Is vulnerability an objective?

I ended last year with a death-of-the-Internet column, and I'm starting off the new year with a death-via-the-Internet one.

I spent time over the holiday reading "America the Vulnerable" by Joel Brenner. This is an activity that I recommend to anyone who does not mind a few sleepless nights.

BACKGROUND: 2011's biggest security snafus

Brenner served as the head of counterintelligence for the director of National Intelligence so he has reason to actually know what kind of threats the United States is under but, due to his previous government position, he is limited in what he can say to information already made public. Thus, he needed to provide public documentation to back up what he wanted to write about, and the book has 38 pages of references of that documentation. I shudder to think of what Brenner knows about active threats that he was not able to write about due to not being able to find a public document that disclosed the threats. (Read Network World's Senior Editor Ellen Messmer's take on this book.)

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

I ended last year with a death-of-the-Internet column, and I'm starting off the new year with a death-via-the-Internet one.

I spent time over the holiday reading "America the Vulnerable" by Joel Brenner. This is an activity that I recommend to anyone who does not mind a few sleepless nights.

BACKGROUND: 2011's biggest security snafus

Brenner served as the head of counterintelligence for the director of National Intelligence so he has reason to actually know what kind of threats the United States is under but, due to his previous government position, he is limited in what he can say to information already made public. Thus, he needed to provide public documentation to back up what he wanted to write about, and the book has 38 pages of references of that documentation. I shudder to think of what Brenner knows about active threats that he was not able to write about due to not being able to find a public document that disclosed the threats. (Read Network World's Senior Editor Ellen Messmer's take on this book.)

No doubt about it, we are exposed. Data about us as individuals is everywhere and totally out of our control; critical corporate data is wide open to everyone in the corporation, and too frequently, just to everyone; Internet service providers ignore compromised customer computers; utilities put the controls for their key systems directly on the Internet "protected" by security systems that would embarrass a maker of windup toys; the "best" security companies around have been breached and information about, or protecting, tens of thousands of their customers has been stolen; and our economic and political adversaries are getting good -- very, very good -- at exploiting these conditions.

Brenner details all of the above issues in great, and frightening, detail and includes some suggestions as to what government could do to mitigate some of the issues. I'll explore a few of them here:

*ISPs generally know when their customers' computers get infected and become botnet slaves, yet almost never let customers know they are toasted. Maybe ISPs should be required to let them in on the secret.

*Electric utilities too often put the controllers for their power generators, most of which have laughable security protections, directly on the Internet because it is convenient for their technicians. Of course, it is also convenient for remote hackers who might like to install software that could destroy the generators when it's convenient for the hackers (see The Aurora Project). Brenner lays out an all-too-feasible scenario of a future where a Chinese government blackmails the United States by destroying a few power generators as a demonstration of what it could do. (Note that the United States no longer builds this type of big generator -- we buy them from the Chinese.) Maybe it should be against the law, with criminal penalties, to connect such controls to the Internet.

*Why does just about everyone in your organization have direct access to just about all the company secret files? There is no reason that the person in the mailroom or, in most cases, the company president, should have such access. Take a look at WikiLeaks to see what goes wrong when there is too indiscriminate access.