[ISN] Opinion: Four laws Congress needs to pass now to boost computer security

From: InfoSec News (alerts@private)
Date: Thu Feb 01 2007 - 22:16:41 PST


By Ira Winkler
February 01, 2007

Even though we have a new Congress, I doubt that much will change with 
regard to computer security. While a law related to identity theft will 
probably be passed in one form or another, I expect that it will be 
trivial and not deal with preventing the theft of individuals' personal 
information. Corporate lobbyists have proved themselves to be too adept 
at manipulating members of Congress so they don't pass laws requiring 
companies to be proactive, especially with regard to security measures.

Identity theft is a symptom of poor computer security. There are two 
underlying methods of identity theft: hacks of vendor computers, and 
client-side attacks. Vendor hacks are the result of poor security on the 
part of the vendor and often lead to the theft of thousands, or 
millions, of credit card numbers, at once. The laws passed in this 
regard basically state requirements that vendors have to follow once 
data is stolen. However, they do not lay out computer security 
requirements. The hope is that if vendors have to act if their security 
fails, they will try to better protect themselves. All you have to do is 
browse Computerworld.com to see how well that's working.

Congress, however, has taken no action to address client-side attacks 
targeting the end user. These include phishing, keystroke logging and 
virus attacks. The underlying enablers of these attacks are the bot 
networks that grow unchecked. Botnets are networks of PCs that have been 
compromised by a remote attacker through known vulnerabilities on the 
PCs. The attacker then has the compromised PCs do his bidding without 
the knowledge of the PCs' owners.

Bots send out billions of spam e-mails and their evil cousins, phishing 
messages. Just as important, bots are used for distributed denial of 
service attacks. DDOS attacks use thousands of computers to 
simultaneously send data packets to a victim's computer to overwhelm the 
computer and the supporting network infrastructure. The attackers then 
use the DDOS attacks to extort money from owners of various Web sites. 
For example, it's common for online gambling sites to be threatened 
prior to a major sporting event, where the attacker will say, "Unless 
you pay me $50,000, I will take you down for a day before the event." A 
successful attack could cost a good-sized gambling site more than $1 

Likewise, DDOS attacks have targeted critical elements of the Internet, 
such as the root DNS servers. Those attacks have crippled segments of 
the Internet for periods of time. It should be expected that similar 
attacks will occur in the future and will attempt to do even more 
damage. Frankly, I believe that if there is a significant Internet 
attack, it will involve bot networks.

So, for Congress to do anything that helps protect consumers and the 
critical Internet infrastructure as a whole, it must pass laws that 
require proactive processes to protect computers, not that tell people 
how to deal with the resulting mess.

Here are more reasons for enacting computer security laws:

* According to reports, the percentage of unsolicited e-mail sent out 
  via bot networks is in excess of 90%. Messages are also growing in 
  size. The number and the size of messages will only continue to grow, 
  so you can assume a very large percentage of Internet traffic is a 
  result of bots.

* From my personal observations, an unprotected computer will fall 
  victim to dozens of attacks an hour. This implies that botnet scans 
  are constant and responsible for a large volume of Internet traffic.

* Botnet-related attacks result in billions of dollars in lost 
  productivity and added costs annually. ISPs and large organizations 
  spend billions to increase bandwidth as spam and other botnet-related 
  attacks take up network volume, and billions more is spent on security 
  software and the related hardware to prevent botnet-related attacks.

With the above in mind, the following laws are needed to at least begin 
to protect businesses, consumers and the Internet itself:

1. Make ISPs (and all organizations providing computer access to more 
   than 100 people) responsible for filtering scan and attack traffic 
   across their networks.

ISPs were declared "publishers" by the Child Online Protection Act. The 
legal effect of this was that ISPs were found to be not responsible for 
the content or intent of the data packets going across their networks. 
While it may be reasonable to say that an ISP might have no clue that a 
JPEG file going across its network has child pornography, thousands of 
ACK packets sent instantaneously are a different story. Attack and scan 
traffic is easy for ISPs to detect and block. The more scans that are 
blocked, the fewer compromised systems there will be. Any increase in 
time to process data packets is easily made up by the overall decrease 
in the amount of network traffic.

2. Make ISPs (and all organizations providing computer access to more 
   than 100 people) responsible for knocking customer PCs off their 
   network if they become bots.

Any system that is clearly behaving as a bot should be immediately 
logged off a network. An end user who starts flooding the network with 
tens of thousands of e-mail messages, or who starts to send hundreds of 
thousands of DOS packets, is clearly compromised or otherwise abusing 
privileges. It is blatant and therefore easy to spot. More important, it 
is easier to identify and stop offending traffic at the source than for 
a victim under attack to identify and contact the appropriate 
administrators to stop the attacks.
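Laws 1 and 2 both rest on the same premise: scan traffic and bot behaviour are loud enough at the source that a network operator can spot them with simple rate checks on flow data. The following is an added example, not code from the article or its author, of what such a check might look like. It assumes a minimal NetFlow-like record (source, destination, destination port, packet count, timestamp), buckets flows per source host into 60-second windows, and flags a host when it touches too many distinct targets (scanning), opens too many outbound port-25 connections (spam bot), or sends too many packets to a single destination (DoS flood). The thresholds and the sample flows are constructed for illustration and are not figures from the article.

```python
"""Rate-based detection of scan and bot traffic from flow records.

Added example with constructed data; thresholds are assumptions that an
operator would tune against their own baseline traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time, seconds since epoch
    src: str       # source IP (the customer host being judged)
    dst: str       # destination IP
    dport: int     # destination port
    packets: int   # packets carried by the flow


# Assumed per-window thresholds (60-second windows); tune before use.
WINDOW_SECONDS = 60
SCAN_DISTINCT_TARGETS = 50          # distinct (dst, dport) pairs => scanning
SMTP_CONNECTION_LIMIT = 500         # outbound port-25 flows => spam bot
FLOOD_PACKETS_TO_ONE_DST = 100_000  # packets to one destination => DoS flood


def detect(flows: Iterable[Flow], window: int = WINDOW_SECONDS) -> Dict[str, List[str]]:
    """Return {src_ip: sorted reasons} for hosts that cross a threshold in
    any single window. Hosts that never cross one are absent."""
    Key = Tuple[str, int]                      # (src, window index)
    targets: Dict[Key, Set[Tuple[str, int]]] = defaultdict(set)
    smtp_flows: Dict[Key, int] = defaultdict(int)
    pkts_to_dst: Dict[Tuple[Key, str], int] = defaultdict(int)

    # First pass: aggregate per source host and window.
    for f in flows:
        key = (f.src, int(f.ts // window))
        targets[key].add((f.dst, f.dport))
        if f.dport == 25:
            smtp_flows[key] += 1
        pkts_to_dst[(key, f.dst)] += f.packets

    # Second pass: compare each aggregate against its threshold.
    verdicts: Dict[str, Set[str]] = defaultdict(set)
    for (src, _), seen in targets.items():
        if len(seen) >= SCAN_DISTINCT_TARGETS:
            verdicts[src].add("scan")
    for (src, _), n in smtp_flows.items():
        if n >= SMTP_CONNECTION_LIMIT:
            verdicts[src].add("smtp-flood")
    for ((src, _), _dst), n in pkts_to_dst.items():
        if n >= FLOOD_PACKETS_TO_ONE_DST:
            verdicts[src].add("packet-flood")
    return {src: sorted(reasons) for src, reasons in verdicts.items()}


def sample_flows() -> List[Flow]:
    """Constructed flow records: one ordinary host and three misbehaving ones."""
    flows: List[Flow] = []
    t0 = 1_170_000_000.0  # arbitrary epoch time, aligned to a window boundary
    # 10.0.0.10: ordinary browsing plus a single legitimate mail submission
    flows += [Flow(t0 + i, "10.0.0.10", "203.0.113.5", 443, 40) for i in range(5)]
    flows.append(Flow(t0 + 7, "10.0.0.10", "203.0.113.9", 25, 12))
    # 10.0.0.20: horizontal scan of a /24 on port 445, one packet per host
    flows += [Flow(t0 + i * 0.1, "10.0.0.20", f"198.51.100.{i}", 445, 1)
              for i in range(1, 201)]
    # 10.0.0.30: spam bot opening 800 SMTP connections to four relays
    flows += [Flow(t0 + i * 0.05, "10.0.0.30", f"192.0.2.{i % 4 + 1}", 25, 6)
              for i in range(800)]
    # 10.0.0.40: packet flood towards one victim web server
    flows += [Flow(t0 + i * 0.5, "10.0.0.40", "203.0.113.77", 80, 5_000)
              for i in range(40)]
    return flows


if __name__ == "__main__":
    for src, reasons in sorted(detect(sample_flows()).items()):
        print(f"{src}: {', '.join(reasons)} -> candidate for quarantine")
```

The windowing is what keeps the check honest: a host that contacts many destinations over a whole day is normal, while the same count inside one minute is not, so the verdict is always per window rather than cumulative. In practice the port-25 rule needs an allow-list for the customer's legitimate mail relays, and the thresholds should be derived from the operator's own traffic baseline rather than taken from this example.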

3. Make end users liable if losses are incurred because of outdated 
   security software.

We cannot push all requirements to the ISPs. End users who leave their 
computers vulnerable to being controlled by others are also at fault. 
All PCs connected to the Internet should have the latest patches 
installed, as well as updated firewall, antivirus and antispyware 
software. While these tools won't prevent everything, they can decrease 
a computer's susceptibility to compromise exponentially. Those who fall 
victim to an attack because they don't have the appropriate software and 
updates would be financially responsible for their own loss and 
potentially the loss they cause others. Just as individuals are legally 
required to keep their cars in safe condition to protect others on the 
road, they should be required to keep their computers safe to protect 
others on the Internet.

4. Write some kind of law concerning efficient security software.

I have been wrestling with how to word this one. A law like this is 
especially important if people are required to install and run security 
software. People have uninstalled their antivirus and antispyware 
software because it brought their systems to a crawl. Security software 
vendors must make performance a critical feature of their software.

While there are other laws I could recommend, these are the most 
fundamental and easy to implement. I know there may be criticisms. For 
example, some smaller, and even larger, ISPs and organizations will say 
they can't afford the software and staffing needed to kill end-user 
access as required. First, these companies are already spending money to 
provide bandwidth for all of the malicious traffic. Second, if they 
can't afford to protect their network properly, they shouldn't be in 
that business.

That is probably the key point. Can you imagine a trucking company 
saying that highway safety laws shouldn't be enacted because that would 
be too expensive? Likewise, can you imagine a private citizen saying 
that he doesn't want to properly maintain a car's safety? Of course not, 
as they would be endangering the safety of others. If people want to 
have access to the Internet, or financially profit from it, they should 
likewise be required to take precautions so that they don't endanger 

All of the current regulatory discussions in Congress and local 
legislatures generally involve identity theft and are in reaction to the 
current hype. They are also reactionary in their effects in that they 
deal with what to do after information is stolen, and not with the fact 
that the thefts should have been prevented in the first place. Most 
important, they do not fundamentally improve security. We need laws that 
are proactive in preventing identity theft and all other likely attacks. 
These proposed laws go a long way in doing so.

Ira Winkler is president of the Internet Security Advisors Group. He is 
a former National Security Agency analyst and author of Spies Among Us 
(Wiley, 2005).

This archive was generated by hypermail 2.1.3 : Thu Feb 01 2007 - 22:38:10 PST