Theory and Practice of Computer Security
By Roy D. Follendore III
Copyright (c) by RDFollendoreIII
November 13, 2005

Society has come to depend on increasingly complex and interdependent long distance organizational relationships to perform difficult but necessary tasks. Keeping our society safe from terrorism while maintaining freedom and human rights is just one example of such a complex and critically important task that law enforcement needs to be performing. It has been found that static philosophical approaches to communication security between the FBI and the CIA directly contributed to the events of 9/11. The ability of man to travel to and from our planet and work in orbit is another operational environment that requires very high degrees of secure computer coordinated complexity. The static approach to management communications also directly contributed to the insecurities involved in both the Challenger and the Columbia space shuttle disasters. The point is that many of the things that we do on earth are far more complex. Within our millennia, society is being forced to recognize the fact that static philosophies in security can be dangerous.

Of course the problems associated with complex communications did not originate within our millennia. It began long ago as we began to define the things that we could do with computers that are networked. Our engineers just confidently forgot to include a proper notion of how to manage appropriate security philosophies as the technologies we use evolved.

The criteria for what is and is not a crime are important to managing the best security philosophy. In order to both recognize and legislate enforceable laws that protect society, it is important that we understand and agree upon the boundaries of security. This is a serious and difficult problem that has few solutions. Who owns data when it is being passed on through the internet? When does the ownership of data that moves through societies begin and end?
When should user accountability and societal regulation take place?

A decade ago, the idea that society might be willing to consider the creation and distribution of unsolicited email as a crime would have been unacceptable. This is not true today. Five years ago it was generally considered improbable that commercial spyware programs would evolve to the point where they are now considered a security problem. Ethics and cyber education have been teaching us that technical security affects the performance of people to earn a living. In terms of productivity, both of the examples just mentioned have become expensive societal problems that also represent serious security risks to the general public.

Many people in society work from home these days and large institutions depend on employees who telecommute. The productivity of American society depends on our ability to maintain a secure philosophy with respect to our computers and our computer networks. When citizens have their identities stolen it translates into an economic crime that affects that person and the social system in which they live.

If the same degree of risk to the general public were to be expressed on a public highway, such concerns would be handled effectively and efficiently by the local police departments. Obstructions to the necessary pathways to public performance get cleared and citizens get prosecuted. At the Federal level, the jurisdiction for securing cyberspace is not a very high priority, while at the local level, where security of citizens is important, the local police are unable to deal with the complexities of securing cyberspace. Obviously the ability to create a local philosophy that is able to successfully regulate parameters that lead to public security is of critical importance.

No one seems to be keeping track of the statistics of cyber crime in our communities.
If the same degree of risk to security were to be expressed in terms of bank robberies, the average county in this country would have an alarming rate of crime and there would be public outrage. Until the proper means for accounting for cyber crime is addressed, local authorities will not be given the mandate to deal with the problems that their communities face. In the meantime, basic local laws are constantly being broken and are being ignored because we simply do not deal with the fundamental philosophical changes in the notion of security that have been taking place all around us.

We are now not just speaking about technical security in terms of anonymous digital theft; these crimes silently disrupt local communities and prevent average citizens from earning their daily bread. The costs that arise from unearned income are simply not being expressed in terms of crimes that involve schemes, and the theft of bandwidth, throughput and processing time owned by consumers. Intellectual property in our community is being stolen; merchandise is being purchased but remains undelivered, while a person can harass anyone while claiming just about anything.

Local law enforcement has not caught up and there are some pretty good reasons for that. The simple truth is that for the volume of crime there is no local police force to take action. Politicians apparently do not want to create issues for which they might be held accountable in the eyes of voters. Credit theft is played down by the credit card companies who transfer and spread costs to the general public. The general public remains unaware of how vulnerable they are, and even the police officers who witness the complaints of citizens often do not understand why they too remain vulnerable to cyber crime.

With all of the noise about cyber crime it is no wonder that everyone is confused about the theory and practice of computer security.
News organizations on which our community has depended for reaching public consensus have a hard time talking about computer security philosophies. For instance, MSNBC.com alarms us that "the next time you connect to your online bank it'd be a good idea to check on your firewall and update your antivirus software," while ABCNews.com simultaneously questions reports that with respect to identity theft, "one in five Americans has been hit." (Beware the Numbers Hype About ID Theft) They question the "common statistic is that 10 million people fall victim every year." They and their experts also argue their own philosophical point by stating that individual citizens are not necessarily being individually victimized. "Too often overlooked, many analysts argue, are savvy 'synthetic' fraud schemes that frequently don't directly victimize individual consumers. In such schemes, criminals invent fictitious identities and use them to ring up phony charges. By some estimates, this accounts for three-quarters of the money stolen by identity crooks."

But even if this were true, the question that arises is who then pays for such crime? Perhaps we should also claim that bank fraud is a victimless crime and write that off as an unimportant and unenforceable crime as well. That certainly eliminates the statistic. The point is that what we are reading from the mainline media about technical security problems is sensational primarily because it represents half truths.

On the other hand... maybe we should begin to listen to the policemen who actually take the citizens' complaints and begin to discuss better ways to think about the common need for better computer security within our communities. Fortunately the common sense approach to this problem does begin with better understanding from the law enforcement community as well as the community as a whole.
We need to begin that process of understanding without generating community fears from foolish regulations which could very well end up stomping all over citizens' rights if technical security is not implemented well. The only way that the endemic problems of security theory and practice can be managed is to begin an internal common sense dialogue with law enforcement that deals with the issues that technical security presents to us all, in direct, rational and non-threatening ways.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved