As the Internet’s power grows — dominating our public discourse and driving deeper into every industry and commercial realm — it becomes a bigger target. As the key platform of our knowledge economy, it invites mischief, or worse.
Most digital citizens know the hassles and even dangers of viruses, phishing, and all manner of mal-ware. But cybersecurity is a much broader and deeper topic, and will grow ever more so. The Center for Strategic and International Studies published a good report on December 8 detailing the threats and offering recommendations to “the 44th Presidency.” CSIS suggested a number of specific actions, among them:
(1) a comprehensive national strategy; (2) that the White House lead the effort; (3) that we “regulate cyberspace”; (4) that we authenticate identities; (5) modernizing old laws not suited to the digital networked world; (6) building secure government systems; and (7) not starting over, given what they saw as the previous administration’s productive start.
Yesterday the Senate Commerce Committee moved the ball forward with a hearing on the topic, including the head of the CSIS study James Lewis, nuclear engineer Joseph Weiss, cyber-guru Ed Amoroso of AT&T, and Eugene Spafford of Purdue University’s Center for Education and Research in Information Assurance and Security — better known by its brilliant acronym, CERIAS.
I say better known, but I had never heard of CERIAS, which is in West Lafayette, just 50 miles up the road from my home outside Indianapolis. Spafford told the committee that his Purdue program had produced a quarter of the only 400 or so cybersecurity Ph.D.s educated in the U.S. over the last decade (and a big percentage of that number returned abroad after completing studies). So clearly, many of us who know a little about cybersecurity don’t know nearly enough. And it appears the U.S. doesn’t know enough. I recall a conversation in Beijing with long-time Princeton professor Andy Yao, now head of Tsinghua University’s computer science department and a world-leading cryptologist, in which he lamented that the U.S. would not let many of China’s best cryptography and security experts come study in America, with the hope of retaining them so they might become our experts. But that’s another story for another day. After reading last winter’s CSIS report and yesterday’s testimony, however, it’s clearly time to get, well, serious.
Spafford’s job is to imagine worst-case scenarios. So the normal disclaimers about self-interest, grains of salt, and axes to grind might apply. Nevertheless, I found this comment jolting:
There is a common misconception that the primary goal of intruders is to exﬁltrate information or crash our systems. In reality, clever adversaries may simply seek to modify critical applications or data so that our systems do not appear to be corrupted but fail when relied upon for critical functions — or worse, operate against our interests.
Ed Amoroso focused on sophisticated “botnet” attacks, like the one that crippled Estonia two years ago, and then supplied a daunting economic metric:
Last year the FBI announced that revenues from cyber-crime, for the first time ever, exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping more than $1 trillion annually in illicit profits.
As the Internet grows in importance, undergirding every crucial function of our economy — and democracy — these numbers and threats will grow. Confirming my own research projecting the growth of the Internet, Amoroso testified that his networks transport
more than 17 Petabytes a day of IP data traffic, and we expect that to double every 18 months for the foreseeable future.
Seventeen petabytes a day — that’s close to the monthly traffic of the entire Internet in the year 2000. As the Internet and the focus on cybersecurity expand and evolve, I’ll be surveying the array of technologies and policies needed to secure this fundamental global asset.
UPDATE II: A worldclass cyber-guru tells me the Chinese state is too sophisticated to be the culprit in this case.