Security Awareness Month

On May 1, 2001 I walked with Cornell University’s security coordinator over to the Law School to discuss with the director of Legal Information Institute and its network administrator a server breach.

A hacker exploited vulnerability and was sucking down all of the information on the site. A veritable neophyte when it came to the technology of the Internet, I was in learning mode. Having gleaned from my student days at Cornell Law School that expertise in any field is built around vocabulary, I made a mental note of the new terms as well as old ones with new interpretations. Network flow longs indicated that the attacker had exploited vulnerability in a server. The attacker set up a proxy server to disguise the Internet protocol address. Now the hacker was downloading all of the documents off the site. Curiosity overcame my attempt not to appear ignorant. “Why would anyone do that when all they have to do is go online to find the documents,” I asked. Almost as if on cue, the network administrator and the security coordinator turned to me simultaneously and said, “They are in China.”  I tried to make my face appear as if that explained everything, but it did not.  All they had to do is go online I kept thinking … it was already free. 

Minus the ignorance, I could tell this story again today without anyone blinking an eye. That it occurred in 2001 is only an indication of the endurance of technical security issues on the Internet that threaten everything from data integrity to the Gross National Product of nation states.  The only salient factor that has changed is the range of media accounts that speak to this experience in industry, government and education. In 2013, the New York Times, angry as a hornet with the People’s Republic of China’s breach into the email accounts of its reporters, broke the corporate silence.  The public is now much more aware of security breaches.  Home Depot, Target, Sony, Blue Cross and Blue Shield are just some of the names of industry leaders in the last couple of years that have made headlines. Over the years, breach notices have gone from alarming messages to junk mail. And yet even in 2015, there appears to be no end in sight.  Why?

Let’s approach this question from the perspective of the Lessig framework. In other words, what are the technical, market, social and legal factors that contribute to the state of play? Beginning with the technical, it is important to remember that the Internet’s strength is also its weakness.  The simple elegance of packet switching allowed for more complex technologies to be built upon it.  Its openness was, and remains, an invitation to developers of all stripes. Contained in the halcyon DARPA days with network administrators in higher education, the government and some industry, the experimental network grew with a naïve sense of trust.  Once opened to the public, the Internet became the canvas upon which all humanity painted itself.  TCP/IP protocols do not discriminate between “good” and “bad” code.  A vehicle for the market, the Internet transports the packets of legitimate banks, organized criminals and reckless vandals just as sure as these disparate elements of society can be found on the streets. Altruistic souls and trolls surf the ‘net.  Only an equally naïve sense of human nature would expect anything different.

 The one factor left unaddressed is the one most needed: law. There is no international law on cyber security.  Remember a few weeks ago when President Xi of the PRC visited the United States? Not surprisingly, cyber warfare was at the top of the list.  Of course, no one expected resolution; most don’t even expect meaningful action. In part, this result is because both the substantive and procedural mechanisms are either not clear or don’t exist. 

The United Nations would be the most obvious locus for such law, but no one really believes that they have the necessary credibility. Not the only offender of that cynicism, but a case in point, the United States that picks and chooses its issues with the U.N. and its judicial arm, the International Court of Justice. Treaties are the most viable instruments of international law, but both the magnitude and the quality of this challenge are beyond what treaties accomplish. The United States and the People’s Republic of China are two very significant offenders of cyber warfare, but they are by no means alone.  Neither world powers, nor world power aspirants, are going to turn off their cyber warfare operations in the midst of a global wild west. Blurred lines between offensive and defensive approaches make the rules of engagement all the more difficult to articulate. Advanced persistent threats (APTs, the ones sponsored by national states) have morph from direct military action into script widely disseminated among the hacking public; it is now getting increasingly difficult to trace a direct connection back to the government. Treaties cannot address diffuse criminal behaviors. 

Nation-state sponsored attacks, organized crime and intentional vandals (including for protest or political purposes) comprise the three principal categories of what lies behind our insecure Internet. Higher education can’t compete in such a highly funded, intensely motivated and complex technical/behavioral landscape. Money would help, especially because every dime higher education spends on network security in its broadest sense (meaning not just the hard and software, but in policy development, training and education) is money that is not spent directly on our missions; those expenses are part of the many hidden costs (compliance and the foibles of scholarly publishing are two of my other favorites) of higher education that jack up the tuition price. But money alone will never answer this challenge.  Meaningful collaboration among industry and government and higher education is an achievable goal, although so long as the United States remains a player in cyber war, colleges and universities should engage with a grain of salt. Robust information management that includes privacy and security, compliance and risk management, is a business necessity for colleges and universities if only to protect institutional information and research data.  Any board member that expects perfection from their presidents and chancellors, chief information and security officers, however, should be schooled in the total risk portrait before s/he levels criticism or blame in the event of a breach. A “keep up with the Jones’” approach of best administrative, technical and physical security practices is what separates negligence from doing reasonable risk management.  Perfection is far from that mark.

And yet, I hold out hope for higher education in this space.  Recently a participant on a panel discussion with government (NSA, NIST) and industry (Cisco and the Chertoff Group), I attempted to redefine the hackneyed judgment that higher education is “open” and therefore particularly vulnerable to attacks.  By and large the only thing higher education is more open about is disclosing these events to the public. This exposure is especially true for public institutions subject to open records laws. That said, I am the first to admit higher education has particular challenges. Trying to get a tenured faculty member to appreciate the difference between unsecured networks and open scholarship can sometimes be especially exasperating, but it is a task to which we must bring respectful and deeply informative training, education and compliance. Meeting this challenge is an object lesson for the American public.  Couldn’t – shouldn’t – higher education offer its experience in keeping with its outreach missions and public service?

And so here is the twist: Higher education can play a leadership role in the area that needs attention the most: International Internet governance. Higher education institutions around the world have their missions in common. To be sure, there are varying levels of nation-state influence in those institutions, and let’s not kid ourselves, not least in the United States.  But still, that modicum of what makes higher education unique – the pursuit of knowledge for knowledge’s sake, and imparting that thirst in the pedagogy we teach – contains a kernel to exploit in the best sense. Higher education can facilitate a necessary conversation about international Internet governance. It can become the locus, physical and virtual, where issues can be raised and negotiations can take place. Integrity of its missions is a mantle and bully pulpit. Let’s start thinking about how to use those opportunities to preserve that which higher education helped to create: the Internet. 

P.S.  On a lighter note, my favorite Security Awareness Month feature is this one from UMass Amherst.  Check it out!