I’m sitting in a Barnes & Noble in Mohegan Lake, NY, and it is like a refugee camp because no homes in the surrounding upper Westchester/Putman counties in New York have power due to Hurricane Sandy. That also means no Internet connection in people’s homes, so they’re flocking to public Wi-Fi sites. Unfortunately, this Barnes & Noble has very few public access electrical outlets. As many as 15 people are gathered around the ones that are available, and they’re daisy chaining multiple electric strips for laptop and tablet connection.
Because of the hundreds of people here (with at least half trying to connect), Internet connection is iffy and, even once connected, it is commonplace to be dropped and have to roll the dice all over again to try to reconnect. The Barnes & Noble’s free connection is based on an AT&T service and is usually fairly reliable. Today, however, it is obviously overwhelmed.
As recently as five years ago, hurricanes would have kept us in our homes. Clearly, times have changed. Despite our cellphones and smartphones, which are often equipped with email access, we demand full access, a real connection. And so, this bookstore is filled with students doing papers and assignments, business people entering orders and checking systems, not to mention other maniacal eccentrics, such as this writer, demanding access as a constitutional, God given right. (Internet access is so important to us these days, some young professionals consider it more important than salary when it comes to accepting a job.)
There are at least 50 people in line to get coffee and cakes, and the jockeying for outlets is getting worse and worse. How did we reach this stage where we are both so dependent and so vulnerable? And what does this mean when we are in an age when we are concerned about cyberwarfare? After all, we are told that a cyber attack is likely to target the electrical grid, much like Hurricane Sandy is doing, but on a much larger scale. (Learn more about this in The New Face of 21st Century Warfare.)
Obviously, better computer security cannot help deal with the havoc caused by hurricanes, and it holds no power against electrical outages caused by downed trees and wires. But this disaster isn’t just proof of our powerlessness in the face of nature; it also shows how much more dependent we are now on electric power than ever before. This outage was relatively small; one can only imagine what it would be like if the entire grid were taken offline.
The present outage is limited to a small, albeit highly populated, section of the East Coast. Driving 5 miles over to our local "refugee center," I saw closed businesses, defunct traffic lights, and gas stations unable to pump gas. In New York City, the entire area south of 34th Street is without electricity, with thousands of businesses and hundreds of thousands of individuals without power. One can only imagine what the impact of a nationwide electrical shutdown would be. A storm couldn’t do it, but that grid is controlled by computer systems, which means a cyber attack probably could.
No matter what our technologists do, hackers, crackers and virus writers, etc. all seem to be able to get around the walls that are put up to keep them out. As an example, the Computer Emergency Response Team (CERT) has been warning users for years about security problems in Microsoft products, particularly Internet Explorer and Outlook. But while it’s certain that Microsoft has been addressing these problems as it finds out about them, on October 25, 2012, it issued a new report, "Vulnerability Note VU#948750 – Microsoft Outlook Web," explaining a system hole under which an attacker could "execute arbitrary scripting code."
Microsoft is certainly not the only culprit in the security area. We have all heard of infiltration of banks, credit cards, online services and even federal government systems, infiltration that leads to identity theft, financial loss, password compromises and vandalism. And what we’ve actually heard is only the tip of the iceberg. 2600: The Hacker Quarterly magazine regularly publishes system vulnerabilities, most of which don’t make it to major news outlets. The publication is never short of material.
It’s obvious that what our virus programs, security systems and systems administrators have been doing isn’t working, at least not 100 percent of the time. Unfortunately, that’s what is really required to protect our cyber infrastructure.
So, what to do? Dr. Peter G. Neumann has been monitoring computer security for SRI International for 40 years and has edited RISKS Digest, an online periodical and forum concerned with security and safety in computers, software and other tech systems, since 1985.
He is leading a team of researchers – along with Robert N. Watson of Cambridge University’s computer laboratory – in an effort to completely rethink how to make computers and networks secure as part of a five-year project financed by the Pentagon’s Defense Advanced Research Projects Agency (DARPA).
"I’ve been tilting at the same windmills for basically 40 years," said Neumann recently during a lunchtime interview at a Chinese restaurant near his art-filled home in Palo Alto, Calif.
"I get the impression that most of the folks who are responsible don’t want to hear about complexity. They are interested in quick and dirty solutions." (For a full profile on Dr. Neumann, check out Killing the Computer to Save It at The New York Times.)
In the Times profile, Neumann describes a complete solution to the computer security problem: Cherry-picking the best ideas from the past 50 years to build something brand new. That sounds pretty scary, and would require a massive effort. However, I’ve only known Peter for 21. (He and I were part of the founding group of the first Computers and Privacy Conference, which was chaired by microcomputer pioneer Jim Warren in 1991.) I know him well enough to know that he is not a wide-eyed "visionary" but rather a very practical, well-grounded and very intelligent security professional.
In spite of the effort required, Richard A. Clarke, the nation’s former counter terrorism czar and an author of "Cyber War: The Next Threat to National Security and What to Do About It" (2010) agrees with Neumann and is quoted in the same Times piece as saying that Neumann’s "’clean slate’ effort, as it is called, is essential. Fundamentally, all of the stuff we’re doing to secure networks today is putting bandages on and putting our fingers in the dike, and the dike springs a leak somewhere else. We have not fundamentally redesigned our networks for 45 years," he said. "Sure, it would cost an enormous amount to re-architect, but let’s start it and see if it works better and let the marketplace decide."
Clarke’s book stresses that the next war will be based on bytes rather than bombs. If that’s a real risk – and I’m not the only one who believes that it is – many experts agree that we are ill prepared. For the most part, people don’t seem concerned. But if you were anywhere near a library, coffee shop or Barnes & Noble during the disaster, one thing is clear: Being disconnected is not an option.