Thursday, September 27, 2012

Cybersecurity: achievable or a Conundrum?

I use the internet a lot...for communication and other things.  I am not at the cutting edge of knowledge like my grandchildren, who seem to be prescient as to how to handle stuff that I haven't even yet discovered exist, but it doesn't scare me.  It is just another tool, like the phone or a hammer.

But I have read articles lately about what is described as the threat of lack of cyber-security, which I interpret to be the possibility of purposeful interference with the ability of folks to communicate and do business over the internet and even the possibility of bringing targeted businesses and even the system itself down in total collapse.

That is scary.  Sort of.  Although there are times, when I watch young people text each other while sitting in the same room, that I think maybe the total elimination of the internet and electronic "communication" might not be the worst thing for the long term survival of mankind...but, I digress.

I used to have to write and mail a check to pay my bills.  I used to have to write a letter to communicate with others, if they didn't live in the same town.  I used to actually meet and discuss things with folks face to face.  It was good; it encouraged civility and mutual understanding, because there was no electronic anonymity.  This could be a useful thing to re-acquire, I think.

But, assuming that we can never go back...even if there would be a benefit...what is the logical approach to this cyber-security problem?  I am not an expert.  I don't know what is possible.  But logic...even from an old fogy like me...suggests a few things:
1)  Legislation is not...and never will be...the answer.

Folks who break the law are not impressed by legislation; their activities are neither influenced nor controlled by right or wrong.  You aren't hitting the target.  Likewise, those using the internet for lawful purposes aren't protected by legislation; they hire smart people...sometimes people who can solve the problem (surprise) without government "help."

2) Perfection and providing 100% reliability is impossible.

Systems sometimes crash for reasons having nothing at all to do with ill-intent of others.  "Stuff happens."  There is no need to focus on security...except for personal records and more than an inconvenience.

3)  We have enough laws for fraudulent behavior now.

Certainly we should inspect and where necessary amend current laws to include electronic and internet activity within the covered purview of current laws, but that aside, there is no reason to add another volume to the already voluminous Statutes of the United States.

4) I would guess that the answer is in technology and traceability.

Perhaps our electronic information systems gurus could develop some useful things:
a) an electronic "trap" that would prevent a hacker from erasing traces of their entry into systems;
b) an automatic shut down of a system if there is an overload of requests (demands for service) to prevent damage to the system (this may already be in place); and
c) a means of limiting the number of cut-outs available to users of the internet so as to make it impossible to utilize multiple routing origin points, making it easier to locate the source of activity.  This last would make it much easier to zero in on miscreants and apply the penalties of existing law(s).

5)  For Nation-State activity in this area, I would think that a declaration of the old cold-war, nuclear threat policy of Mutually Assured Destruction might have the same effect here as it did then; if an attack occurs, it will result in the same response, leaving both entities totally at the mercy of the rest of the world nations.

These are ideas, not declarations of solutions.  I don't know if they are workable, either now or in the future.  But they have the attractive element of not inviting additional governmental activity and attempting to target the problem, not create another bureaucracy or further limit individual freedoms.

What do you think?
