Cybersecurity: Better vs Different
There’s been a lot of discussion this past week on cybersecurity. A lot of this relates to Richard Clark’s latest book Cyber War: The Next Threat to National Security and What to Do about It. While it is easy to come to the consensus that cyberwar is indeed a real threat, it is more difficult to identify what the solutions are.
There are two ways of achieving better security from a macro scale: different networks or more secure networks. If for example, we build networks to operate our nuclear weapons, electricity, satellite navigation, etc. so that they are completely disconnected from the Internet, then we achieve security…unless foreign intelligence agencies have agents physically on the ground. Alternatively, we could just build really secure systems. I imagine these would involve limiting user privileges and developing incredibly complex passwords.
There is obviously a trade-off between these systems, but it’s helpful to be able to conceive of cybersecurity in this mindset. For example, while separating a system from the Internet is one way of being “different;” another is to simply use an alternate operating system. The reason that Mac computers get less viruses has a lot to do with their being different. This is also the reason behind a new, seperate opperating system called Kylin, developed by the Chinese governemnt. A report released by the US-China Economic and Security Review Commission claimed the intent of this OS was for security reasons (though there is little evidence to support this claim).
In his book, Richard Clark takes a strong anti-Microsoft stance, focusing particularly on the issue of Pentagon technology acquisition. Not only does Microsoft not claim that their OS is incredibly secure, it’s also what almost everybody else has. As hackers focus their attention on large scale operations, Microsoft (and particularly old Windows) computers are easy targets.
And yet, I don’t know if I can be an advocate for “different” systems. Metcalfe’s Law suggests that the more systems we have interacting together, the more valuable the system is. Why wouldn’t this apply to the Internet? It’s certainly an issue that technologists and policy wonks should reflect on.
