The Internet Isn't 'Critical Infrastructure'
from the cyber-hysteria dept
A new report (PDF, via Slashdot), by a security analyst named Gadi Evron, analyzes the recent Estonian "cyber-attacks" and makes recommendations about how to deal with such attacks in the future. While it makes some good suggestions, it also rather dramatically overstates the nature of the threat. For example: "The Estonian authorities need to revise some of their former preconceptions and define the Internet as critical infrastructure, equally strategic to national security as its electricity grid and water supply." This is rather silly. If the water supply is cut off, people can die of thirst or sanitation problems. If the electricity grid fails, it can lead to the death of old people dependent on their air conditioners or medical devices. If the Internet fails, it's a big headache for a lot of people, but it's unlikely to be a life-threatening emergency.
The report points out that some mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that's true, the lesson of the Estonian attacks isn't that the Internet is "critical infrastructure" on par with electricity and water, but that it's stupid to build "critical infrastructure" on top of the public Internet. There's a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea. The Internet's architecture is optimized to be cheap and ubiquitous; such a network is never going to be perfectly secure or reliable. There are too many botnets, incompetent administrators, and other problems on the Internet. And so transactions that absolutely have to be done correctly and on time need to be done on a dedicated network, or at least the people doing them need to have a backup plan in case the Internet has problems.
But the report takes the opposite approach, essentially concluding that because people do important things on the Internet, the Internet needs to be treated as an essential national security asset. This reaches absurd lengths when Evron writes that because attacks often originate from botnets consisting of compromised personal computers, "personal computers need to be reprioritized and considered as critical infrastructure." He doesn't discuss what that means in any detail -- maybe they can post soldiers with automatic weapons outside peoples' home offices. Evron concedes that "the attacks in Estonia did not hurt critical infrastructure, energy, and transportation," but nevertheless insists that "an Internet-staged attack on energy could easily disrupt entire supply and distribution chains, prompting severe shortages." He never elaborates on how that would work, but if he's right, the solution is to do a better job of separating critical infrastructure from the public Internet.
Wide-scale cyber-vandalism is a real problem, and it's good to be talking about ways to respond to it more effectively. But we need to keep a sense of perspective. Launching a distributed denial-of-service attack -- even a really big one -- is nothing like conventional warfare or a terrorist attack. Terrorism and warfare lead to massive loss of life and destruction of property. Internet vandalism rarely involves more than a few hours' inconvenience and lost productivity. That's certainly something we should try to prevent, but we shouldn't blow it out of proportion.