The wave of cyber attacks North Korea is believed to have unleashed this month reminds me of the time our office telephone system was hijacked.
It was in 2002, shortly after we moved to our new headquarters in Scarsdale and installed our first centralized phone equipment. Someone, most likely using a random dialer, exploited a security hole in the call-forwarding feature of our voice mail. The first sign of trouble was when our phone lines were commandeered in the dead of night for a series of calls to the Philippines. My best guess is that a neighborhood calling shop in some West Coast city “borrowed” our lines as a cost-control measure.
The phone company was right on it. Our international dialing was automatically shut down that same night and we were notified of the problem the next morning. Within 24 hours the hole was plugged. We never had a problem again, and we were not held responsible for the $1,500 in calls that were made before the shutdown.
That’s good network security. We take it for granted in our wired and wireless telephone systems. But we do not have it on the Internet, and a lot of people don’t want it.
The phone company was able to nip our problem in the bud because it watches everything that happens on its network. If I call the Philippines, the phone company knows — and I know it knows. The phone company knows how often I call the Philippines (never), and at what time of day (if I did call, it probably would not be at 3 a.m. Eastern time). So when something really odd happens, the phone company can see it and do something about it.
When it comes to the Internet, people have different expectations of privacy. They do not want anyone to keep track of how often they visit the Supreme Court website, or allthebodiesyoueverwantedtosee.com. (I just made that name up and I do not wish to explore what would happen if I tried to use it.) People also worry about disclosing the content of their online activity, such as the Google searches they execute. We seem more prepared to accept on faith that the phone company, which could listen to our calls if it so chose, has no interest in doing so except under orders from legal authorities.
The Internet, in short, has no centralized gatekeeper the way the telephone network does. As a result, I believe it will always be handicapped when it comes to security.
Governments around the world recognize the importance of computer security issues and have responded both offensively and defensively. President Obama is expected to name a cyber security czar shortly. Privacy advocates already are expressing concern about a reported front-runner for the position, former Republican Congressman Tom Davis of California.
This is just a taste of the controversy that may lie ahead. We can plug holes endlessly, but the bad guys are likely to stay one step ahead of the good guys forever. That’s because the good guys have to wait for the bad guys to do something before they can counter it.
A more effective approach would be to redesign the Internet from the ground up to give it the gatekeeper it has always lacked. In all likelihood, here in the United States that gatekeeper would be a federal agency or a private contractor acting on the government’s behalf. Other countries would have their own gatekeepers who could cooperate to promote international data exchange — or be blackballed if they gave bad guys free reign.
Privacy advocates would be up in arms the instant such a proposal was announced, and they would have a valid point. If confidential Internet activity exists today (and there is room for disagreement over whether it does), it would certainly cease to exist once a gatekeeper was in place. Our privacy expectations for the Internet would have to be more limited, just as is the case today for telephone networks.
What might we get in return for less privacy? More security, at least in theory. The government would set up a checkpoint at the Internet on-ramp. This could screen out most of the phishing, body-enhancement and get-rich-quick spam that plagues all of us. More importantly, it could stop offshore crime rings that now extract huge sums through financial fraud, as well as private or government-sponsored commercial espionage and government-inspired attacks on public and private sites.
Yet another benefit: Tighter computer security could constrict communications and funding for terrorist organizations.
All of these security issues are major concerns right now. The alleged North Korean assault on other countries’ sites is not the first of its kind; there have also been Russian-linked cyber attacks in former Soviet republics in the Baltic region and in Georgia. Ultimately, the policy question we face is this: How much privacy are we willing to trade and how much security will we demand in return?
Online privacy concerns are not irrelevant, but in my view they are overblown, and it is increasingly expensive for free societies to meet citizens’ expectations of complete Internet privacy. Most of us expect the content, if not the fact, of our phone conversations to be private; we expect any monitoring to be restricted and justified. Those expectations are mostly met. A more regulated Internet, with similar expectations and protections for privacy, will have to be in our future if we are going to keep cyberspace safe enough to use.
Posted by Larry M. Elkin, CPA, CFP®
The wave of cyber attacks North Korea is believed to have unleashed this month reminds me of the time our office telephone system was hijacked.
It was in 2002, shortly after we moved to our new headquarters in Scarsdale and installed our first centralized phone equipment. Someone, most likely using a random dialer, exploited a security hole in the call-forwarding feature of our voice mail. The first sign of trouble was when our phone lines were commandeered in the dead of night for a series of calls to the Philippines. My best guess is that a neighborhood calling shop in some West Coast city “borrowed” our lines as a cost-control measure.
The phone company was right on it. Our international dialing was automatically shut down that same night and we were notified of the problem the next morning. Within 24 hours the hole was plugged. We never had a problem again, and we were not held responsible for the $1,500 in calls that were made before the shutdown.
That’s good network security. We take it for granted in our wired and wireless telephone systems. But we do not have it on the Internet, and a lot of people don’t want it.
The phone company was able to nip our problem in the bud because it watches everything that happens on its network. If I call the Philippines, the phone company knows — and I know it knows. The phone company knows how often I call the Philippines (never), and at what time of day (if I did call, it probably would not be at 3 a.m. Eastern time). So when something really odd happens, the phone company can see it and do something about it.
When it comes to the Internet, people have different expectations of privacy. They do not want anyone to keep track of how often they visit the Supreme Court website, or allthebodiesyoueverwantedtosee.com. (I just made that name up and I do not wish to explore what would happen if I tried to use it.) People also worry about disclosing the content of their online activity, such as the Google searches they execute. We seem more prepared to accept on faith that the phone company, which could listen to our calls if it so chose, has no interest in doing so except under orders from legal authorities.
The Internet, in short, has no centralized gatekeeper the way the telephone network does. As a result, I believe it will always be handicapped when it comes to security.
Governments around the world recognize the importance of computer security issues and have responded both offensively and defensively. President Obama is expected to name a cyber security czar shortly. Privacy advocates already are expressing concern about a reported front-runner for the position, former Republican Congressman Tom Davis of California.
This is just a taste of the controversy that may lie ahead. We can plug holes endlessly, but the bad guys are likely to stay one step ahead of the good guys forever. That’s because the good guys have to wait for the bad guys to do something before they can counter it.
A more effective approach would be to redesign the Internet from the ground up to give it the gatekeeper it has always lacked. In all likelihood, here in the United States that gatekeeper would be a federal agency or a private contractor acting on the government’s behalf. Other countries would have their own gatekeepers who could cooperate to promote international data exchange — or be blackballed if they gave bad guys free reign.
Privacy advocates would be up in arms the instant such a proposal was announced, and they would have a valid point. If confidential Internet activity exists today (and there is room for disagreement over whether it does), it would certainly cease to exist once a gatekeeper was in place. Our privacy expectations for the Internet would have to be more limited, just as is the case today for telephone networks.
What might we get in return for less privacy? More security, at least in theory. The government would set up a checkpoint at the Internet on-ramp. This could screen out most of the phishing, body-enhancement and get-rich-quick spam that plagues all of us. More importantly, it could stop offshore crime rings that now extract huge sums through financial fraud, as well as private or government-sponsored commercial espionage and government-inspired attacks on public and private sites.
Yet another benefit: Tighter computer security could constrict communications and funding for terrorist organizations.
All of these security issues are major concerns right now. The alleged North Korean assault on other countries’ sites is not the first of its kind; there have also been Russian-linked cyber attacks in former Soviet republics in the Baltic region and in Georgia. Ultimately, the policy question we face is this: How much privacy are we willing to trade and how much security will we demand in return?
Online privacy concerns are not irrelevant, but in my view they are overblown, and it is increasingly expensive for free societies to meet citizens’ expectations of complete Internet privacy. Most of us expect the content, if not the fact, of our phone conversations to be private; we expect any monitoring to be restricted and justified. Those expectations are mostly met. A more regulated Internet, with similar expectations and protections for privacy, will have to be in our future if we are going to keep cyberspace safe enough to use.
Related posts: