Net Cops: Ready to Write a Security Fix-it Ticket?

By Larry Seltzer  |  Posted 2003-09-21 Print this article Print

With the recent spate of attacks, some have raised new proposals for enforcing Internet security. While tempted by the law-and-order possibilities, Security Center Editor Larry Seltzer wonders if it's politically feasible.

There are many outspoken voices in the security field, but most pale in comparison with Russ Cooper, Surgeon General of TruSecure Corporation and editor of the essential security site NTBugtraq. Fed up with people who do nothing to protect themselves (and others) from security threats that could be easily stopped, Cooper recently proposed financial penalties for users and ISPs who dont take reasonable antisecurity measures.
Now, Im not sure whether this proposal is entirely serious or more of a trial balloon to gauge opinion among Coopers technically sophisticated audience. He definitely will solicit reader reaction and Im sure hell discuss those reactions in a later commentary.

Most worm and viral attacks spread because so many systems on the Internet are unprotected, even though countermeasures are free or inexpensive and have been available for a long time. This is an outrage, as Ive mentioned in previous columns. The gist of Coopers plan is to hold users and ISPs to a minimum level of responsibility for taking measures to protect themselves. For example, the Slammer worm spread throughout the world quickly even though there had been a patch available for about 6 months. Too many people decided they were just too busy to apply it.

Under Coopers proposal, users and especially ISPs would be expected to apply it. ISPs would be expected to do what they could to block it and to notify their customers when patches are available. However, the plan goes farther than warnings. If a client system becomes infected as a result of a missing and available patch, Cooper suggests that ISPs impose a fine on the customer and collect it.

This is a shocking notion, most shocking to the ISPs themselves no doubt. The fines, or at least a portion of them, would go to the ISPs to support these efforts, giving them a stake in it or at least some coverage. Cooper also states that ISPs would need freedom from liability for dropping customer traffic pursuant to the new rules. Even with all this, I suspect few, if any ISPs would be happy about their business being turned into a security enforcement mechanism.

In addition, this scheme would require the creation of a squad of Internet Police, potentially a security firm under contract (like Coopers own TrueSecure, a possibility he raises himself). This firm would regularly scan systems on the Internet and forensically examine attacks—their goal would be to determine how ordinary people should respond to an attack, not so much who instigated the attack. These responsible actions would include applying patches, running anti-virus software and keeping them up-to-date.

At one level I find this plan quite tempting. People often compare the Internet to a highway, except the analogy falls apart when we look that the details. We have strict rules for our roadways and a police force authorized to enforce them. Drivers can incur fines and even go to jail based on their misbehavior. On the contrary, there no authority on the Internet to protect the innocent against the malicious attacks of bad guys; or as Cooper is more concerned with, against those who have taken no measures to protect their own security. Worse, its not even clear that some of the attacks being perpetrated are illegal.

Still, if we take the highway analogy further, Coopers plan for Internet cops looks reasonable. We expect drivers to inspect their cars and maintain safety standards, standards which have become much more rigorous over the years. We expect drivers to have insurance. For heavens sake, we license drivers! Shouldnt we expect something similar as our data maneuvers through traffic?

Reaction thus far to Coopers plan, such as in a Slashdot thread, has been varied. Of course, a large and predictable element blames the whole thing on Microsoft, or for the most part on those who write software that can be abused. In my book, this attitude distorts right and wrong. If someone breaks into my house, am I to blame for not having sufficient defenses, or is it the company that manufactured my door lock? To an extent perhaps, but we shouldnt lose sight of the fact that its the attacker, the author of the worm or the hacker breaking into the system, who is really to blame. And its the responsibility of governments to protect us from such people.

At the same time, Im concerned about giving power to such an agency, which would maintain records of users and their practices. And Im worried about the likelihood that it would make mistakes. Besides, is this plan politically feasible? From a practical point of view, its difficult to imagine anything like this happening. Coopers Internet cops would have to have international powers, and the very idea of some international über-cyber authority is outside the comfort level of most people, including me.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel