Friday, April 28, 2006


“. . . all I could see in London's packed Olympia conference centre was an industry united in a profitable celebration of the failure of our society to properly protect itself from the dangers of living an increasingly online existence.”

Simon Moores, What’s the Point of Security?, (April 26, 2006).

Moores is describing his reaction to the speakers and displays at a recent British computer security conference. As I have noted in earlier posts (e.g., "Treaty," April 16, 2006), I agree with him that our society notably (some might say "criminally") unsuccessful in protecting itself from online dangers. As I have explained elsewhere, our failure is due to our continuing reliance on an outdated model . . . the reactive model of law enforcement we use to control real-world crime. As I have also explained
elsewhere, that model is ineffective, at least as our sole crime control methodology, for cybercrime because cybercrime differs in several critical respects from real-world crime, the type of crime the model evolved to control.

I agree with Moores that we are doing a miserable job of protecting ourselves online. And I can understand his reaction to the conference that prompted it -- while I tend to avoid commercial cybersecurity conferences, I, too, have on occasion found myself discouraged by the overt commercialization of efforts to secure our activities online . . . efforts, I might note, that are not proving particularly successful. I tend to have the same reaction to this that I did several years ago, when I went to a Homeland Security Conference in the US . . . and visited the Exhibition Hall where commerical vendors were displaying what I regarded as a parade of horribles: Huge supplies of body bags, portable radiation detectors and protective gear, devices for dealing with the outbreak of hideous, exotice diseases, etc. It was horrible because of the spectres it raised and it was horrible because people were dedicated to profiting from the anticipation (if not the realization) of these spectres.

I differ slightly from Moores in that I believe, as I have
explained elsewhere, that a critical first step in changing the current status quo, in improving our ability to protect ourselves online, is effecting a sea change in our culture: We must inculcate the realization that we all -- schools, businesses, religious organizations, individuals, charities, government agencies, etc., etc. -- now bear a significant portion of the responsibility to control online crime. If these commercial events help inculcate that realization, then I think they are accomplishing something . . . aside from enriching the companies that participate.

The problem I see with these events (and analogous events that target only government officials and agencies) is that they do nothing to help the general public realize that they are, in effect, our frontline in controlling cybercrime. One of the currently more exploited tools of cybercrime is the botnet . . . a assemblage of "civilian" computers that have been taken over by cybercriminals and turned into zombies which do the cybercriminals' bidding. Botnets are used for various activities; they are advantageous because of the expanded power they give cybercriminals, and because they serve as an effective buffer between cybercriminal and police. If police track down the source of an attack, they will find the "civilian" computers that constituted the botnet, not the actual perpetrators of the attack.

We desperately need to make the civilians who participate in cyberspace aware of the dangers that lurk there, including the danger (and consequences) of having their computer turned into a botnet. The conferences Moores writes about do nothing to accomplish that, which I see as the real tragedy. I agree with him that commercial motives are so far driving the efforts to develop "civilian" cybersecurity, efforts which are notably unsuccessful. My primary concern, however, is that because these commercial motives focus only on large organizations, the general populace, which is the true Achilles heel of any modern, online society, is going ignored.

No comments: