Flight plan for security
Technologist recommends an international approach to cybersecurity, based on aviation's approach
- By William Jackson
- Aug 10, 2007
The information technology security community is on the losing side of a lopsided battle to secure the increasingly wild and wooly cyberspace, a professor who combines international affairs and computer science told a Washington audience last week.
The odds in the struggle have favored the bad guys, who focus on exploiting what others create, said Seymour Goodman, of the Georgia Institute of Technology.
'These guys are becoming innovative faster than the good guys,' Goodman said. The technology also works against security. 'Things that scale really well tend to favor the bad guy. Effective law enforcement scales very badly.'
Speaking at the Hudson Institute, Goodman said the IT community must go beyond law enforcement to secure an increasingly vital information infrastructure, and he proposed the Civil Aviation Convention as a model for the job. Almost every country belongs to the convention, which was adopted in the early years of this century to protect a rapidly developing transportation infrastructure. It focuses on standardizing requirements for protecting the aviation infrastructure and requires operational capabilities in member countries.
'Access is the enemy of security. Very little of [the internet] was designed with security in mind.
'Seymour Goodman, Georgia Institute of Technology
Goodman said the result is an aviation industry that is relatively secure given its inherent risks and high profile as a target for terrorists.
The current information infrastructure, based primarily on the Internet, was created with an emphasis on functionality and easy access. Its growth has surpassed expectations. In the 1980s, Goodman was part of a Defense Department working group that recommended that DOD should relinquish control of the ARPAnet, the Internet's precursor, and let it move to commercial development. At that time, he estimated that 60 or 70 countries might connect to it by 2000. He was off by a factor of three.
There are now about 1.3 billion Internet users in more than 220 countries, as measured by their top-level domains.
'A lot of this is very good, but it raises a number of security problems,' Goodman said. 'Access is the enemy of security. Very little of this was designed with security in mind.'
As a result, the bulk of today's e-mail traffic ' as much as 90 percent by some estimates ' is spam. Malware has compromised about 14 percent of U.S. household computers and can incorporate them into botnets for illegal use by organized crime.
All 53 or 54 African countries ' depending on how you count Western Sahara ' are on the Internet, and Internet users often exceed the number of landline telephones in a country. The continent has little centralized security, and only two countries, Algeria and Tunisia, have computer emergency response teams.
'The only thing that is growing faster is cellular telephony,' which has about 3 billion users with 1.6 million being added every day, he said. And cellular technology is becoming increasingly integrated with the Internet.
Unlike earlier communications technologies, today's networks are global, with no single point of control or authority, and their interactive nature makes them more valuable and more dangerous.
Organizations such as the Council of Europe's Convention on Cybercrime are trying to come to grips with these issues. About 30 countries, including the United States, have ratified the convention.
But 'the European Convention is crime and punishment,' Goodman said. 'It harmonizes laws. There is much to be said for a convention like this,' but the law enforcement focus makes it reactive rather than proactive.
'I'm still rooting for this thing to work,' but the scheme has limits, Goodman said. The convention does not require member countries to develop methods of enforcing its measures.
In contrast, the Civil Aviation Convention requires member countries to have the ability to meet and enforce its standards for safety and security of airports and air carriers rather than merely respond to security breaches. Each country must have a regulatory body similar to the U.S. Federal Aviation Administration.
Failure to meet those standards can result in airports or carriers being cut off from the rest of the world.
Goodman said the International Telecommunication Union, a United Nations agency for information and communications technologies, might be the vehicle for such a cybersecurity scheme. He added, however, that the analogy between securing air transportation and cyberspace is imperfect. The aviation infrastructure is much more limited and more easily controlled by member governments than the Internet.
William Jackson is freelance writer and the author of the CyberEye blog.