another excerpt from the book I'm writing on technology, terrorism, and
time at DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
firstname.lastname@example.org. If you're dying to order the book, send
mail to the same address. I'm still looking for an agent and a
publisher, so feel free to make recommendations on that score too.
Exponential technologies always seem to serve dessert first. That's why they grow exponentially. Their benefits are immediate and irresistible, so we use them in numbers that double and double again. It seems implausible at the start of that curve that they could be misused. Indeed, at the outset, people do use them mostly in good, socially responsible ways. I leave it to the philosophers whether that’s because people are basically good or because it takes time for people to figure out how to be bad with new technologies.
Whatever the reason, information technology certainly followed the same path as commercial jets. It took decades between the time the technology was first democratized and the first really frightening misuse.
Until the late 1980s, the risks of misuse were almost entirely theoretical. Computer viruses had been invented by then, but mainly just to show how they would work. It wasn’t until the mid-1980s that “wild” computer viruses began to spread from one PC to another via floppy disks. Then, in 1988, a worm caused much of the Internet to grind to a halt. For the academic and defense users who then dominated the Internet, the worm was a shock. But they relaxed when they found that the worm’s author, Robert Morris, wasn’t a spy or a criminal. He was a student, and he claimed he’d been testing a concept that got out of control.
In retrospect, what’s most notable about the malware of that era is its comparative innocence. It caused damage, sure. But it was either academic or nihilistic in purpose; it demonstrated the capabilities and perhaps the ill will of the author. It wasn’t really much of a threat, although the worst examples could destroy stored data.
Most attacks were the digital equivalent of the Plains Indians “counting coup” by striking an enemy with a stylized stick and escaping. Like coup counting, the purpose of early hacking was to humiliate, not to kill. And computer security only needed to be good enough to outfox adolescent malcontents, a task both industry and government felt fully capable of handling.
By the mid 1990s, though, the Internet had become a fully democratized place, and money had replaced showing off as a motive for hackers. Spam was the earliest form of profitable Internet crime. And when network administrators started blocking spam by refusing to accept mail from spammers’ machines, hackers found they could compromise other people’s computers in bulk, then use those machines to send the messages. If the senders of unwanted email were widely distributed, spam couldn’t be stopped by quarantining a few suspect computers. Hacking wasn't just fun any more; it could put money in the hacker's pocket.
Once underground networks of compromised machines had been assembled, it turned out that they could be used for other profitable crimes as well. If all of the captured machines could be induced to send meaningless messages to a single Internet site at the same time, the site would be unable to process all the messages. The site would falter and fail. Legitimate users would be locked out.
Such “distributed” denial of service attacks turned into a new-style protection racket. Gambling sites, for example, simply cannot afford to be unavailable in the days and hours before the Final Four basketball tourney. If a site suffers an effective denial of service attack, there was a good chance that it will pay a reasonable “security” fee just to get back on line quickly. That wasn't the only use to which criminals could put herds of zombie machines. The machines could be programmed to visit ad-supported websites and mindlessly click ads, earning illegitimate click-through fees for those sites.
But security professionals at large firms still had confidence in their defenses. Denial of service was a concern, sure, but it could usually be defeated by retaining an ISP with lots of bandwidth and an ability to filter packets quickly. Distributed spam took away one tool for discouraging spam, but there were plenty of other ways to filter unwanted mail. For most users, spam was at worst a nuisance.
But malware continued to grow more sophisticated, and it could use the Internet to spread rapidly. Several viruses in 2000 and 2001 caught large companies unprepared and forced a shutdown of their networks while the viruses were eradicated. Hackers began to find ways to intrude into important financial and military systems.
This was getting serious.
Even so, most security experts thought the plague could be contained. They blamed systems administrators who didn’t patch their systems quickly enough. Most of all they blamed Microsoft. The company had emphasized new features over security, they complained, and in its drive to be first to market it had written sloppy code. Other operating systems were said to be more secure; and many thought that relying on a variety of operating systems was inherently superior to the “monoculture” created by Microsoft.
Stung, Microsoft fought back. Bill Gates himself took on the problem. Gates was famous for his insight into the future of the personal computer. Past Gates memos had produced a profound change in Microsoft’s strategic direction, most famously when he wrenched Microsoft into the Internet age, focusing the entire company on the challenge posed by Netscape – and leading to Microsoft’s’ victory in the browser wars.
By January 2002, Gates had a new focus. He announced that security was the key to Microsoft’s future. From now on, all of its products would be built with security in their foundation: “when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.”
The memo was a call to arms. All of Microsoft’s employees were expected to bring this new focus to their jobs. In the past, that single-minded focus had enabled Microsoft to beat some of the most talented companies in the world. IBM, Lotus, WordPerfect, Ashton-Tate, Digital Research, Sun, Real, Apple, AOL, and Borland – not to mention much-feared and rarely bested Japanese electronics makers like NEC and Toshiba –all had tried to stand between Microsoft and its strategic vision of the future. Microsoft had defeated them all.
Now Microsoft was gearing up for battle again. This time, though, it only had to beat a bunch of punk hackers. That should be a piece of cake. Once it was done, a new age of online security would dawn, with Microsoft’s trusted products at the heart of every online transaction.
More than seven years have passed since Microsoft set out to beat a ragged band of hackers. The company has rewritten its operating system more or less from scratch. And its code is indeed far more secure than in 2002.
But it has not won the war. The second Tuesday of each month still brings a boatload of corrections and patches that the company must make to even its newest and most secure operating systems. By 2009, the ragged band of hackers was looking a lot more sleek and prosperous than before, and Microsoft has suffered its first revenue decline in history.
More important than Microsoft’s security failures are its
successes – and how little difference they have made. Microsoft has indeed
tightened up the operating system. But the structure of the PC world has made
that almost irrelevant. The point of the PC is the control it gives to the user
-- who can decide what applications to run -- and to the developers -- who can
create new applications quickly and easily. At the end of the day, Microsoft
must empower users and developers. And so that’s what its security approach
does. Windows Vista, for example, was famous for nagging at users to confirm
their dangerous decisions to run new code or open new attachments – so famous
that Windows 7 has had to cut back on the nagging, despite the security risks.
The one think Microsoft can’t do is forbid users to make dangerous decisions.
If Microsoft tried that, it would leave its users angry and looking for a new
operating system. The same is true for applications; Microsoft can’t require
developers to write secure code without discouraging them from writing Windows
applications. And if it does that, it loses its main advantage in the market –
the overwhelming number of applications that run only on Windows.
So, to the extent that Microsoft has succeeded, it has simply
displaced the risk. Online security is
still getting worse, but it's getting harder to blame the operating
system. Instead of exploiting the
operating system, more and more attacks exploit holes in applications. Or they
induce the user to do something he shouldn’t do.