Let's start with the Heartbleed bug.
Since the announcement of Heartbleed last week, everyone has been paying attention to security vulnerabilities - a typically niche technical subject. Most internet users are, rightfully, concerned. What can they can do to protect themselves in the short term? What can Internet providers and government agencies do to help protect them in the long run? In a series of posts, I will identify and discuss the technology and policy issues involved in this important question: how can we keep the Internet secure and protect user privacy?
Last week, we found out that there is a vulnerability in the encryption code that enables about 70% of the Internet's secure connections. This story gained some traction in popular news reporting, but there wasn't much to tell without delving into a decade-long series of legal and technical conversations between lawyers, policymakers, technologist, cryptographers, engineers, and politicians. In a brief interview for Reuters, I was asked to advise consumers on how best to protect themselves from loopholes in crypto. But that's an impossible question to answer right now. Not only because there is almost nothing that individuals can do to guard against Open SSL vulnerabilities (although that is true), but also because I could not propose a solution to a problem that no one has diagnosed.
The Heartbleed bug is a flaw in Open SSL encryption that allows hackers to steal data silently and without a trace. This is obviously a problem unto itself, and it was diagnosed brilliantly by Antti Karjalainen, Riku Hietamäki, and Matti Kamunen of Codenomicon, as well as Neel Mehta of Google. But it is also a symptom of a much larger problem: a failure of both private sector companies and government agencies to protect some of our most important critical infrastructure - core Internet security protocols. This is a complex issue that relates to recent debates over cyber warfare and the role of the U.S. defense agencies in information assurance, national security, the market for security vulnerabilities, and encryption standards.
Recent debates about "cybersecurity" circle endlessly around these themes. Who is responsible for protecting Internet security? Can it be the NSA, an agency that notoriously devotes copious resources to cracking code and breaking crypto? Can the U.S. regulate so-called "bug bounties," in which the government pays independent coders to locate zero-day vulnerabilities? Is the private sector obligated to inform the government if "zero-day" security vulnerabilities are found? And, if so, which agency is responsible for informing the public -the NSA, tasked with "information assurance," or DHS, tasked with protecting "critical infrastructure?" The brightest minds have so far been talking around and past each other in an effort to unify all these conversations into the legal and technical panacea that would prevent future Heartbleeds. The questions are too weighty to tackle all at once, but too interconnected to answer individually.
My goal in this series of blog posts is to pull apart the threads of these interconnected conversations. I would like to examine each issue in turn, in the hopes that by looking at each element of the precipitate, we may find the key to the solution. In my next post, I plan to discuss "critical infrastructure:" what we mean when we say it, who is tasked with protecting it, whether (and if so, how) it includes the Internet, and whether in the context of critical infrastructure, "the Internet" includes the protection of cryptographic protocols.