The ambitious new U.S. strategy for securing the Internet sets critical goals that may be hard to put into practice, experts say, because some of them conflict and pose seemingly insurmountable technical problems.
The International Strategy for Cyberspace issued by the White House recently sets down seven basic goals for making the Internet safer and more reliable. Secretary of State Hillary Clinton trumpeted the document as a framework to develop, deploy, and coordinate policies that address the full array of cyber security issues.
"It is not a series of prescriptions," she says, "and that's an important distinction. Because as we work to achieve a cyberspace that is open, interoperable, secure and reliable, there is no one-size-fits-all, straightforward route to that goal." She sees that as strength of the policy, but it leaves others confused.
For instance the policy calls for support of freedom of expression and commerce via the Internet and also calls for denying those benefits to terrorists and criminals. The trick is to figure out who is who while maintaining another goal: Internet privacy.
"How can you do this unless you can discern terrorists from citizens and oppressed people and other folks?" says Josh Corman, a security analyst with the 451 Group after an initial reading of the strategy. "You need to monitor use, and monitoring means privacy violations."
He sees creating a formal policy as important but wants to hear concrete steps. "I like that it sets principles and priorities for discussion and debate, but there are things missing," he says. "I find myself wanting more about how we're going to do this."
The issues the document tries to address strike a chord with many because the Internet - and the evils that lurk there - touches so many.
Participants at a cyber security and privacy protection panel at this week's MIT CIO Symposium said they weren't yet familiar with the nuts and bolts of the administration's proposal, but they did say that protecting Web infrastructure was something the government should be more involved with.
"There's absolutely no reason my grandmother needs to fight a cyber war at her desktop," said Michael K. Daly, the director of IT security services at Raytheon. "It's absurd that she can be attacked from somebody in a foreign country and there's really no phone number for her to call. We wouldn't tolerate it if somebody was lobbing missiles over our borders, so I'm hoping we see more screening by the Internet service providers... I understand the risks to that, of course, I'm a fairly libertarian person and don't really encourage government involvement in my day-to-day life. But in this case I think we need a little more protection than what we're seeing right now."
Allen Allison, the chief security officer for NaviSite, who was also at the symposium, said that international cooperation in protecting Web assets was important because many private companies simply aren't getting enough information from governments about the nature of threats that originate overseas.
"I think what we're missing right now is visibility into the systems outside the U.S.," he said. "So what I'm hoping to see is a little bit more of an open kimono when we're dealing with the government in working through international threats."
Jeffrey Carr, CEO of security consultants Taia Global and author of the book "Inside Cyber Warfare", has similar reservations. He says in a phone interview that it's nearly impossible on the Internet to conclusively establish who launches attacks and pulls the levers behind cybercrime.
In the case of acts of cyber warfare that might escalate to a physical war, which means no one can be certain who the enemy is. "There is no way to establish attribution," Carr says. If an attack is traced to servers in a particular country, that doesn't necessarily mean the government of that country was behind it, he says, and technology can't help to cast more light.
Carr says he applauds many of the goals the strategy spells out, but finds shortcomings. "I thought this all sounds beautiful," he says, "but it was written by policymakers, not by people who work in this area."
He says the strategy calls for protecting critical infrastructure, but notes that the U.S. itself falls short of this goal. U.S. laws calling for measures to do so have no teeth. "There is no authority to require compliance, and even if you say you must comply, there's nothing to do if someone doesn't comply. There are no fines," he says.
More on U.S. cybersecurity abilities: DOJ report critical of FBI ability to fight national cyber intrusions
Some goals of the policy sound very good but fly in the face of how countries actually behave. For example, the strategy says use of the Internet should be unfettered, but in practice when push comes to shove, governments do what's in their own best interest. Egyptian leaders, for example, virtually shut down Internet access during recent demonstrations that overthrew the government, Carr says.
"Countries - even the U.S. - will insist they have the ability to control their own networks," he says. "If there is a national problem, the president wants to control the Internet."
So calling for free access while insisting on control may not ring true. "There's only so much room to talk about this without sounding like a hypocrite," Carr says.
The U.S plan calls for better international cooperation tracking down cybercriminals, but there are countries that are intractably opposed, notably Russia and the former Soviet republics. "They have 100% refused to sign anything to do with cross-border cybercrime," he says. Until pressure can be brought to bear, those countries will remain havens for cybercriminals.
In looking at the strategy and its proposals, they shake down into categories, says the 451 Group's Corman - smart but impossible, smart but difficult, smart but doable.
Some don't fit easily into categories. China, for example, is known to violate intellectual property rights yet because of its size and power, is essential to any meaningful agreement about protecting these rights, Corman says. "If major players aren't cooperating, then what?" he says.
Rick Moy, president of NSS Labs, which specializes in vulnerability assessment, said the cybersecurity strategy would probably help formalize what today is more of an ad hoc process for coping with problems uncovered in networked systems.
Moy says there could probably be better coordination between international Computer Emergency Response Teams to address serious infrastructure issues that come up. Today, a lot of the work to prevent attacks against these vulnerable networks is "done by cliques of people who want to do good," in what sometimes seems like "some kind of underground."
Network World reporters Brad Reed and Ellen Messmer contributed to this story.