67 000 Malware Threats Every Day

Yet a new U.S. Commerce Department report stops short of recommending new legislation

Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”

Just last week we devoted a podcast to the astonishing rise in cyberattacks lately, and right on schedule, this weekend, we learned of a breach at the International Monetary Fund. The IMF holds sensitive economic data, which, if released, could send shock waves through the world’s stock exchanges and other financial networks, and the hack was so serious that the World Bank, which is headquartered in Washington, D.C., right across the street from the IMF, severed a network link that connects the two institutions.

As it happens, the U.S. Commerce Department has been studying the problem of cybersecurity for over a year and released a detailed report [PDF] just last week.

In it, the Secretary of Commerce, Gary Locke, noted that “security experts were seeing almost 67 000 new malware threats on the Internet every day,” which, it says, is “more than double the number from January 2009.” The report sizes up the threat and offers dozens of pages of recommendations for government and businesses alike.

My guest today is Ari Schwartz. He’s a senior Internet policy advisor within the Department of Commerce and a member of the Internet Policy Task Force, which put together the report. Ari, welcome to the podcast.

Ari Schwartz: Thank you for having me.

Steven Cherry: Ari, the report distinguishes between Internet systems involved in critical infrastructure, and what it calls the Internet and Information Innovation Sector. We’ll get to that in a moment. But I have to ask about the critical infrastructure, which the report says involves sectors whose disruption would have a debilitating impact on individual security, national economic security, national public health and safety. My question is, with major attacks reported just this past week or so at RSA Security, Lockheed Martin, L-3 Communications, Citigroup, and the International Monetary Fund, isn’t it obvious cybersecurity for critical infrastructure isn’t what it needs to be, and shouldn’t we be worried about that first?

Ari Schwartz: Absolutely. And actually, I think if you look back through the administration’s—through the Obama administration’s record, most of the focus has been on critical infrastructure. And I was part of a team that from a bunch of different agencies that put together a legislative package that was sent to the Hill on the request of majority leader Reid to try and address those issues and focuses almost solely on critical infrastructure. So this report is really, kind of, coming behind that set of recommendations, and saying while we are focusing and we need new legislation to address critical infrastructure issues, we don’t necessarily need new legislation or regulatory authority to address noncritical infrastructure issues and particularly this one sector that you identified there, and that we identify in the report. We felt as though we need to pay more attention to that sector. However, that doesn’t necessarily mean we need new legislation in order to do it, the way we do with critical infrastructure.

Steven Cherry: Very good. So let’s get to the Internet and information innovation sector. What exactly does that include and how secure is it?

Ari Schwartz: Well, really it includes a wide range of services: companies that provide information services and content, those that serve as intermediaries for transactional services like e-commerce services, the hosting of publicly accessible content and providing support for activities such as applications, browsers, social networking, search providers. So basically the mainstream kind of consumer-facing and some business-to-business applications for Internet services as we know them. It doesn’t mean the communication services themselves but really more of the application layer.

Steven Cherry: Well, this would include everyone from Google and YouTube to IEEE Spectrum.

Ari Schwartz: Right. To the media that we know and also e-commerce companies like eBay and those kind of companies as well. Banks are not included in that space because they’re considered critical infrastructure. Banks, health, energy companies, telecommunications companies themselves are considered part of the critical infrastructure.

Steven Cherry: So, you know these are all businesses and libertarians and liberals can debate how much government involvement is appropriate, but just stepping back from that, maybe we should ask what can government actually do here?

Ari Schwartz: Well, in this space what we see the thing we can do best is help the industries and the subsectors involved here to come together and highlight standards and best practices in this space that can address the concerns, because a lot of times they can’t communicate because there’s antitrust or competition concerns. We’re trying to allow the government to create a place where you can have more of an open discussion about those issues with the broader public involved in that discussion. And in this kind of space, where you’re not talking about critical infrastructure, it’s easier to do that, and that’s one of the reasons why we separate that out.

Steven Cherry: You know, the IMF attack, the RSA attack, the one that hit Google’s Gmail users last month including some government officials, they all involved phishing attacks aimed at getting passwords to important systems. That’s not a technical problem so much as a human problem and I guess I’m wondering again, like, where the government role is and even what business can do at that point?

Ari Schwartz: Right. So there are a number of standards that are out there that can help to address some of those issues, and not one standard is going to solve every issue. And that’s why we talk about in this space, kind of building codes of conduct and working with industry to help build codes of conduct, but one thing that we can do in the short term is to promote secure e-mail standards like SPF and DKIM that we think have been successful for the companies that have tried to use them, and then also to move away from such a heavy reliance on passwords.

Steven Cherry: Yeah, I noticed you have an article in the current issue of Communications of the ACM that talks about identity management infrastructure. How is that different from passwords?

Ari Schwartz: Well, the idea is that you’re getting the right kind of log-in and authentication for the transaction at hand. So we see a move, you know, one thing that Google did after these most recent attacks, is to promote their new Google Authenticator, which gives one-time passwords to individuals out there and that is a solution for some types of these efforts. The basic idea is that if we can move to two-factor authentication, just getting a password or getting something that’s static kind of a password system, we’re going to be able to solve some of those problems.

Steven Cherry: Well, you mentioned Google and, you know, they have this sort of simple two-step verification. When you log in on a new computer, they send you an e-mail just to make sure that it’s really you on this different computer. And it seems pretty clear that most people are going to not bother with that. It’s completely optional and people are always trading off security and privacy for convenience. How are you going to make them stop?

Ari Schwartz: Well, in that space the goal is to try and make it more convenient at the same time. So if we can have accounts that are more secure, so an identity provider that can issue you commercial accounts in different places, right?

Steven Cherry: You know in your current article you say that “we have a rare opportunity to build an identity management infrastructure with the right characteristics and this opportunity may be our last.” Now, you wrote that even before this most recent wave of serious attacks, but is that what you had in mind that things are getting worse pretty quickly?

Ari Schwartz: Things are getting worse and that some people think that the solution is to come up with a national identity card. To me that’s the wrong answer. We need to work on this. What has made the Internet so successful has been the decentralized model, the commercial model out there, and there are some people out there that think that that’s not going to be successful enough in securing the system. So I do think that this is a rare opportunity that we have to sit down and make this work, but because we knew that this round of attacks was on the way and we need to move quickly in order to try and address them, and the solutions are not going to be quick solutions out there, right? Even when we talk about building an identity ecosystem it’s going to take even in the fast assessments five years, right? To get it to the point where it’s something that’s usable across the network and it’s probably going to take longer than that even.

Steven Cherry: Well, if it’s going to take that long to fix the problems and they’re getting worse quicker and quicker, maybe they just won’t get fixed and maybe we just have to live with a world in which major systems are being broken into all the time.

Ari Schwartz: There is, sort of, this kind of worst-case scenario out there, which is, What do you do if systems are getting broken into all the time? But then the problem with that is we don’t have the kind of long-term innovation that I think a lot of people are expecting from the Internet and that we need to motivate the economy to move to the next level. So we feel as though we need to get started on this immediately, that there are solutions—a range of solutions that we need to implement. In the paper we go through a list of seven or eight different kinds of standards that are widely considered consensus standards. They’re things like DNSSEC, IPsec, HTTPS for cloud kind of services that can help move us to the next level in security as well as the authentication implementations, right?

Steven Cherry: Well, fair enough. Ari, spending your day worrying about the basic plumbing of our telecommunications system is thankless enough, but to worry about the security of the plumbing is even more thankless. So on behalf of our listeners and everyone else, thanks.

Ari Schwartz: Thank you.

Steven Cherry: We’ve been speaking with Ari Schwartz, senior Internet policy advisor at the National Institute of Standards and Technology, which is part of the U.S. Department of Commerce, about how government can help businesses deal with an epidemic of cyberattacks. For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.

This interview was recorded on 13 June 2011
Segment Producer: Ariel Bleicher
Audio Engineer: Francesco Ferorelli

NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum's audio programming is the audio version.