What if individuals within the United States government knew about Pearl Harbor before it happened and did nothing to prevent it?
What if individuals within the United States government anticipated a 9/11 attack and leveraged the tragedy to expand government powers?
These questions border on the silly, if they do not travel deep into the territory of the inane... at least until recently.
Lawrence Lessig, author of Code and Other Laws of Cyberspace and a respected law professor at Stanford University, dropped a bomb at this year's Fortune Brainstorm Tech Conference in Half Moon Bay, California.
In the video segment above (roughly 3 min 50 seconds into the discussion) Lessig states:
There’s going to be an i-9/11 event. Which doesn’t necessarily mean an Al Qaeda attack, it means an event where the instability or the insecurity of the internet becomes manifest during a malicious event which then inspires the government into a response. You’ve got to remember that after 9/11 the government drew up the Patriot Act within 20 days and it was passed.
The Patriot Act is huge and I remember someone asking a Justice Department official how did they write such a large statute so quickly, and of course the answer was that it has been sitting in the drawers of the Justice Department for the last 20 years waiting for the event where they would pull it out.
Of course, the Patriot Act is filled with all sorts of insanity about changing the way civil rights are protected, or not protected in this instance. So I was having dinner with Richard Clarke and I asked him if there is an equivalent, is there an i-Patriot Act just sitting waiting for some substantial event as an excuse to radically change the way the internet works. He said “of course there is”.
This is troubling on a few counts. First, that infringement of rights is anticipated by some within our own government as a response to attack. Second, unlike a terrorist attack, an i-9/11 is entirely avoidable in my eyes.
On the first count, I'm sure it's thought by some of the PATRIOT Act progenitors that such infringements are "for our own good/safety/security". Such thinking would be inaccurate. The United States has a long history of putting personal liberty to the forefront, even, in many instances, ahead of national security (control of nuclear weapons/materials is the one consistent exception to this as far as I know). This position has worked out well so far. As sophisticated, nebulous, or hidden a terrorist plot might be, terrorists, frankly, are freaks. Laws upholding our rights are for the benefit of citizens, not necessarily for the detriment of freaks.
On the second count, an i-9/11 attack (resulting in an equivalent i-PATRIOT Act that "radically changes the way the Internet works") will likely be enabled because of poorly written, insecure software, not because of widespread mis-configuration of computer systems (although this will undoubtedly contribute to some degree).
The reasoning is simple. A zero day exploit (an exploit for a software vulnerability for which there is no available patch) can be used against just about any system containing the targeted vulnerability. We've seen this already with widespread virus infections, worms, malware, etc. A zero day exploit gives tremendous advantage to a cyber attacker; that's why zero days sell for so much in the underground vulnerability market.
In contrast, configuration settings are just too numerous and introduce far too many variables for a widespread i-9/11 attack to be feasible. An i-9/11 attacker would have to hope that every target system (or collection of systems) possesses the same or similar mis-configurations to successfully execute the attack. I admit this is possible (CodeRed taught us this much), but unlikely for an i-9/11 attack (I'm not talking about theft here, but a true, no-shit attack). If I were an attacker (I'm not admitting to anything here), I'd place my money on a zero day (as many serious state-backed and criminal-backed hackers do) instead of on the hope of pervasively mis-configured systems.
But, as I stated, an i-9/11 attack is avoidable and so is the potential infringement of our rights both on and off the Internet. Far too many software vulnerabilities have been introduced by software manufacturers for far too long. Hackers are simply doing what software manufacturers failed to do themselves. Software vulnerabilities are preventable if only software manufacturers had the incentive to prevent them. I'm not talking about "perfect" software here; just software that can withstand highly foreseeable malicious activities.
There is no reason why "bad" software filled with preventable flaws should jeopardize our rights, especially, as Richard Clarke implied, when there are already plans drawn up to enact an i-PATRIOT law in the event of a 9/11 equivalent cyber attack. There is also no reason why we should have to wait for catastrophe to change in the software market what we know must be changed, and should have been changed long ago.