Is Network Security Impossible?

Kyle A. suggested I write an article about Cyber Security and Telecoms.  It is certainly a timely request.  The last several weeks have seen the WannaCry ransomware affecting innumerable computers.  Estimates vary, but it seems probable that more than 100,000 computers around the world were affected.

Beyond this specific attack, there are no reliable estimates of the number of attacks or victims of cyber attacks.  Attackers don’t seem to be advertising their successes.  Often victims, especially companies, are reluctant to admit to being hacked or attacked.  The potential for negative publicity deters them. This reticence may benefit the attacker.

If the magnitude of the problem were more widely understood, a greater will to confront and solve it might exist.  It is clear that cyber attacks represent an uncontrolled risk, one that, anecdotally, seems to be growing. This risk is to everyone, not simply specific groups of users. It is this uncontrolled risk that must be addressed.

User Training

First and simplest is end-user training. People must be made aware of their personal responsibility to prevent such attacks. The use of good passwords and good security practices would help, a little. It is also the lowest-hanging fruit. Governments often undertake public service campaigns for the greater good, such as anti-smoking, drink driving, fluoridated water. A campaign promoting good online security practices seems uncontroversial.

More difficult would be to educate users in a healthy skepticism of SPAM and Phishing style attacks.  Both these attacks rely upon gullible users. If there is a way to fix that I’d volunteer myself for it!

Software Product Liability

But simply improving end-user practices will not end cyber attacks. Not all cyber attacks are the result of user error or negligence. Many attacks exploit weaknesses in commonly-used software. WannaCry allegedly used a so-called “zero day” exploit in older versions of Windows software. Government intelligence agencies also use these weaknesses to spy. So why do such weaknesses exist? Isn’t it normal that companies are required to fix known defects in their products? Think of how often we hear of car manufacturers issuing “recalls” to correct some defect of the vehicles they produce.

The US has a long history of product liability law that makes companies financially liable for damages and injuries caused by product defects. American courts can impose judgments on companies to pay financial damages to people harmed by defective products. If the company can be shown to be willfully negligent, usually meaning they knew of the defect but chose not to fix it, settlement paid to victims can be greater than the actual cost of the damage. This cost forces companies to be more careful and diligent about producing and repairing defects.

This practice of Product Liability has profoundly changed American life and made America a much safer place to live. This is likely true elsewhere, too. Think of car seat belts, motorcycle helmets, inflammable children’s clothing,

But this is not true for the software industry. In the US at least, and perhaps in other countries as well, the software industry is NOT liable for bugs in their products.

From the earliest days of the computing business, software was made exempt from product liability. It may be time to rethink this exemption and make software makers liable for defects to some extent.  To do so would certainly increase the cost of software. But cyber attacks do that, too, in an uncontrolled way.  Perhaps if software companies bore liability the costs would become more clear.

The proposal that this exemption should end seems only fair to companies who do not share it.  But it is sure to be very controversial if and when it is ever implemented.  What are your thoughts?  Do you know what software was granted this exemption in the first place?  Can you think of good reasons for it to continue? Can you think of ways to soften the blow that ending the product liability exemption would deal to such a critical industry?

Insurance

If product liability were made a requirement of software, it would likely lead to another common aspect of daily life that is mostly missing from the software industry: insurance. To offset the risk of an expensive product liability lawsuit, insurance companies would begin selling relevant insurance policies.  Software makers would protect themselves from the risk of bugs by insuring themselves.  Again, this is a pretty straightforward suggestion, but one with profound implications for a critical industry.  How might the transition costs be borne? How might the disruptions be minimized? The finish line can be seen, but how do we get there?

Bad Security Practices

Software defects are only one aspect of the problem. Even good software products can be exploited when bad security practices are used. I’ve already discussed end-user training. But what happens when the bad security practices of network administrators lead to cyber attacks?

This does get to the point that these days, all IT is security related. There really is no sensible distinction between any aspect of IT and security practice. The best way to make your network as safe as it possibly can be is for every technical employee to be trained in security practices relative to their responsibilities, and to be security conscious in everything they do, always.  Security layers are built from the ground up.

Applying a product liability mindset could again help. If companies were held to account for the damage done by their bad practices, whether negligent or malicious, they would quickly respond with better practice. The alternative is likely bankruptcy.

Malice of Intent

No matter how much is done to eliminate software and networking defects, there will still be parties willing to commit cyber attacks.  Just as other parts of society have persons willing to break the law, cyber criminals will still exist.  If the changes I’ve discussed have been put in place, criminal law becomes the last defense against cyber attacks.

Do you think the law and Law Enforcement are appropriate in this case?  Are cyber attacks somehow different, requiring different remedies than those offered by current law?

Internet Plumbing

Another aspect of the problem relates to the very plumbing of the Internet itself.  From its earliest beginning, the Internet was developed in Academia with a spirit of openness and sharing built in. The fundamental protocols upon which the Internet runs have precious little built-in security.

I’ve heard that when the latest version of the core networking protocol, IPv6, was being debated there was considerable tension between advocates of openness and advocates of security. This tension remains unresolved. With so much commerce now dependent on the Internet, perhaps the default to openness is no longer appropriate. What do you think?

Telecoms

When discussing the Internet’s plumbing, it is not lazy to consider Telecoms networks to be “dumb pipes”.  The metaphor is a good one.  We learned this lesson from failures deploying the so-called Intelligent Network in the PSTN.  The Internet has flourished partly because transport, the dumb pipes, is mostly indifferent to the content: all bytes have been treated equally.  The intelligence is all in the edge devices.  This is a logical point for a discussion of Net Neutrality.  But I’d like to leave that as a topic for another article.

Telecoms themselves are sometimes the victims of cyber attacks. But I see these as mostly a result of either bad security practice or software vulnerabilities.  The attackers generally want something the Telecoms have, subscriber data and credit card numbers, and sometimes eavesdropping on the content, rather than something the network itself is.

But security is also a service that Telecoms can and do sell. Traffic scanning for malware, mitigation in case of outages or even DNS attacks, man-in-the-middle detection and thwarting, just to name a few. Many companies already do this.  It is positive to think of cyber security as a legal, commercial opportunity for entrepreneurs to exploit.

What do you think? Are Telecoms especially vulnerable to cyber security issues?

Conclusion

Cyber attacks result primarily from 2 conditions: 1) lack of product liability in the software industry, which frees software developers from the consequences of selling defective products, and 2) poor security practices of network users and administrators. Neither will be easy to fix.  But don’t we have to start somewhere?