Schneier on Security
A blog covering security and security technology.
« Our Inherent Capability for Evil |
| Risk Preferences in Chimpanzees and Bonobos »
April 16, 2008
Comparing Cybersecurity to Early 1800s Security on the High Seas
This article in CSO compares modern cybersecurity to open seas piracy in the early 1800s. After a bit of history, the article talks about current events:
In modern times, the nearly ubiquitous availability of powerful computing systems, along with the proliferation of high-speed networks, have converged to create a new version of the high seas--the cyber seas. The Internet has the potential to significantly impact the United States' position as a world leader. Nevertheless, for the last decade, U.S. cybersecurity policy has been inconsistent and reactionary. The private sector has often been left to fend for itself, and sporadic policy statements have left U.S. government organizations, private enterprises and allies uncertain of which tack the nation will take to secure the cyber frontier.
This should be a surprise to no one.
What to do?
With that goal in mind, let us consider how the United States could take a Jeffersonian approach to the cyber threats faced by our economy. The first step would be for the United States to develop a consistent policy that articulates America's commitment to assuring the free navigation of the "cyber seas." Perhaps most critical to the success of that policy will be a future president's support for efforts that translate rhetoric to actions--developing initiatives to thwart cyber criminals, protecting U.S. technological sovereignty, and balancing any defensive actions to avoid violating U.S. citizens' constitutional rights. Clearly articulated policy and consistent actions will assure a stable and predictable environment where electronic commerce can thrive, continuing to drive U.S. economic growth and avoiding the possibility of the U.S. becoming a cyber-colony subject to the whims of organized criminal efforts on the Internet.
I am reminded of comments comparing modern terrorism with piracy on the high seas.
Posted on April 16, 2008 at 2:27 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm not exactly sure what "protecting U.S. technological sovereignty" means, but it doesn't seem to fit in with fighting "cybercrime". It sounds more like maintaining prestige than anything else.
The first part of the article (history of piracy) is interesting, but the second half (internet) is full of vague language that makes me wary.
"In the case of financial fraud on the Internet, the costs... are currently borne by private companies... This basically creates a system in which the financial institutions are paying a type of "tribute" to the cyber criminals, just as Adams did to the Barbary pirates."
Umm... no. If these institutions payed protection money to criminals to leave them alone (which they may for all I know) that would be tribute. This is not.
The article is full of such forced analogies and doesn't seem to mention the art/science of cryptography at all, but rather sees everything in terms of political action at the international scale. This makes me VERY nervous.
One more gem:
"The efforts of the United States to disrupt the illegal drug trade provide examples of how we can work with other countries, respecting their sovereignty, while working to undermine the drug cartels and interdict threats before they arrive in U.S. ports."
BWAH-HAH-HARR! (snort!) Sorry.
P.S. I tried to link "vague language" to the Wikipedia article on "Politics and the English Language", but I guess we can't use tags here.
Personally, I'd rather the government stay the hell out of it completely. They've managed to screw up everything else they've ever touched, so why do we want them to get even further entrenched in the internet. I say kick them out!
I'm with you Beta. Not a good example of success to cite.
Our government is part of the problem. Homeland Security attacks on the Constitution and US citizens have done nothing to stop terrorism. It is getting worse, not better.
I'm not certain how far this metaphor can be taken. As history and the article point out, part of America's approach to dealing with piracy was aggressive law enforcement, such as by sinking pirate ships and sailing to "the shores of Tripoli" to directly threaten pirate leaders with bodily harm. In 1815, a British fleet secured an end to Barbary tribute by bombarding Algiers into rubble.
While effective at sea, I'm not sure these tactics map well to the Internet.
Some of these tactics map; for instance, Orson Swindle [FTC Commissioner]'s solution to the spam problem.
Government intervention will be required to effectively deal with some online security threats such as industrialized fraud (e.g. 419), spam, and the underlying issues responsible for botnets. However no one should have any confidence that initiatives on these fronts won't be combined with Orwellian efforts that define business model protection for corporate rent seekers as a security problem.
"Protecting U.S. technological sovereignty, and balancing any defensive actions to avoid violating U.S. citizens' constitutional rights" Ho, ho.
As is often the case, the US citizen gets the deliverable, the rest of us must be satisfied with a principle:
"a presidential declaration outlining the unalienable right of all nations and peoples to conduct commerce on global networks"
We are supposed to be reassured that a nation that less than 50 years ago was one of the biggest piraters of intellectual capital (it's good odds that, for one example, a number of those reading this forum first read "The Lord of the Rings" in a US pirate edition) is now #1 in its concern for the rights of others?
It's as if 1600 Britain proposed issuing a declaration "outlining the unalienable right of all nations and peoples to conduct commerce on global" seas while "protecting English technological sovereignty, and balancing any defensive actions to avoid violating English citizens' legal rights". The Spanish and Portugese would have laughed themselves sick.
Reality check time...
Most of the rest of the world look at what the US has been upto recently in the name of "democracy" and hence have started putting an even longer handle on the spoon.
You also need to remember that piracy on the organised scale it became happend because it was used as a weapon of politics between the seafaring nations. Later it became a way for either disposesed or oppressed people to escape the tryany of those same governments.
Piracy on that scale only carried on as long as it did because the good people of certain parts of what is now the US were happily buying the stolen goods the pirates had aquired.
Which beggs the question of who benifits most from any process, usually it is the people who run it.
This gives rise to the conspiracy buffs notion of a "fundraiser" where those in power and in a policing role decide the easest way to build their empire is to either talk up or worse commit a couple of criminal acts close to home. So they can the "go to the folks on the hill" and bleat they are under reasourced.
So forgive the rest of the world if it views an US "initiative" as yet another power grab.
On a more technical note the US does not own the Internet the majority of users are not in continental America. Some US organisations currently control certain parts of the Internet infrestructure, but only because others allow them to currently to avoid the effoft of doing it them selves.
If pushed how long do you think it would take Europe or other large nation saying not on our turf?
We all ready see nations setting up firewall technology to "protect their citizens" from US influence. And we also see US technology companies happily going allong with such nations and supplying them with the technology or assistance they want.
So how can the US maintain it's supposed lead position?
I suspect only by not pushing others to the point they will want to break away. And importantly that has implications on those living in the US. After all it would be easier for a company to lose the connectivity to a small entities web pages than lose a major contract worth millions...
Which by the way we have all ready seen happen.
Even if one buys into this comparison, fighting pirates in the name of free navigation meant a commitment to values. Foremost the value of free navigation.
Regulation of cyber space so far seems not to be committed to values but to corporate interests and greed. If the US were to establish values for cyber space, net neutrality sould be the first.
"Our government is part of the problem"
You could at least acknowlege the Internat as a creation of the US government. Almost every building block of what we regard as cyberspace was either wholly funded by the US.-
IP, TCP/IP, DNS POP, SMTP etc. from the DARPA project, or came out of International projects funded by various governments ( including the USA such as the www protocol and HTML ) from CERN.
The private enterprise innovations are so far confined to SPAM and Phishing.
Safety is always the most important
If I get it right, he thinks somebody should do something. What a revolutionary idea!
For the pirate's viewpoint on all this, read
The Sea Rover's Practice: Pirate Tactics and Techniques, 1630-1730
Written by a former Navy Seal, it concludes:
"Whatever their vices, weaknesses, and moral ambiguities, these buccaneers have in common with most sea rovers several tactical virtues, including innovation, loyalty, perseverance, adaptability, and courage. Collectively, they prove that a loose, uncentralized, and informal network can conduct significant, complex military operations. They show the effect that an irregular force can have on the resources of a powerful state, causing great economic damage and tying down significant forces. And, most importantly, they demonstrate that elements of broadly divergent and disparate cultures, races, nationalities, classes, professions, and personalities can act as one with a common goal."
So...instead of a set of pipes or tubes, the internet is now a bunch of creaky 1800s sailing ships?
Part of how we dealt with the pirates in the 1800s was not giving in to their demands. Ship captains started firing their own ships rather than let the pirates have them. Maybe dismantling the credit system, which is where a LOT of the problem lies simply because they want credit to be too easily obtainable, would be a better analogy than having the US Government "develop initiatives".
Part of how states dealt with pirates was issuing letters of marque and reprisal. Do we want to engage in the internet equivalent? If the analogous solutions aren't desirable, is the analogy anything other than a mental exercise?
Yeah, right, US goverment must devise a policy, blah, blah, blah.
Yeah, sure, policy. So the hackers will have something to wipe their arses with.
How thick one needs to be to live to an adult age and never notice that government policies never seem to make anything better?
And, yes, sending spam is a kind of terrorism.
Can it get even more stupid?
Speaking of Pirates and outrageous disproportionality.
Has anybody ever read the U.K. "Marine Offencies Act" 1967?
(unfortunatly it does not appear to be online but you can get the flavour from
Put simply the U.K. Gov reserved the right to carry out what would be "acts of Piracy" against ships and other vessels outside their jurisdiction to prevent said vessels transmitting broadcast signals into the U.K.
The way the then Labour Government under Harold (mack-n-pipe) Wilson was to claim the broadcasters where "pirates" and therefore criminals...
To put it in perspective if you had the worlds largest bulk cargo carrier and you filled it full of highly illegal and consiquently high value items/substances and sailed it just outside of U.K. waters there is little or nothing the U.K. Government could legaly do.
However transmit a radio signal in any of the Broadcast bands and the UK Govenment reserve the right to board / imprison / confisgate etc which is prety much what the Pirates of old did...
This proves it is easy to carry an analogy too far...
Next I expected to read about "cyber drownings" and "cyber (water)pollution". Dont forget cyber global warming raising cyber sea level or over-cyberfishing depleting cyberspecies or cyberfish. And of course the dreaded cybertsunami.
The government takes to long to answer anything. It also takes to much to change it. If people wouldn't jump into deeper water than their head they wouldn't have these problems. People tend to think that they can get into a fix and someone will come along to help them. Ignorance is bliss. If everyone realized that everyone is a criminal whether they claim to be or not. As in you heard something and then repeated it to someone. That info along with other MISGIVINGS helps to set a scheme into place even if there wasn't one to begin with. People that are fed info, interpret it differently. Even if you have a moral stand against crime. Your concocting an idea of how a crime could happen is a step for someone else who could be building a staircase. That statement is also the way criminals are caught. Thus ending up as a >constructor
Which makes me wonder why I posted. Or is it the reason I posted.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.