This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts." (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles are welcome, either in the comments section or by email: [email protected]. If you're dying to order the book, send mail to the same address. I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too.
--Stewart Baker
Exponential technologies always seem to serve dessert first.
That's why they grow exponentially. Their benefits are immediate and
irresistible, so we use them in numbers that double and double again. It seems implausible at the start of that
curve that they could be misused. Indeed, at the outset, people do use them
mostly in good, socially responsible ways. I leave it to the philosophers
whether that’s because people are basically good or because it takes time for
people to figure out how to be bad with new technologies.
Whatever the reason, information technology certainly followed the
same path as commercial jets. It took decades between the time the technology
was first democratized and the first really frightening misuse.
Until the late 1980s, the risks of misuse were almost entirely
theoretical. Computer viruses had been invented by then, but mainly just to
show how they would work. It wasn’t until the mid-1980s that “wild” computer
viruses began to spread from one PC to another via floppy disks. Then, in 1988,
a worm caused much of the Internet to grind to a halt. For the academic and
defense users who then dominated the Internet, the worm was a shock. But they relaxed when they found that the
worm’s author, Robert Morris, wasn’t a spy or a criminal. He was a student, and
he claimed he’d been testing a concept that got out of control.
In retrospect, what’s most notable about the malware of that era
is its comparative innocence. It caused damage, sure. But it was either
academic or nihilistic in purpose; it demonstrated the capabilities and perhaps
the ill will of the author. It wasn’t really much of a threat, although the
worst examples could destroy stored data.
Most attacks were the digital equivalent of the Plains Indians
“counting coup” by striking an enemy with a stylized stick and escaping. Like
coup counting, the purpose of early hacking was to humiliate, not to kill. And
computer security only needed to be good enough to outfox adolescent
malcontents, a task both industry and government felt fully capable of
handling.
By the mid-1990s, though, the Internet had become a fully
democratized place, and money had replaced showing off as a motive for hackers.
Spam was the earliest form of profitable Internet crime. And when network
administrators started blocking spam by refusing to accept mail from spammers’
machines, hackers found they could compromise other people’s computers in bulk,
then use those machines to send the messages.
If the senders of unwanted email were widely distributed, spam couldn’t
be stopped by quarantining a few suspect computers. Hacking wasn't just fun any more; it could
put money in the hacker's pocket.
Once underground networks of compromised machines had been
assembled, it turned out that they could be used for other profitable crimes as
well. If all of the captured machines could be induced to send meaningless
messages to a single Internet site at the same time, the site would be unable
to process all the messages. The site would falter and fail. Legitimate users
would be locked out.
Such “distributed” denial of service attacks turned into a
new-style protection racket. Gambling sites, for example, simply cannot afford
to be unavailable in the days and hours before the Final Four basketball
tourney. If a site suffers an effective denial of service attack, there is a
good chance that it will pay a reasonable “security” fee just to get back on
line quickly. That wasn't the only use
to which criminals could put herds of zombie machines. The machines could be programmed to visit
ad-supported websites and mindlessly click ads, earning illegitimate
click-through fees for those sites.
But security professionals at large firms still had confidence in
their defenses. Denial of service was a concern, sure, but it could usually be
defeated by retaining an ISP with lots of bandwidth and an ability to filter
packets quickly. Distributed spam took away one tool for discouraging spam, but
there were plenty of other ways to filter unwanted mail. For most users, spam
was at worst a nuisance.
But malware continued to grow more sophisticated, and it could use
the Internet to spread rapidly. Several viruses in 2000 and 2001 caught large companies unprepared and forced a
shutdown of their networks while the viruses were eradicated. Hackers began to
find ways to intrude into important financial and military systems.
This was getting serious.
Even so, most security experts thought the plague could be
contained. They blamed systems administrators who didn’t patch their systems
quickly enough. Most of all they blamed Microsoft. The company had emphasized
new features over security, they complained, and in its drive to be first to
market it had written sloppy code. Other operating systems were said to be more
secure; and many thought that relying on a variety of operating systems was
inherently superior to the “monoculture” created by Microsoft.
Stung, Microsoft fought back. Bill Gates himself took on the
problem. Gates was famous for his insight into the future of the personal
computer. Past Gates memos had produced a profound change in Microsoft’s
strategic direction, most famously when he wrenched Microsoft into the Internet
age, focusing the entire company on the challenge posed by Netscape – and
leading to Microsoft’s victory in the browser wars.
By January 2002, Gates had a new focus. He announced that security
was the key to Microsoft’s future. From now on, all of its products would be
built with security in their foundation: “when we face a choice between adding
features and resolving security issues, we need to choose security. Our products
should emphasize security right out of the box, and we must constantly refine
and improve that security as threats evolve.”
The memo was a call to arms. All of Microsoft’s employees were
expected to bring this new focus to their jobs. In the past, that single-minded
focus had enabled Microsoft to beat some of the most talented companies in the
world. IBM, Lotus, WordPerfect, Ashton-Tate, Digital Research, Sun, Real,
Apple, AOL, and Borland – not to mention much-feared and rarely bested Japanese
electronics makers like NEC and Toshiba – all had tried to stand between
Microsoft and its strategic vision of the future. Microsoft had defeated them
all.
Now Microsoft was gearing up for battle again. This time, though,
it only had to beat a bunch of punk hackers. That should be a piece of cake.
Once it was done, a new age of online security would dawn, with Microsoft’s
trusted products at the heart of every online transaction.
More than seven years have passed since Microsoft set out to beat
a ragged band of hackers. The company has rewritten its operating system more
or less from scratch. And its code is indeed far more secure than in 2002.
But it has not won the war. The second Tuesday of each month still
brings a boatload of corrections and patches that the company must make to even
its newest and most secure operating systems. By 2009, the ragged band of
hackers was looking a lot more sleek and prosperous than before, and Microsoft
has suffered its first revenue decline in history.
More important than Microsoft’s security failures are its
successes – and how little difference they have made. Microsoft has indeed
tightened up the operating system. But the structure of the PC world has made
that almost irrelevant. The point of the PC is the control it gives to the user
-- who can decide what applications to run -- and to the developers -- who can
create new applications quickly and easily. At the end of the day, Microsoft
must empower users and developers. And so that’s what its security approach
does. Windows Vista, for example, was famous for nagging at users to confirm
their dangerous decisions to run new code or open new attachments – so famous
that Windows 7 has had to cut back on the nagging, despite the security risks.
The one thing Microsoft can’t do is forbid users to make dangerous decisions.
If Microsoft tried that, it would leave its users angry and looking for a new
operating system. The same is true for applications; Microsoft can’t require
developers to write secure code without discouraging them from writing Windows
applications. And if it does that, it loses its main advantage in the market –
the overwhelming number of applications that run only on Windows.
So, to the extent that Microsoft has succeeded, it has simply
displaced the risk. Online security is
still getting worse, but it's getting harder to blame the operating
system. Instead of exploiting the
operating system, more and more attacks exploit holes in applications. Or they
induce the user to do something he shouldn’t do.
Or both...
Probably already know this, but there's a slight typo in this line:
"The one think Microsoft can’t do is forbid users to make dangerous decisions."
Posted by: Brian D. Coryell | Jan 05, 2010 at 11:10 AM
Thanks, Brian. I did finally catch that.
Posted by: Stewart Baker | Jan 06, 2010 at 12:10 AM
hello mr. coryell, if you are who i think you are i have been searching for you so i could apologize to you for the way we parted. after almost losing my life to a brain aneurysm, i have decided to try to make things right with everyone whom i have wronged. again, i apologize. sue(schramm)bradbury.
p.s. i am no longer married and i am a grandma.
Posted by: Susan Bradbury | Apr 26, 2010 at 06:35 PM