September 20, 2020

Virtually Unprotected

Today’s New York Times has a strongly worded editorial saying the U.S. is vulnerable to a devastating cyberattack, and national action is required.

We are indeed vulnerable to cyberattack, but this may not be our most serious unaddressed vulnerability. Is the threat of cyberattack more serious than, say, the threat of a physical attack on the natural gas distribution system? Probably not. Nonetheless, cyberattack is a serious enough problem to merit national attention.

As a participant in the Princeton Project on National Security, I have learned about national security planning; and it seems that the traditional governmental processes are ill-suited for addressing cyberthreats. The main reason is that national security processes result in plans for governmental action; but the cyberthreat problem can be solved only by private action. The cyber infrastructure is in private hands, and is designed to serve private ends. Government can’t easily change it.

Other critical infrastructures, such as the electric power system, are also in private hands, but they are more amenable to government influence for various reasons. The electric power system is operated by a relatively small number of companies; but the cyberinfrastructure is operated by many companies and by ordinary citizens. (The computer you are reading this on is part of the cyberinfrastructure.) The electric power industry has a longstanding, strong industry association focused on reliability; but the infotech industries are disorganized. The electric power industry has historically consisted of regulated monopolies accustomed to taking orders from government; but the infotech industry has been more freewheeling.

There are a few levers government could try to manipulate to get the private stewards of the cyberinfrastructure to change their behavior. But they don’t look promising. Mandating the use of certain security technologies is costly and may not improve security if people comply with the letter but not the spirit of the mandate. Changing liability rules is problematic, for reasons I have discussed previously (1, 2, 3). Using the government’s purchasing power to change producers’ incentives might help, but would have limited effect given the relatively small share of purchases made by the government.

To make things worse, our knowledge of how to secure the cyberinfrastructure is rudimentary. Improving the security of critical systems would be hugely expensive; and large improvements are probably impossible anyway given our current state of knowledge.

Probably the best thing government can do is to invest in research, in the hope that someday we will better understand how to secure systems at reasonable cost. That doesn’t solve the problem now, and doesn’t help much even five years from now; but it might do a lot of good in the longer term.

What is the government actually doing about cybersecurity research funding? Cutting it.


  1. Heavens above — mark that “stealth PDF” before someone unwittingly clicks on it and their browser locks up or worse! 🙂

    Security research is also hindered by the DMCA and other content cartel sponsored restrictions and the risk-filled legal climate swirling around encryption research generally as a result. I’m surprised you didn’t mention this.

    The risk from activated (i.e., deactivatable) software is also considerable.

    One thing the government could do that would actually cut costs and improve cybersecurity: quit purchasing anything from Microsoft. Hurting MS can only help cybersecurity and consumers, and a wholesale migration to Linux/*BSD will save them untold billions in the long run. Subsidizing the creation of a desktop-usable Linux and free software with the same functionality as things like VirtualPC would be a somewhat more radical step in the same direction, aimed at encouraging the gradual elimination of dangerously unsafe Microsoft products from home and business use. Right now, using and evangelizing Firefox is probably the #1 way everyone can participate in improving cybersecurity. Internet Exploder is so unsafe it ought to be illegal to drive it anywhere on the infohighway but to Windows Update and back.

  2. Sorry about the stealth PDF. It’s fixed now.

  3. Ryan Frederick says:

    My question is what kind of cyber attacks are we talking about? I mean, with the current state of the Internet practically every computer that is connected to the Internet is vunerable to viruses and cracking attempts. How is this suddenly so much of a threat? Are we talking wide scale DDoS attacks or cracking attempts? It would either take long periods of time or very very large amounts of resource to pull either of these off properly, right? So, what is it that we should be protecting our selves from?

  4. Ryan,

    The national security threat comes from a smart, well-funded adversary who wants to cause maximum harm to the U.S. (or a similar country). The attacker might try to cause maximum economic harm or disruption; or it might try to intensify a conventional attack, e.g. by disrupting emergency communications; or it might try to penetrate another critical infrastructure in order to cause harm there.

    I’ll probably write more about attack scenarios in a future blog post.