On Wednesday a group of federal bureaucrats, business representatives and industry lobbyists will be rolling out a draft of the White House's new initiative to enlist the computing public in the task of defending cyberspace. Originally, the Feds had planned to roll out a final draft, but this has been delayed due to unresolved conflicts among the technology companies the scheme will be affecting.
An earlier draft of the White House plan, drawn up under the direction of cybersecurity Czar Richard Clarke, has been leaked. We don't know how up to date it is; but it's been posted on-line as a series of .jpeg images in no particular order. Tomorrow, with luck, we'll get to see an updated 'official' version, but this one should help satisfy curiosity in the meantime, even if it's outdated.
A lot of it, I must say, is good old-fashioned common sense. The government feels that the Internet's BGP (Border Gateway Protocol) is too easy to attack; and they're right. They recommend the adoption of a secure version (S-BGP) which is already in development. But uptake has been slow because it involves investment in new kit, and like most bureaucratic efforts, this one neglects to solve the basic problem: how do we entice, shame, cajole, threaten or bribe private companies into discarding their property and buying new stuff to replace it?
Routers and switches and their operating systems should be beefed up, we're told. Fine, but who's going to pay for that? SCADA systems need stronger authentication mechanisms; but of course this involves a performance hit so we'll need very low-latency auth devices. And that's an excellent idea. Anyone care to donate the hundreds of millions of dollars needed? Bill Gates, are you there, buddy?
ISPs should implement ingress and egress filtering to make attacks involving IP spoofing more difficult. Yup, they should, all right. Who's going to make them do it? Congress? Right; Congress doesn't know the difference between a packet filter and a packet of dust filters.
We're talking about companies here with (severely battered) shareholders to answer to. You don't just tell them, 'gee, it would be great if y'all would spend a few billion dollars making the Internet a bit safer for us all to use.' It has to make business sense, it has to pay off somehow; and that's chiefly what's lacking in the White House scheme. Basically it's a wish-list of the sort anyone with a background in network security would draw up.
Mining for Palladium
Clarke's lieutenant, Critical Infrastructure Vice-chairman Howard Schmidt, is an old Microserf. In fact, he was in charge of security during the days (not long ago) when Outlook was configured to launch executables without user intervention. As soon as Billg decreed that Trustworthy Computing shall be Law, they gave Schmidt the sack, and he was then salvaged by the White House's National Security Council.
Thus it comes as no surprise that such familiar phrases as 'trustworthy platform', 'trustworthy operating system' and the like should be sprinkled throughout the draft. I didn't actually spot the 'P-word', but one can read between the lines well enough. Palladium and schemes like it, which turn the personal computer into a set-top box for controlled computing under the label, 'secure computing', do have a nice potential to turn profits for the software and media industries if they can be forced on consumers.
There actually are some benefits to naive, casual users from devices of this sort. If you're the kind of person who wants to use a computer for simple tasks on-line and off, and who's concerned about security, but who has no interest in learning about either the computer or security, then this product is for you. It will undoubtedly make the millions of Windows machines carelessly connected to the Net by people who just don't want to be bothered more resistant to attack and exploitation.
But the technology itself is very much open to exploitation by the software and media industries, who can use it to restrict access to their priceless jewels, which, as you know, you no longer purchase, but merely lease. The potential for Corporate America to use something like this to screw the consumer is so great that I personally believe it outweighs all the possible security benefits.
The problem here is the incomparable greed and arrogance of the software and media giants we deal with every day, and their paramilitary lobbies like the BSA and the RIAA. They've got a well-established and very unattractive record of abusing consumers. We know these companies and lobbying groups are going to screw us to the nth degree for all eternity. They've signalled this in a hundred ways: punitive BSA audits; EULAs demanding root privileges; shrink-wrap contracts with preposterous terms; the UCITA Trojan legislation which absolves software companies of all responsibilities; the DMCA; copy-proof CDs; Fritz Hollings and his efforts to mandate DRM in all household hardware; Howie Berman and his desire to let the RIAA hack and disable P2P networks -- the list of bad-faith crimes against the consumer goes on. The trusted computing platform is the single most dangerous weapon we could ever concede to these companies.
Yet it is the only portion of the White House's grand scheme which appears capable of generating a new revenue stream, such as pay-per-use software and media, made possible by a usurious DRM regimen sufficient to make it profitable. Look for Congress to be getting a real 'education' about this new boon to Homeland Security during the next twelve months. ®