Is vulnerability an objective?

By: Scott Bradner

I ended last year with a death-of-the-Internet column, I'm starting off the new year with a death-via-the-Internet one. I spent time over the holiday reading "America the Vulnerable" by Joel Brenner. This is an activity that I recommend to anyone who does not mind a few sleepless nights.

Joel Brenner served as the head of counterintelligence for the director of National Intelligence so he has reason to actually know what kind of threats the US is under but, due to his previous government position, he is limited in what he can say to information already made public. Thus, he needed to provide public documentation to back up what he wanted to write about. The book has 38 pages of references of that public documentation. I shudder to think of what Mr. Brenner knows about active threats that he was not able to write about due to not being able to find a public document that disclosed the threats.

No doubt about it, we are exposed. Data about us as individuals is everywhere and totally out of our control; critical corporate data is wide open to everyone in the corporation, and too frequently, just to everyone; Internet service providers ignore compromised customer computers; utilities put the controls for their key systems directly on the Internet "protected" by security systems that would embarrass a maker of windup toys; the "best" security companies around have been breached and information about, or protecting, tens of thousands of their customers has been stolen; and our economic and political adversaries are getting good -- very very good -- at exploiting these conditions.

Mr. Brenner details all of the above issues in great, and frightening, detail and includes some suggestions as to what government could do to mitigate some of the issues but I'll only explore a few of them here.

ISPs generally know when their customer's computers get infected and become botnet slaves yet almost never let those customers know that they are toasted - maybe they should be required to let those customers in on the secret.

Electric utilities too often put the controllers for their power generators, most of which have laughable security protections, directly on the Internet because it is convenient for their technicians -- it is also convenient for remote hackers who might like to install software that could destroy the generators when it was convenient for the hacker. (see The Aurora Project http://www.youtube.com/watch?v=rTkXgqK1l9A) Mr. Brenner has an all too feasible scenario in the book of a future where a Chinese government blackmails the US by destroying a few power generators as a demonstration of what they could do. (Note that the US no longer builds this type of big generator, we buy them from the Chinese.) Maybe it should be against the law, with criminal penalties, to connect such controls to the Internet.

Why does just about everyone in your organization have direct access to just about all the company secret files? There is no reason that the person in the mailroom or, in most cases, the company president, should have such access. Take a look at Wikileaks to see what goes wrong when there is too indiscriminate access. (http://www.networkworld.com/columnists/2010/120110-bradner.html)

The basic message of America the Vulnerable is that we are, almost willfully, handing our secrets, our economy and our future over to those who would do us harm. There are things we, as a country, as employees and as individuals to reduce the threats but we better get a move on or it will be too late. (It is too late in many cases, including the technology used to quiet submarine propellers.)

disclaimer: I had the privilege of attending a Harvard seminar with Mr. Brenner but the above book, and situational, report is mine - not the university's.