Friday, September 10, 2010

Schneier v. Baker at the U Nebraska Cyber Conference

On Thursday, September 9th, the University of Nebraska Law School hosted its annual Space and Cyber Conference at the Newseum. The audience contained equal parts attorneys and policy folks, and included a significant Air Force presence as well as representatives from industry and civil rights groups.

In lieu of a keynote speech, the organizers arranged for a keynote conversation between Bruce Schneier and Stewart Baker of Steptoe & Johnson, formerly of DHS. Their rollicking discussion ranged over many points of agreement but helped highlight the issues where both sides have merit. Of particular note from their conversation:

  • Classification has lowered the level of discussion: Mr. Baker noted that the US government's decision to classify many of the juiciest and most persuasive facts pertaining to computer network threats has resulted in a less-informed and less urgent discussion than the issue deserves. As an example of the type of facts that are missing from the US record, he pointed to a report from the University of Toronto examining a 2010 hack of the Dalai Lama's secure communications network. (Report, Reuters article) While he didn't explicitly suggest that the US be more open about its intelligence on the state of play in the cyber domain, he did indicate that this dearth of good information in the national discussion coincides with cybersecurity's absence from the president's agenda.
  • Same dumb, much more dangerous: Mr. Schneier reiterated that, due to the "leverage" of the Internet, operational security slip-ups that 40 years ago would have resulted in compromising one person or one document can now put a whole organization at risk.
  • Cyberwar analogy: Overflights or flashmobs? While analogy is suspect, Mr. Schneier and Mr. Baker's discussion of the propriety of the term cyberwar produced a few interesting alternate takes on how aggressive actions online should map onto the real world. Schneier repeated his characterization of most cyberattacks, such as Estonia, as being largely analogous to an invading army getting in line at the DMV. This, he insisted, was not war in any recognized sense. Baker put it in graver terms, describing pervasive network intrusions as more akin to planting landmines or as F-15 overflights. If information operations could result in a military disadvantage to the victim were war to actually break out, he argued, then that groundwork itself is a threat as grave as military action. Schneier, as he did in the Intelligence Squared debate, took issue with the equivocation on the term war. Cyberwar, he insisted, was a subset--not a superset--of the broader term war. If there is no war, there could be no cyberwar. Both agreed that the potential domination of the cyber domain by a hostile force had the potential to not only severely incapacitate a nation's military but also to dramatically increase the number of civilian casualties in a conflict. Baker noted that, unlike the sea and air domains, in which combat operations generally take place well away from civilian centers, information operations by necessity take place over and amidst civilian infrastructure. It would be as if, Baker observed, a dogfight were to be joined over an airport.
  • Attribution is a Hard Problem (and it may not matter that much anyway): The difficulty of securing bomb-proof attribution on the Internet makes it very difficult to attach consequences to hostile actions. Schneier suggested that the nature of the problem made it effectively unsolvable: even the best system of attribution can only identify the computer, not the person. (As anyone who's dealt with a botted computer can attest.) Attribution, Schneier said, was effective at identifying the average user because the average user is identifiable by and as his or her machine. Professionals, on the other hand, are unlikely to be affected at all. Schneier doubted that a major overhaul of the Internet, including attribution, was possible given the amount of time and money required; there will be no do-over, he said. Baker disagreed, reasoning that a complete overhaul wasn't necessary. Instead, those who required a more disciplined network could create subnetworks with protective features rolled in. "It can be Mardi Gras every day," he said, "as long as you don't mind getting mugged occasionally."
Conference Agenda and Speakers