PFIR - People For Internet Responsibility
PFIR Statement on
Legislating Internet Security

February 12, 2000

PFIR Home Page

Greetings. In the wake of the recent flurry of public concern over Internet denial of service (DoS) attacks (as discussed in the PFIR Statement on Recent Internet Denial of Service Attacks), we are already hearing calls that Internet sites must somehow be "forced" to upgrade and maintain their security, probably through legislative mandates. Information suggesting that otherwise innocent third party systems were hijacked to participate in these attacks has contributed to this viewpoint.

Unfortunately, the history and practice of computer security suggest that attempting to legislate such security is usually akin to passing laws aimed at controlling the weather--we may know what we want, but our ability to influence events has severe practical limits!

Unlike other areas (such as privacy policies) where legislation could establish rules which most firms and individuals could understand and implement without undue complexity or haziness, computer security is a very different sort of very complicated beast.

In particular, few computer users, even amongst the most experienced, have a complete understanding of all installed security-relevant software on their systems--it may not even be clear which software would be involved!

Since the most widely used operating systems and software applications are closed-source, the overwhelming majority of users are almost completely dependent on their software vendors for virtually all aspects of their computing environments, from secure default configurations to ongoing bug fixes. Even with open-source systems such as Linux, an increasing percentage of users will not have the experience to personally discover, track down, or repair security problems by themselves. Attempts to remove the user "from the loop" by automating software update procedures can introduce their own security and system stability risks, capable of causing new problems on previously stable systems.

In the current rapidly changing Internet environment, most users are embedded in a continual cycle of downloading and installing new upgrades, drivers, and other software components on a frequent basis. Even assuming no designed-in security trapdoors (not at all a safe assumption in the real world!) the ease with which accidental security flaws may be introduced through such downloads is alarming.

Perhaps most at risk are the ever increasing numbers of home and small business computer users with full-time high speed Internet connections (via cable modems, DSL, or other technologies). The users of such systems can be extremely vulnerable to outside attack, with the potential for untold damage to their privacy and systems, and to other parties' systems when computer hijacking occurs. The ease with which such attacks can be developed, evolved, and launched is staggering, and protection is difficult to assure in the ever-changing software environment on most targeted systems.

The vast array of software from different vendors, which can interact in unpredictable manners, guarantees that even with the best of intentions security problems are a fact of life, and will continue to be so. No technological or legislative "magic bullets" will be forthcoming that can substantively alter this situation. We need to come to grips with the fact that while we can do our darnedest to implement the best security possible, we are engaged in a perpetual cat-and-mouse game. This has profound implications both for the Internet itself and for all of the applications, however trivial or critical, which we choose to host upon it.

The sooner we begin to meaningfully factor these realities into our thinking throughout industry, government, and the consumer world, the better for us all!

--Lauren--
Lauren Weinstein
lauren@vortex.com
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy