technology can potentially tell you the identity of a machine that waged an attack (or committed a crime), this isn’t always helpful if the original source was some public computer. “Being able to attribute activity to a particular machine is a lot different than being able to say ‘What was its true source?’ ” says Berkeley’s Vern Paxson. “Even if it went all the way to the terminal end system”–that is, the place of an attack’s true origin–“you might have some coffee shop in Shanghai.” Paxson warns that in general, approaches to tracking identities in cyberspace carry obvious privacy implications. “The technology to address these sorts of issues–the ability to be able to monitor who is doing what, and track it back–would be very powerful,” he says. “But it would also be police-state technology.”
With solutions still far off, averting a needless outbreak or escalation of cyber war will have to rely on more conventional intelligence techniques. Surveillance of computer networks can sometimes provide the clues needed to identify and expose a potential attacker, says Bret Michael, a computer scientist at the Naval Postgraduate School in Monterey, CA. So can basic human intelligence networks. If intelligence agencies can pinpoint the source of a threat, they can “shine a light on a malefactor before he attacks or soon after,” he says. “Sometimes just being identified is enough to prevent an attack from taking place.”
On a crisp April morning this year, more than 140 diplomats, policy makers, and computer scientists arrived in the mountain town of Garmisch-Partenkirchen, Germany. Their host was the Russian Interior Ministry.
The topic of the conference that brought them there: how to secure the “information sphere,” as the Russians put it. But this meant different things to people from different countries. Painter, the White House aide, emphasized fighting cyber crime. Russian speakers–mindful of the suicide bombings that had recently struck the Moscow subway–talked of thwarting terrorist training and organizing online. An Indian researcher talked about network usage by the Mumbai terrorists and described how Indian laws were reformed in response. Representatives of the Internet Corporation for Assigned Names and Numbers (ICANN), the authority responsible for domain names, spoke of the latest security fixes. A small Chinese delegation attended but watched silently.
Then, on the second day, Michael Barrett, the chief information security officer at PayPal, took the podium to remind the attendees of what they had in common: a broken set of technologies. Like other targets, he said, PayPal–which gives Internet users a secure way to send cash in 190 countries and regions–is under siege. “What’s becoming clear to us, and indeed any practitioner of information security, is that most of the curves–and we can all dig out these curves, the amount of viruses on the Internet, the number of incursions, and blah blah blah–they all look depressingly similar. They all tend to look logarithmic in scale. They all go up like that,” he said with a sharp skyward sweep of his hand.
Referring to earlier conversations about improving coöperation and adding security patches, he added: “It’s not that those things are bad. But at this point it reminds me slightly of the definition of madness, which is to say, doing the same thing over and over again and expecting a different result. It’s our hypothesis that to secure the Internet, we have to think about ecosystem-level safety, and that means rethinking the foundations of the Internet.”
Just as Barrett was getting warmed up, the Russian organizers cut him off. They were behind schedule and it was time for lunch, but the decision was symbolic of a larger problem. “Essentially, we don’t have the technology to address the threats that are delivered by the network infrastructure we’ve put in place,” says John Mallery, the MIT researcher. Several research projects have created test beds for new Internet architectures or prototyped more secure operating systems and hardware architectures, such as chips that store some software in isolated areas. But the Department of Homeland Security report still found “an urgent need” for accelerated research and development on securing cyberspace.
The collective discussion in Garmisch was useful to advance near-term efforts. Changing the behavior of individual computer users and corporations will be crucial; so will tightening law-enforcement ties, installing the latest technological patches, and expanding diplomacy. But switching to new technologies will ultimately be necessary. And that’s not likely to happen until we experience a major breakdown or attack. “What we’ve seen is that arms races often progress in an evolutionary fashion. But now and then, they jump,” says Paxson. “If there is some cyber attack that messes up a city for a week–or if a big company is brought to its knees–it will be a game changer. I have no way of knowing how to predict that. It’s like saying here in the Bay Area, ‘Will there be a big earthquake in the next three years?’ I really don’t know.”
His remarks reminded me of Kaspersky’s plane-crash fears; collectively, we just can’t predict how, and when, things might change. But as Baker put it, “The lesson of 9/11, the lesson of Hurricane Katrina, is that sooner or later, it’s going to happen.”
David Talbot is Technology Review’s chief correspondent.