Not too many years ago, conversations about our nation's critical infrastructure would have revolved around the Interstate Highway System or the television and radio broadcast networks. Not so long before that, the same conversation would have centered on railroads. Times certainly change, and while we haven't abandoned many of the transit and distribution systems of the last century, we've become dependent on new ones, like the Internet.
Because of the Internet's recent elevation to critical-infrastructure status, it is now the subject of a new national policy debate about how to secure it. This is a result of the increased awareness of security following the terrorist attacks of September 11 last year. Internet security and stability is now a key responsibility of the fledgling Department of Homeland Security.
The focus of the current security debate is a new draft policy document called "The National Strategy to Secure Cyberspace" (www.whitehouse.gov/pcipb/). It was prepared by the President's Critical Infrastructure Protection Board, a group of government and private sector heavyweights appointed by President Bush to examine the state of network security today and to make recommendations for improvement.
In the crisis that sparked the review though, the Internet actually outperformed other systems. Shortly after four hijacked airplanes brought tragedy to the lives of thousands, the telephone systems of New York and Washington became overloaded. Friends and family found only busy signals when trying to make important connections. Those fortunate enough to have email or a weblog, however, were able to communicate with friends, family, even strangers over the Internet. At a time of crisis, the network performed according to its design.
Then why target the Internet for review?
Spoofing
In spite of a design that is supposed to withstand nuclear war, the current security focus isn't about how to keep the Internet running, but how to ensure that critical parts of it don't fail. While the Internet's distributed nature means that two working computers can usually communicate, a distributed system provides no protection for a single node. Each computer connected to the Internet is responsible for securing itself. How to do that is largely the focus of the new report.
The study's authors have a good understanding of connection perils. Not only can a computer be attacked by a malicious party, but computers can be converted into unwitting accomplices in those attacks. These "zombies" are used to launch denial of service attacks and send spam. Viruses can slow the overall performance of the Internet, not to mention the havoc they can wreak with individual systems. The ability to spoof identity creates problems of fraud and identity theft.
The government strategy document appreciates that these problems place a real burden on individuals and companies that rely on the Internet, as well as a burden on our national budget. So how does the government propose to address this? It's going to place a different kind of burden on all of us: the burden to secure our own systems.
Public-Private Partnership
While the government can dictate certain behaviors from companies with which it has an established regulatory relationship, its sway over the Internet is less certain.
Even if the government could coerce operators of the Internet's private systems to behave in a certain way, we don't yet have a model for governmental supervision. From its beginnings, legislators have been told to keep their hands off the Internet and, with a few notable exceptions, they've largely listened. Compared to telecommunications and broadcast communications, Internet traffic is still relatively unregulated.
The remarkable thing about the government's initial approach to "securing cyberspace" is that its first impulse wasn't to pass a set of new laws. That's pretty extraordinary all by itself. The policy paper calls for a "public-private partnership" to solve the problems of security and cyberspace, and the focus of that partnership is to develop a set of best practices. This may well be the government's most thoughtful approach yet to directing conduct on the Internet.
