Day 4 Predictions
Amanda: I am very interested to hear Chuck's take on the relationship between the government, large corporations like Microsoft, and the defcon-attending hacker community (like the L0pht group mentioned in the Wired article). Is the government receptive to both groups? I imagine the relationship specifically between the hacker community and the government can become tense because the interests of both groups is not exactly aligned and is sometimes conflicting. Have they been able to successfully work together around a common threat like cybersecurity? While I imagine the government often tries to recruit from the hacker community, and I'm interested to hear where they draw the lines legally as far as subversive behavior within the hacker community (ie do they bend the rules for the sake of potential advances in cybersecurity?).
- Of course there are great advances yet to be made in the relationship between white-hat hackers and corporations like Microsoft. Skepticism abounds from both sides for obvious reasons, as well as entrenched interests and preconceptions based on past interactions ("Hackers are simply criminals", or on the other side "Microsoft is The Man").
- Tyler: To follow up on the above predictions, I am interested in hearing Chuck describe what he feels is the proper balance between government and private corporations dealing with cybersecurity. This may be an actual allocation of roles, or more of a question about how much of private industry's culture of innovation and rapid change can be transplanted into the government. Professor Goldsmith painted a picture where the government is not, and is unable to, secure the cyber-interests of the United States so when we hear that 90% of US military traffic runs through private networks, are we shocked that this number is so high or that it is not closer to 100%?
- Elisabeth: I'm also interested in exploring this idea of transplanting "the private industry's culture of innovation and rapid change" into government. When I read government documents, I'm struck by how little they actually say--there's a lot of forming a vision to have a strategic plan to nurture partnerships that draw on core competencies. On the other hand, I was impressed by the number of actual ideas that David Clark and the participants in the Centra Technology Cyber Compendium proposed. How can the government provide the resources and permission for private companies (or actors?) to start actually trying out these ideas, instead of having everything devolve into meetings about process? (see the Cyber compendium doc, starting on page 87, for some more musings on these questions.)
Vickie: I'm going to dovetail from Amanda's comment and say that I think Chuck is going to speak more specifically about the ID program he was talking about the other day as a possible solution to cybersecurity. Just as in the Wired article - identification solves a large percent of the problem, mostly through accountability. However, this seems too Orwellian for my blood. Unlike a passport that is shown in person - a computer ID is never going to be checked person to person. The computer will always be the intermediary. Moreover, this type of program may deter people from doing things on the Internet that they normally would do - if it wasn't anonymous. Visit certain political sites, fetish sites etc. etc. At what point is our fear balanced by our need for an Internet that is not being surveyed.
Sheel: I'm interested in hearing about the BGP/Secure BGP with ASes vulnerability mentioned in the Wired article. This is something that Microsoft should have, and probably does have, on their radar; after all, what would happen if a bunch of Hotmail customers had their private emails routed to other ISPs, or delivered to the correct ISPs after making stops at non-secure locations. My guess is that Chuck recognizes the problem and that Microsoft is taking action, but doesn't know what exactly is being done/could be done technically using Microsoft's clout.
- Ramesh: I wonder what Chuck would say are the benefits to anonymity on the internet, and whether they are outweighed by the security risks. It seems like there could be a creditable argument saying just that. Also, I wonder about problems in scaling up ID programs -- one would assume that many countries would not participate, but if desirable content could only be accessed by an ID, perhaps consumers would then demand their nations also issue internet IDs.
- Elisabeth: easier IDing creates problems specifically in repressive political regimes, and would make GNI's work more difficult.
Hector: Some of Chuck's points from his remarks on Tuesday that stuck with me most were the strengthening of internet identification and alternative networks that use something else than TCP. I hope that he elaborates on the possible applications of the latter.
Lien: I'm very interested to hear (i) what Chuck thinks the biggest cybersecurity risk is that Microsoft and other simular major private companies face and (ii) how the company is prepared for attack on its system and will react on it. I however predict he's not gonna answer that question...
Reuben: On Tuesday we spent a great deal of time on the attribution problem of cybersecurity which is related to deterrence and retaliation. I'd like to hear more about that, but I'd also like to hear about how we shore up our own defenses and incentivize security. I'll be interested to hear who Chuck thinks should be responsible for security. There is a dilemma for a company like Microsoft that may not want to have the burden of cybersecurity thrust upon them, but may also resist government mandates and control. I think Chuck will probably recognize that both public and private sector have a role to play, but he will emphasize the need for government to provide more leadership in the area.
- Daniel: If Chuck details public and private strategies, I expect him to talk much more about what Microsoft has proposed to other industry players than about governmental talks. My guess is that he will also reiterate a preference for diplomatic cooperation between firms, stressing the limitations of naming and shaming (as with GNI, when nobody discussed the tainted past of the companies that were not present on Tuesday). Finally, I would bet a lesser amount on his discussing long-term solutions for users to be more aware of security risks and more reactive to perceived security flaws / reports that do not harm primarily that specific user.
Jason: Especially since we have already had some discussion on the security issue, I think the class will be able to offer some interesting solutions for problems that exist pretty high-up in the stack, like user behavior, software, ID schemes, and other things that happen at the end node. But I predict that we'll be somewhat flummoxed about what's going on and what to do about the fundamental nature of the network, like the implications of the stuff that Clark was talking about in his talk that we listened to. I certainly am - though hopefully we'll make a bit of headway in class.
Michael: Though not quite a prediction, I would like to hear Chuck's thoughts on whether cybersecurity issues can be solved incrementally or whether there needs to be a comprehensive scheme to take care of many problems at once. We touched on this question on during the second class, but it never really got answered. My guess is that Chuck will say comprehensive change is impractical and the internet will have to continue to rely on the procrastination principle.
Andrew: Another leftover question from Tuesday is JZ's Wikipedia-esque solution at the logical layer--implementation of bottom-up stuff like ad hoc mesh networking rather than top-down "perimeter defense", and the transformation of the security problem into a question of numbers (do the people who are passionate about the network succeeding outnumber those who are passionate about its failure). (Hopefully I didn't botch the paraphrase). Neither Jack nor Chuck responded directly to these ideas; perhaps Chuck will today.
Juan: I would like to hear what are the roles of different parties to address the problem? How can the parties work collaboratively to approach this problem? How can the hacker resources be used efficiently to solve this problem? e.g. use white-hat hackers to hunt down black-hat hackers. What incentives can be given to ISPs and vulnerable site owners to create secured internet and secured websites?
- Daniel: How much should government / companies provide incentives to individuals joining the fight? What happens in the aftermath of white-hat / black hat hacker wars? Is defection to the bright side more likely to happen than defection of now-trained hackers to cybercrime?
Franny: Following Hector's train of thought, I think Chuck will expand on how addressing the attribution problem with "Internet drivers licences" will help ameliorate (if not resolve) many cybersecurity problems. Of particular interest, I hope Chuck will discuss implementation strategy - would it be possible to achieve this goal through economic pressure, or is internationally harmonized government involvement necessary?
Bruno: I would be interested to know whether Chuck would consider changes in the end-to-end architecture at order to insert security in the center of the network at the cost of generativity.