This paper discusses the benefits and risks of home broadband and existing proposals for addressing the security risks, and proposes solutions to improve protection of security and privacy in home broadband. It also draws parallels with internet privacy and highlights the role of user education, industry leadership, and government involvement in addressing these concerns.
“Better Security and Privacy for Home Broadband” • Peter P. Swire • Moritz College of Law, The Ohio State University • Morrison & Foerster LLP • Privacy 2002 Conference • September 26, 2002
Overview • Home broadband benefits and risks • Existing proposals for the security risks • Internet privacy as a useful analogy • A proposal to speed protection of security and privacy in home broadband
I. Home Broadband • Benefits of home broadband • 56 K dial-up not good enough • Slows growth of e-commerce and the economy • Educational and many other desirable apps • Consensus policy goal to encourage home broadband • Similarly, encourage small business broadband
Risks of Home Broadband • “Always on” • Static or near-static IP addresses help attackers • Attackers scan for weak defenses, and can get in before the user signs off • Broadband • Broadband itself makes many attacks easier -- bigger pipe to the home computer • Broadband means that user can do applications and not notice the “overhead” of spyware or non-approved uses
“Wipeout” -- Risks to the Individual User • Many users have no firewall or virus detection • Risk of virus -- lose data or wrecked hardware • Risk of no firewall -- attacker takes control of the home computer • HARD to install today -- often not part of standard installation
“Zombie” -- Risks to Critical Infrastructure • Zombie sites controlled by the attacker • Used to launch distributed denial of service attacks in winter, 2000 • Can be used to disguise source of all cyber-attacks (attack coming from John Smith’s home) • Now installing millions of broadband users, each a potential zombie site
II. Proposed Solutions • Draft Cybersecurity Report, 9/02 • Correctly identifies the risk to critical infrastructure • Recommendation that home broadband users “should consider installing firewall software.” • Recommendation that it is important to update this software regularly
Solution -- User Education • FTC Commissioner Swindle initiative on home computer security • Yes, an essential part of the solution • How to move users up the learning curve? • Car users learn they have to get an oil change -- government doesn’t require them every 3,000 miles • Publicity, education are essential
Solution -- Legislation? • I don’t think so. • Do we know how to write one rule for the diversity of home computer systems? • DSL and Cable • Different sorts of home, small business users • Very hard to write the rules
Legislation (continued) • Should solutions be hardware or software? • What about the liability for ISPs or software vendors? • Would take a long time to work out these complex issues, even if legislation were a desirable outcome • Conclusion -- do not support legislation, at least until we have tried other routes
III. Internet Privacy as an Analogy • Similar structure -- how to make progress on a social concern (privacy, security) while encouraging use of the technology (the Web, broadband) • Similar complexity and fear of legislation • So many kinds of web sites, did not even know what a good privacy policy would look like • Now, so many kinds of broadband -- we don’t know the one best approach
Internet Privacy Comparison • Role of Bully Pulpit • Involvement of Dept. of Commerce Secretary Daley in making the case for better Internet privacy -- praise for industry leaders • Involvement of FTC, including Chairman Pitofsky • The role of public reporting • 1998, survey shows 15% have privacy policies • 2000, survey shows 88% have privacy policies
Internet Privacy Comparison • Why we got progress on Internet Privacy • Public reporting -- pressure not to be a laggard • Leadership by the Administration -- privacy policy was the right thing to do • Credible, often unstated threat, that would have more intrusive government action if industry did not act responsibly
IV. Sketch of a Proposal • Recognize home broadband risks: • Security of home computer (“wipeouts”) • Security of critical infrastructure (“zombies”) • Risk to privacy of home users when attackers get through • Administration leadership on the issue • Praise for industry leaders • Message to industry -- patriotic duty to respond to these important threats
Proposal (continued) • How to create information and surveys about installation of protection • Reporting by ISPs? • Reporting by major software vendors? • Other ways to learn the baseline of having protection and progress over time? • The Federal government should lead by example, be a place to try out solutions
Conclusion • Known, significant cybersecurity and privacy problem of unprotected home broadband • How to get on a path to improvement • Vital now as millions of broadband users come on-line • Without legislation, we can create momentum for much better protection