Managing Network Security

The Balancing Act

by Fred Cohen

Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Security vs. Freedom

"Those who would trade freedom for security deserve neither" - Benjamin Franklin

In information protection we are always balancing one thing against another. The classic risk management formulation uses money as the ultimate ejudicator because money can be used as a common metric between most things. You can buy lots of things, and perhaps you can even, sometimes, buy your freedom, at least in some sense. But in security in general and in information protection in particular, we are always balancing freedoms with protection, and we often forget about the freedom side of the equation when we do our work.

In most businesses, the business own the assets including the information assets associated with the business. With reasonable policies in place, the company, as owner, is allowed to examine anything stored in or transmitted between any of the computers they own, at least for the purpose of properly maintaining their function and, in most cases, for any legitimate business purpose they so choose.

Recent events have caused a fervor that has moved toward the creation of the Digital Millennium Copyright Act in the United States, and statutes in the European Union and the United Kingdom that are starting to match those in some of the countries we normally associate with oppression. As we move toward the edge of war, still more of these rights have been abandoned by a Congress anxious to find evildoers. We now have 48 hour telecommunication and Internet taps at the discretion of a prosecutor - no judge required - and more still to come, no doubt.

Privacy and Power

"But who shall guard the guards, themselves?"
-(Sed quis custodiet ipsos custodes? - Juvenal (AD c. 55 - c. 130) Satires.)

I am not as much of a historian as many others, but I know enough to know that the last time the United States went down this road it led to the McCarthy era, to tapping of political enemies of the executive branch, to the defamation of character and ruining of careers of many thousands, and the list goes on and on. Freedom did not ring for many black-listed Americans during that era, and it is now being cut back for all Americans once again, all in the name of a war that did not exist only a few short days ago. By the time you, my readers, get this, it will have been a few months, and you can assess for yourselves how things have changed since then.

This is of particular concern when we consider that the current administration in the United States was, in some sense, appointed by the Supreme Court and anointed by the first all republican congress in memory. The US oil companies were gouging prices to Americans in states that did not vote for Bush until one republican senator decided to leave the party to allow the Senate to become a Democratic majority (of 1), at which time the oil prices miraculously balanced across states - they called it market forces.

This, to me, exemplifies how close the balance of power can be, even in a nation of hundreds of millions of people. And the abuses that we saw during the 1950s, 60s, and 70s that were asserted to be due to the "Cold War" are being reinvoked with even more furor and far tighter controls at the beginning of the "Terror War". As we give up more of our freedoms for the supposed security we are to gain, we are in fact gaining neither.

The Hypocritic Oath

I did not misspell it. I am, of course, talking about the oath we will have to all take to hypocrisy. It is an oath many in the information protection community have taken before, and one that the greater community seems to be taking now. Here's how it goes:

It is hypocrisy at its worst, and its most terrifying. The US just increased all aspects of personally invasive security measures at airports, but not one of them, including the one that tells us we cannot bring even the smallest pocket knife on board a plane, could have stopped the incidents that took place on 9/11/2001 (the so-called 911 attacks). And furthermore, the response time to mitigate the threat of such attacks being repeated took about 20 minutes. By the time the last of the 4 flights in the air turned toward Washington, DC, the passengers already knew what was going to happen and they chose the earlier loss of their own lives by trying to take back control of the jet. The next person who tries to pull a knife on a plane for this purpose will probably never get much past standing up before they are subdued by the other passengers. They will be lucky to survive it.

The new measures are, of course, almost useless when it comes to preventing a similar attempt. How hard is it to hide a hard plastic knife in a hard plastic briefcase? It is simple to do and there are even bags that already provide this. The X-Ray machines and the detailed searches of these bags will not likely have any effect on eliminating that threat - which has already been defeated by the acts of passengers. All of this increased security is just another withering of the privacy rights of people - which will eventually lead down the road to a system like that of the Soviets before the breakup.

Self Defense in Cyber Space

While physical assault can be legally met with adequate (but not excessive) force to provide for self defense, in the cyber arena, responses have historically been legally limited to defensive maneuvers only. The doctrine of self defense must eventually come into play with at least the possibility of returning information attacks with information counter-attacks. As denial of service attacks become more rampant and more forceful, purely defensive responses become less and less effective. The fear of collateral damage will soon be outweighed by the harm to self by passive response, and a doctrine must arise that allows the defenders to become aggressive.

The current phrasing is something like 'active defense', but there are limits to what can be done with purely passive response or response that does not somehow influence the attackers, whether they be automated, manual, or combinations thereof. Recent defenses have escalated somewhat by providing packet responses that slow or stop the attacker from proceeding from place to place. One example is a 'SYN ACK' response to a 'SYN' followed by ignoring subsequent traffic. This causes many TCP stacks to stop sending more data. But this is only the beginning.

Recent results in deception have demonstrated that deceptions against automated attack mechanisms are relatively easy to design and can be quite effective at slowing attacks or causing them to behave very differently than they otherwise would. It is only a small step from there to move toward responses to attacks that cause crashes in attacking systems. The technology already exists to do this, but there is some fear in the community around what will be legal in what cases. But it seems clear that as the stakes rise, increased responses will become acceptable, perhaps even encouraged.

Where will it end - or will it?

In the end, the ill-defined term 'terrorism' will be used like all other 'ism's - as a way to divide people into groups and thus conquer them. New laws making unauthorized computer hardware and software illegal will allow those with money and power to eliminate all competition, while at the same time they spend the money of the average person to build new weapons and capabilities to use against those people.

It is the height of foolishness to think that those who flew planes into the World Trade Center and the Pentagon failed to understand this. Indeed, they almost certainly counted upon it. Indeed this is a form of an unholy alliance.

Those with money have privately funded our 'elected' representatives to take from the retirement funds of all US citizens (i.e., the Social Security [un]lock[ed] box) and give to the wealthy corporate interests (i.e., those who can afford to get 'certified' systems and those in the military industrial complex). The 'tax cut and spend' republicans have used the opportunity to explain away the recession that they helped to bring about, while the democrats have bent to their will in all but the most obvious ways.

But the battle has just begun...

I was taking one of my daughters home from a Dance class today and listening to the radio with its stories of the effects of the terrorist incidents. She indicated that, although she hated to admit it, she was losing interest in this whole story. Indeed, the saturation effects of the media have desensitized many of us to the situation - and our politicians and media have declared that 'America has changed forever'.

In my view, this is not a commentary on the past events, but a battle cry for next step toward the end of our freedoms. I explained to my daughter that the situation is not as stable and boring as she might be led to believe. Indeed, from what I can tell, the battle against freedom for citizens of the US, and as a side effect, the rest of the 'Western' world, has just emerged and shown it true form.

Freedom cannot be taken from you. The only way to lose it is to freely give it up. And that is just what the so-called free people of the world are doing.

This is no less than a call to arms. It is a call to arms, not only in the quest to hunt down those who would use terror against non-combatants, but also for those who would protect freedom by protecting the rights of the barely free peoples of the world. This is the time to fight for your rights - of free speech and expression - of privacy and the expectation thereof - and of other rights that I will not list here individually.

At about noon today, a bomb threat cause Kennedy airport in New York to be evacuated. Information warfare at its best, and terrorism at its apex. The proper response, in my view, is a lot simpler. If we yield to such threats by invoking evacuations, we only harm ourselves and give in to the attackers. It is time to stand less for safety than for freedom. The proper response to a bomb threat is not to evacuate, but to rapidly seek out and arrest the person who made the threat, and to publicly and rapidly sentence them to an appropriate length of jail time. The moment the threat shows up, the perpetrator has given up their rights to privacy and they may be traced. It should not require a judge or anything else - it should be automatic. But until that moment when the threshold is exceeded, their privacy should be guaranteed.

Cry HAVOC indeed! And let slip the rights you have been guaranteed.

About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over-the-Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at or visiting