Posted on February 16, 2011 at 1:31 pm

Why the US Government can’t, and shouldn’t, try to govern the Internet.

There’s been an alarming amount of “cybersecurity” legislation here in the US lately, in the same fear-mongering, ill-advised tune that got us the entire DHS and the almost universally loathed TSA. The problem, as I see it, is members of Congress trying to govern something that they firstly do not understand, and secondly, are not a part of. By and large the government (and even the public in general!) uses the internet, but did not build it, does not understand it, and really isn’t even part of it. Simply disconnecting a site, node, network, router, or anything else, does not make it automatically safe. And by the time any sort of government action comes down the “cybersecurity” pipeline to do that, it’s probably too late, and will actually cause FAR more harm than good.

The Internet is its OWN governing body. Within that entity there are many other parts and pieces: RIPE, ARIN, IETF, IANA, IAB, AfriNIC, APNIC, LACNIC, NANOG, the RFC Editor, the list goes on. There are many entities that govern the internet, or at least aspects of it. If the US Government makes it harder for any of those entities, or their constituents (Verizon, Verio, Google, Yahoo, NTT, Level3, 360 Communications), to participate in the larger entity of the internet, then they will leave, and US citizens will suffer, as we already do: ridiculously expensive internet communications costs, and a lack of availability in some areas still, for example. It will be EXACTLY what happened with the US manufacturing industry; in fact it is already starting to happen.

The Internet is not some single unit under the thumb of the US Government. It is an entity, in all reality a governing body, a nation, in and of itself, with constituents in each and every nation, each and every district, city, county, and state. If the US Government tries to restrict the constituents of the Internet that live, work, and/or do business within its geopolitical boundaries, then those entities WILL suffer, and many will go elsewhere. The Internet is fundamentally different from manufacturing in that in order to exist we have to work together. My network, those of my neighbors, and so on. My servers, your web browser, everything. It is the nature of the beast. And it will not exist under the control of external entities. It simply can’t.

Most, if not all, canned security tests come down to what is often called security theater. Security relies on a chain, and in some ways on layers, but it’s much more like a chain: the weakest link will be the break. Take, for instance, the TJ Maxx debacle. PCI DSS (Payment Card Industry Data Security Standard), or whatever Visa and the other credit card processors are calling it nowadays, is supposed to prevent this sort of thing. Anyone in the industry will tell you almost all of their tests are meaningless security theater. They do almost nothing to actually protect data. PCI DSS has even been accused of making security worse, because it often creates a false sense of security: you can only test for and look for KNOWN problems. Since security is only as strong as its weakest link, PCI DSS and other similar tests can only ever adequately look at the very last link in the chain, the known weaknesses.

The tools, techniques, and ideas of physical security often do not translate to the digital world. In physical security the attacker’s tools are crowbars, explosives, cutting tools, lockpicks, things like that. They all require that the attacker physically move to the area being attacked. In the digital world the tools are the bit and the byte. Infinitely simpler, but also infinitely more complex. A security scanner can only look around the outside of the building and check for things it knows to be insecure. What it can’t do, and often does not even bother to do, is check the majority of the NORMAL routes of ingress and egress. Having a web server is like having an 8-lane highway into and out of your server. ANYTHING can come or go over that, so protection at the border is NEVER enough. You have to look at how every part handles the data that comes in and goes out. And even then you’re likely to only be able to look for things that are known to be problems; novel attacks often make use of what look like innocuous or non-threatening avenues of approach, at least until they’re used against you.

It is, and really must be, the individual entity’s responsibility to actually ensure its own security. You can’t just drop a steel gate in front of the 8-lane highway either; they’ll find a way under or around it, or just bomb the whole damn thing into oblivion. Obscuring or hiding security problems does NOT help on the Internet. In order for others to be aware, and to secure themselves, they have to be informed. If you have no idea that that “pool of water” is actually highly acidic, or has a cloud of sulfur dioxide hanging around it, you might jump in, and then be dead, or at least badly injured. Being informed is the only way. You can certainly do things to help mitigate some risks, but in the end EDUCATION is the answer. Organizations like SANS that teach real-world security and concepts are the way to improve “cybersecurity”, not legislation. The US Government would do far more for “cybersecurity” by spreading around 500+ million to the likes of SANS than it could EVER hope to accomplish by any form of “kill switch”.

The ONLY thing the “kill switch” and similar “cybersecurity” legislation does is create a political knob that WILL be abused, intentionally or by ignorance. Take for instance FreeDNS getting shut down because some pencil pusher doesn’t know what a server is, much less DNS. Tens of thousands of innocents were hurt by that one.

Hell, honestly, governments should be answering to the Internet as an entity/government/nation, NOT the other way around.