Subject: IP: PFIR Statement on Legislating Internet Security
> PFIR Statement on Legislating Internet Security
> (http://www.pfir.org/statements/02.12.00)
>
> PFIR - People For Internet Responsibility - http://www.pfir.org
>
> [ To subscribe or unsubscribe to/from this list, please send the command "subscribe" or "unsubscribe" respectively (without the quotes) in the body of a message to "pfir-request@pfir.org". ]
>
> 2/12/00
>
> Greetings. In the wake of the recent flurry of public concern over Internet denial of service (DoS) attacks (as discussed in http://www.pfir.org/statements/02.09.00), we are already hearing calls that Internet sites must somehow be "forced" to upgrade and maintain their security, probably through legislative mandates. Information suggesting that otherwise innocent third party systems were hijacked to participate in these attacks has contributed to this viewpoint.
>
> Unfortunately, the history and practice of computer security suggest that attempting to legislate such security is usually akin to passing laws aimed at controlling the weather--we may know what we want, but our ability to influence events has severe practical limits!
>
> Unlike other areas (such as privacy policies) where legislation could establish rules which most firms and individuals could understand and implement without undue complexity or haziness, computer security is a very different sort of very complicated beast.
>
> In particular, few computer users, even amongst the most experienced, have a complete understanding of all installed security-relevant software on their systems--it may not even be clear which software would be involved!
>
> Since the most widely used operating systems and software applications are closed-source, the overwhelming majority of users are almost completely dependent on their software vendors for virtually all aspects of their computing environments, from secure default configurations to ongoing bug fixes. Even with open-source systems such as Linux, an increasing percentage of users will not have the experience to personally discover, track down, or repair security problems by themselves. Attempts to remove the user "from the loop" by automating software update procedures can introduce their own security and system stability risks, capable of causing new problems on previously stable systems.
>
> In the current rapidly changing Internet environment, most users are embedded in a continual cycle of downloading and installing new upgrades, drivers, and other software components on a frequent basis. Even assuming no designed-in security trapdoors (not at all a safe assumption in the real world!) the ease with which accidental security flaws may be introduced through such downloads is alarming.
>
> Perhaps most at risk are the ever increasing numbers of home and small business computer users with full-time high speed Internet connections (via cable modems, DSL, or other technologies). The users of such systems can be extremely vulnerable to outside attack, with the potential for untold damage to their privacy and systems, and to other parties' systems when computer hijacking occurs. The ease with which such attacks can be developed, evolved, and launched is staggering, and protection is difficult to assure in the ever-changing software environment on most targeted systems.
>
> The vast array of software from different vendors, which can interact in unpredictable manners, guarantees that even with the best of intentions security problems are a fact of life, and will continue to be so. No technological or legislative "magic bullets" will be forthcoming that can substantively alter this situation. We need to come to grips with the fact that while we can do our darnedest to implement the best security possible, we are engaged in a perpetual cat-and-mouse game. This has profound implications both for the Internet itself and for all of the applications, however trivial or critical, which we choose to host upon it.
>
> The sooner we begin to meaningfully factor these realities into our thinking throughout industry, government, and the consumer world, the better for us all!
>
> --Lauren--
> Lauren Weinstein
> lauren@pfir.org or lauren@vortex.com
> Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
> Moderator, PRIVACY Forum - http://www.vortex.com
> Member, ACM Committee on Computers and Public Policy