We certainly have come a long way since the first computer virus was created in Lahore, Pakistan in 1986. Today, some experts believe that a majority of all new software releases around the world involve malicious code — “malware” — designed to compromise or corrupt the functioning of information systems. Policymakers decry this rampant criminality, but they are speaking to a public that is partly responsible for the problem. Not only do many internet users fail to take the most elementary steps to protect themselves from exploitation by on-line criminals, but disregard for the law has become part of the user’s ethos on the Worldwide Web. For instance, it is a rare teenager who has not downloaded pirated music or videos.
Government policies for dealing with cyber dangers seem to be grounded in the belief that we can curb internet criminality without limiting the freedom of everyday users. That view is not supported by our national experience with other social problems. The reason crime was rampant during Prohibition was that millions of U.S. citizens insisted on buying and consuming alcohol, creating a vast market for organized criminal gangs to serve. The reason every major city along Mexico’s northern border is awash in drug violence is because millions of U.S. citizens defy state and federal laws to buy illicit drugs. The reason illegal migrants continue to cross the border in droves is because millions of U.S. citizens are willing to hire them and pay wages better than can be obtained in Mexico.
The lesson here for policymakers is that we can’t reasonably expect to get control of the criminal element operating in cyberspace unless typical users change their behavior. Most of the major penetrations of government networks result from careless computer users reaching out into the internet and coming back with something unsavory. For instance, one hapless employee at a defense company was using a peer-to-peer file sharing system to trade music on the Worldwide Web, and the end result was that the electronics architecture for the presidential helicopter popped up on a server in Teheran. A few careless workers at the federal nuclear facility in Oak Ridge, Tennessee opened seemingly innocuous emails from strangers and thereby enabled criminals to thoroughly penetrate their network.
Obviously, the challenge of curbing illicit on-line activity is made worse by the anonymity of the internet. But even the most cleverly disguised message needs some mode of entry into a target network before it can cause damage. So the real issue is controlling the traffic moving through portals, a problem that is exacerbated by the propensity of users to surf the web and freely engage in on-line socializing. Take the case of Securities and Exchange Commission employees who downloaded thousands of pornographic images during the recent financial crisis; if agency filters let all those images into their network, then other things like spyware may have entered at the same time.
Raytheon, a leading cyber-security provider, has concluded the difficulty of controlling such penetrations is so great that more effort needs to be put into trapping intruders once they are inside. In a recent paper, company chief information strategy officer Jeff Brown endorsed a strategy to “detect, disrupt, and deny [the] attacker’s command and control (C2) communications back out to the network.” This unconventional approach compensates for the failure of many users to discipline their on-line activities. But the larger reality is that we will not be able to defeat cyber threats unless we change our attitude that the internet is a friendly place where there are no rules.