

And You Look to Government for Cybersecurity? is a post from Cato @ Liberty - Cato Institute Blog

The Washington Post reports today on an article coming out in Foreign Affairs in which Deputy Defense Secretary William J. Lynn III reveals a successful 2008 intrusion into military computer systems. Malicious code placed on a thumb drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command and propagated itself across a number of domains.

The Post article says that Lynn “puts the Homeland Security Department on notice that although it has the ‘lead’ in protecting the dot.gov and dot.com domains, the Pentagon — which includes the ultra-secret National Security Agency — should support efforts to protect critical industry networks.”

The failure of the military to protect its own systems creates an argument for it to have preeminence in protecting private computer infrastructure? Perhaps the Department of Homeland Security will reveal how badly it has been hacked in order to regain the upper hand in the battle to protect us.

We Fail More—So Put Us in Charge is a post from Cato @ Liberty - Cato Institute Blog

Wired News reports on another bill proposing to create government authority to take over the Internet—this time, because of “cyberattacks.”

Most revealing is the part of the report exposing how Senate staff must fish around for reasons why the authority would be exercised, never mind to what effect:

In order for the President to declare such an emergency, there would have to be knowledge both of a massive network flaw — and information that someone was about to leverage that hole to do massive harm. For example, the recent “Aurora” hack to steal source code from Google, Adobe and other companies wouldn’t have qualified, one Senate staffer noted: “It’d have to be Aurora 2, plus the intel that country X is going to take us down using that vulnerability.”

A second staffer suggested that evidence of hackers looking to leverage something like the massive Conficker worm — which infected millions of machines and was seemingly poised in April 2009 to unleash something nefarious — might trigger the bill’s emergency provisions. “You could argue there’s some threat information built in there,” the staffer said.

These scenarios will never happen. And we wouldn’t want the government grabbing control of the Internet if they did.

The idea of government “taking over” the Internet for security purposes is equal parts misconceived and self-defeating. It’s a packet-switched network, meaning that it routes around the equivalent of damage that would be caused by anyone’s attempt to “control” it. The government could certainly degrade the Internet with a well-coordinated attack, of course.

And that’s the way to think about government controlling the Internet in some kind of emergency: It would be an attack on the country’s natural resilience.

In February, CNN broadcast a bogus reality TV show produced by the Bipartisan Policy Center called “cyber.shockwave.” A variety of technically incompetent government officials talked about pulling the plug on the Internet and cell phone networks in response to some emergency. Commentator D33PT00T captured the idiocy of this idea, Tweeting, “ok my phn doesn’t work & Internet doesn’t work – ths guys R planning 2 run arnd w/ bullhorns ‘all is well remain calm!’”

The Internet may have points of weakness, but it is a source of strength overall. A government take-over of the Internet in the event of emergency would be equivalent to an auto-immune reaction in which the government would attack the society. Proposals for the federal government to take control of the Internet under any circumstance are unfounded and dangerous.

Unfounded Government Plans to Take Control of the Internet is a post from Cato @ Liberty - Cato Institute Blog

“I think that is a terrible metaphor and I think that is a terrible concept,” said Howard Schmidt, the new cybersecurity czar for the Obama administration.

Schmidt: “There Is No Cyberwar” is a post from Cato @ Liberty - Cato Institute Blog

Wired‘s Ryan Singel has given a read to Cyberwar, the new cybersecurity book by Richard Clarke and Robert Knake. (I picked out a potential example of actual cyberwarfare in a Glenn Reynolds review of the book last week.)

Singel—a journalist who has been a sophisticated reporter of computer security issues for years now—is not impressed with the book or the reviews it has gotten. In his review, Richard Clarke’s Cyberwar: File Under Fiction, he writes:

So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included — Revelation doesn’t need sources.

It’s brief enough, and refreshing enough. I say read the whole thing.

Sober assessments of computer, network, and data security are far less interesting than the thrillers that would drive Washington policymakers to overreact. This report in Government Computer News, for example, relates the findings of a recent Symantec report on threats to government systems and gives reason to settle down about cyberthreats from China.

China was the top country of origin for attacks against the government sector in 2009, accounting for 14 percent of the total, but too much should not be read into that statistic. The apparent country of origin says little about who actually is behind an attack, said Dean Turner, director of Symantec’s Global Intelligence Network.

China’s ranking is due primarily to the large number of computers in the country, Turner said. Less than a quarter of attacks originating in China were directed at government targets, while more than 48 percent of attacks from Brazil — No. 3 on the hit list — were directed at government. This makes it unlikely that China is specifically targeting government systems.

Compromised computers that are the apparent source of attacks often are controlled from elsewhere, and an attack apparently emanating from China does not necessarily mean that the Chinese government, or even anyone in China, is behind it. Attribution of attacks is notoriously difficult, and statistics do not necessarily indicate that the United States is under cyberattack by China. In fact, the United States ranked second in origin of government attacks in 2009, accounting for 11 percent.

(Symantec is a vendor to governments, so naturally prone to threat inflation itself. GCN reporter William Jackson deserves credit for the sobriety of the story.)

Cybersecurity-related fearmongering could drive unnecessary dischord between the United States and China, leading to actual conflict where none is warranted. Singel again:

[A]rtists of exaggeration . . . seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.

Fact-Checking “Cyberwar” is a post from Cato @ Liberty - Cato Institute Blog

The good thing about this review of the book “Cyber War” by Richard Clarke and Robert Knake is that it actually mentions attacks on computing and communications during warfare.

Messrs. Clarke and Knake are convinced that an Israeli air strike in 2007 against a secret North Korean-designed nuclear facility being constructed in the Syrian desert was a textbook case of cyber-aided warfare. Israeli computers “owned” Syria’s elaborate air defenses, the authors say, “ensuring that the enemy could not even raise its defenses.”

That might actually be “cyberwarfare.”

The rest of the review, and presumably the book, is threat exaggeration and distortion, wrongly characterizing the wide variety of security issues pertaining to computers, communications, and data as having to do with “war.”

An Actual Example of “Cyberwarfare” is a post from Cato @ Liberty - Cato Institute Blog

The Washington Post launches a new weekly today, Capital Business, covering business in the Washington area. The cover of the first edition is striking:

As the cover line exults, “There’s a wave of government money headed our way — bringing opportunities in health care, green energy, cybersecurity and education.” Of course, it’s not actually “government money” — it’s money taxed or borrowed from those who produce it in the 50 states and then sprinkled liberally around the Washington area, which now contains 6 of the 10 richest counties in America.

If the Capital Business cover image had a few more arms, it would look like the logo for this year’s Cato University, “Confronting Grasping Government“:

Washington Rakes in the Money is a post from Cato @ Liberty - Cato Institute Blog

NPR is running a series of stories on “cybersecurity,” prompting some to express their exasperation with cybertouting of cyberthreats.

Some of my cyberefforts on that cyberscore are cyberhere, cyberhere, and cyberhere. CyberBen CyberFriedman has written cyberthis and cyberthis.

Sick of “cyber” yet? Good.

Securing computers, networks, and data is important. But there’s no such thing as cyberterrorism, “cyberwar” is what might occur in computing and communications during an actual war, and the bulk of the work is, as Bruce Schneier puts it, boring:

Securing our networks doesn’t require some secret advanced NSA technology. It’s the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks.

Sick of ‘Cyber’ is a post from Cato @ Liberty - Cato Institute Blog

Brilliant column from William Jackson on GCN.com debunking “cyberwar”:

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.”

It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime.

The habit of threat inflation is harmful to the country. Jackson’s welcome take on “cyber” threats earns an accolade I rarely give out: Read the whole thing.

How Can We Be at Cyberwar if We Don’t Know What It Is? is a post from Cato @ Liberty - Cato Institute Blog

The New York Times dutifully reports that the Director of National Intelligence says it is. But it’s hard to know what that means. The word “cyberattack” has no usefully fixed definition.

And the important questions—plural—include: 1) whether cyberattacks—plural—are growing in number and sophistication more quickly than the capability of infrastructure owners to fend them off and recover from them; 2) which, if any, owners lack incentives to secure their infrastructure and what security externalities they might create; and 3) what levers—such as contract liability, tort liability, or regulation—might correct any such market failures.

Some lines in Director Blair’s statement are quite telling. Compare this:

Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens.

to this:

The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders.

Now, which class of actors are you going to worry about—the ones that dream of doing something bad? Or the ones that have the sophistication to do something bad? Probably the latter.

While calling for a federal intelligence-community role in “cybersecurity,” Blair confesses that this is more of a crime problem that the business sector needs to handle than a true national security issue in which the leading role would be played by government.

The good news is that crime syndicates don’t prosper by killing their hosts. Don’t look for catastrophic failure of our technical infrastructures arising from this most serious of “cyber” threats.

There’s no question that cybersecurity is important. But it’s also manageable. I shared my thoughts on “cybersecurity” last year with the House Science Committee.

Is the Threat of Cyberattack Growing? is a post from Cato @ Liberty - Cato Institute Blog

Speaking of the Center for Democracy and Technology, Leslie Harris gave a terrific quote to Forbes.com for an article on cybersecurity:

The Rockefeller-Snowe Bill represents just the sort of heavy-handed regulation that could stifle innovation and hurt the economy, argues Leslie Harris, president and chief executive of the Center for Democracy and Technology. “If you lock things down too tight and try to centralize and federalize all kinds of standards, you’re on a collision course with the innovators who may be making the next great tech product in their backyard,” she says.

The question is why CDT doesn’t apply this thinking to the field of identification and credentialing.

Lock It Down, Centralize It, Federalize It is a post from Cato @ Liberty - Cato Institute Blog