[Infowarrior] - Opinion: Four laws Congress needs to pass now to boost computer security

Richard Forno rforno at infowarrior.org
Thu Feb 1 20:56:31 EST 2007


Opinion: Four laws Congress needs to pass now to boost computer security
Ira Winkler
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009984&pageNumber=1

February 01, 2007 (Computerworld) Even though we have a new Congress, I
doubt that much will change with regard to computer security. While a law
related to identity theft will probably be passed in one form or another, I
expect that it will be trivial and not deal with preventing the theft of
individuals' personal information. Corporate lobbyists have proved
themselves to be too adept at manipulating members of Congress so they don't
pass laws requiring companies to be proactive, especially with regard to
security measures.

Identity theft is a symptom of poor computer security. There are two
underlying methods of identity theft: hacks of vendor computers, and
client-side attacks. Vendor hacks are the result of poor security on the
part of the vendor and often lead to the theft of thousands, or millions, of
credit card numbers, at once. The laws passed in this regard basically state
requirements that vendors have to follow once data is stolen. However, they
do not lay out computer security requirements. The hope is that if vendors
have to act if their security fails, they will try to better protect
themselves. All you have to do is browse Computerworld.com to see how well
that's working.

Congress, however, has taken no action to address client-side attacks
targeting the end user. These include phishing, keystroke logging and virus
attacks. The underlying enabler of these attacks is the bot networks that
grow unchecked. Botnets are networks of PCs that have been compromised by a
remote attacker through known vulnerabilities on the PCs. The attacker then
has the compromised PCs do his bidding without the knowledge of the PCs'
owners.

Bots send out billions of spam e-mails and their evil cousins, phishing
messages. Just as important, bots are used for distributed denial of service
attacks. DDoS attacks use thousands of computers to simultaneously send data
packets to a victim's computer to overwhelm the computer and the supporting
network infrastructure. The attackers then use the DDoS attacks to extort
money from owners of various Web sites. For example, it's common for online
gambling sites to be threatened prior to a major sporting event, where the
attacker will say, "Unless you pay me $50,000, I will take you down for a
day before the event." A successful attack could cost a good-sized gambling
site more than $1 million.

Likewise, DDoS attacks have targeted critical elements of the Internet, such
as the root DNS servers. Those attacks have crippled segments of the
Internet for periods of time. It should be expected that similar attacks
will occur in the future and will attempt to do even more damage. Frankly, I
believe that if there is a significant Internet attack, it will involve bot
networks.

So, for Congress to do anything that helps protect consumers and the
critical Internet infrastructure as a whole, it must pass laws that require
proactive processes to protect computers, not that tell people how to deal
with the resulting mess.

Here are more reasons for enacting computer security laws:

    * According to reports, the percentage of unsolicited e-mail sent out
via bot networks is in excess of 90%. Messages are also growing in size. The
number and the size of messages will only continue to grow, so you can
assume a very large percentage of Internet traffic is a result of bots.
    * From my personal observations, an unprotected computer will fall
victim to dozens of attacks an hour. This implies that botnet scans are
constant and responsible for a large volume of Internet traffic.
    * Botnet-related attacks result in billions of dollars in lost
productivity and added costs annually. ISPs and large organizations spend
billions to increase bandwidth as spam and other botnet-related attacks take
up network volume, and billions more are spent on security software and the
related hardware to prevent botnet-related attacks.

With the above in mind, the following laws are needed to at least begin to
protect businesses, consumers and the Internet itself:

1. Make ISPs (and all organizations providing computer access to more than
100 people) responsible for filtering scan and attack traffic across their
networks.

ISPs were declared "publishers" by the Child Online Protection Act. The
legal effect of this was that ISPs were found to be not responsible for the
content or intent of the data packets going across their networks. While it
may be reasonable to say that an ISP might have no clue that a JPEG file
going across its network has child pornography, thousands of ACK packets
sent instantaneously are a different story. Attack and scan traffic is easy
for ISPs to detect and block. The more scans that are blocked, the fewer
compromised systems there will be. Any increase in time to process data
packets is easily made up by the overall decrease in the amount of network
traffic.

2. Make ISPs (and all organizations providing computer access to more than
100 people) responsible for knocking customer PCs off their network if they
become bots.

Any system that is clearly behaving as a bot should be immediately logged
off a network. An end user who starts flooding the network with tens of
thousands of e-mail messages, or who starts to send hundreds of thousands of
DoS packets, is clearly compromised or otherwise abusing privileges. It is
blatant and therefore easy to spot. More important, it is easier to identify
and stop offending traffic at the source than for a victim under attack to
identify and contact the appropriate administrators to stop the attacks.
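As an added illustration of the source-side behavioural check that law 2 assumes, here is a small Python detector over constructed flow records (example code written for this page, not from the article or any ISP). It flags a customer host that contacts an unusual number of distinct mail servers in one window, or that pushes a packet flood at a single target; the thresholds, addresses and window size are assumptions chosen for illustration.

```python
# Added example, not from the article: a toy ISP-side "is this customer
# behaving like a bot?" check over flow records (timestamp_s, src_ip,
# dst_ip, dst_port, packets). All values below are constructed.
from collections import defaultdict

# Thresholds are assumptions for illustration, not figures from the article.
SMTP_DISTINCT_DEST_LIMIT = 50     # distinct port-25 destinations per window
PACKET_RATE_LIMIT = 100_000       # packets to one destination per window
WINDOW_S = 60                     # aggregation window in seconds

# Constructed sample traffic: one ordinary user, one spam-sending host that
# touches 60 different mail servers in a minute, and one host that sends
# 150,000 packets to a single target inside one window.
SAMPLE_FLOWS = (
    [(5, "10.0.0.2", "198.51.100.10", 443, 40),
     (12, "10.0.0.2", "198.51.100.20", 25, 6)]
    + [(t, "10.0.0.7", f"192.0.2.{i}", 25, 3)
       for i, t in enumerate(range(0, 60), start=1)]
    + [(70 + i, "10.0.0.9", "203.0.113.5", 80, 30_000) for i in range(5)]
)


def classify_sources(flows, window_s=WINDOW_S):
    """Return {src_ip: set(reasons)} for sources that look bot-like in any
    window; sources with no reason are omitted."""
    smtp_dests = defaultdict(set)   # (src, window) -> distinct port-25 dsts
    pkts = defaultdict(int)         # (src, window, dst) -> packets sent
    for ts, src, dst, port, n in flows:
        w = ts // window_s
        if port == 25:
            smtp_dests[(src, w)].add(dst)
        pkts[(src, w, dst)] += n

    verdict = defaultdict(set)
    for (src, _w), dests in smtp_dests.items():
        if len(dests) > SMTP_DISTINCT_DEST_LIMIT:
            verdict[src].add("spam-burst")
    for (src, _w, _dst), n in pkts.items():
        if n > PACKET_RATE_LIMIT:
            verdict[src].add("flood")
    return dict(verdict)


if __name__ == "__main__":
    for src, reasons in sorted(classify_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: candidate for quarantine ({', '.join(sorted(reasons))})")
```

A real deployment would key on subscriber rather than IP and add a grace period and notification before access is cut, but the per-source, per-window shape of the check is the point.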

3. Make end users liable if losses are incurred because of outdated security
software.

We cannot push all requirements to the ISPs. End users who leave their
computers vulnerable to being controlled by others are also at fault. All
PCs connected to the Internet should have the latest patches installed, as
well as updated firewall, antivirus and antispyware software. While these
tools won't prevent everything, they can decrease a computer's
susceptibility to compromise exponentially. Those who fall victim to an
attack because they don't have the appropriate software and updates would be
financially responsible for their own loss and potentially the loss they
cause others. Just as individuals are legally required to keep their cars in
safe condition to protect others on the road, they should be required to
keep their computers safe to protect others on the Internet.

4. Write some kind of law concerning efficient security software.

I have been wrestling with how to word this one. A law like this is
especially important if people are required to install and run security
software. People have uninstalled their antivirus and antispyware software
because it brought their systems to a crawl. Security software vendors must
make performance a critical feature of their software.

While there are other laws I could recommend, these are the most fundamental
and easy to implement. I know there may be criticisms. For example, some
smaller, and even larger, ISPs and organizations will say they can't afford
the software and staffing needed to kill end-user access as required. First,
these companies are already spending money to provide bandwidth for all of
the malicious traffic. Second, if they can't afford to protect their network
properly, they shouldn't be in that business.

That is probably the key point. Can you imagine a trucking company saying
that highway safety laws shouldn't be enacted because that would be too
expensive? Likewise, can you imagine a private citizen saying that he
doesn't want to properly maintain a car's safety? Of course not, as they
would be endangering the safety of others. If people want to have access to
the Internet, or financially profit from it, they should likewise be
required to take precautions so that they don't endanger others.

All of the current regulatory discussions in Congress and local legislatures
generally involve identity theft and are in reaction to the current hype.
They are also reactionary in their effects in that they deal with what to do
after information is stolen, and not with the fact that the thefts should
have been prevented in the first place. Most important, they do not
fundamentally improve security. We need laws that are proactive in
preventing identity theft and all other likely attacks. These proposed laws
go a long way in doing so.

Ira Winkler is president of the Internet Security Advisors Group. He is a
former National Security Agency analyst and author of Spies Among Us (Wiley,
2005).