Internet security is much in the news. At a retail level, consumers are concerned primarily with identity theft and invasion of privacy. At the nation-state level, consumers are concerned with damage inflicted by a sovereign adversary. Both are troublesome, but they call for different protections and responses.
While still better than nothing, retail antivirus software offers diminished effectiveness. McAfee, Norton and others seem unable to keep pace with some hacker exploits and they seem less effective against some attack styles – such as those relying on Java.
Some of the consumer-level challenges come via Java. Oracle, a respected software firm, acquired Java when it bought Sun Microsystems. While Oracle has been hurrying to plug vulnerabilities in Java’s Runtime Engine, it seems outpaced by hackers. Defense and intelligence agencies will not allow Java or other easy targets on their computers, but many popular applications that are Java-based are still in use by individuals and businesses. Convicted hackers should fulfill a mandatory full restitution obligation.
The Java language is popular with application developers because the Java Runtime Engine allows Java to run in diverse computer environments – achieving “platform independence,” saving costs and reducing “time to market.” The Java language is not insecure per se. It is the Java Runtime Engine that interprets Java commands into those compatible with different platforms. That is where the insecurity arises.
At least 25 nation-states use surveillance software called “FinSpy” that can “grab images off computer screens, record Skype chats, turn on cameras and microphones and log keystrokes.” This supports legitimate police work, suppression of dissent, and intelligence collection. Tools even more sinister are custom-developed in about a dozen countries with cyber warrior agencies. Training cyber warriors is far less costly than nuclear weapons development, and they are durable – not just single-use like suicide bombers.
Sovereign cyberattacks are a fact of life for American intelligence agencies. Attacks on critical infrastructure are a serious threat to civilian lives and our economy – in other words, terrorism. While we might defend against attacks, the attacks will continue until we make the cost to the attacker far higher than the benefit of attack. In effect, we need a response that’s the cyber equivalent of an accurately aimed drone strike. Tough talk may earn camera time, but it will protect no one. International rules are just a striped-pants conceit unless they are backed by credible force. This topic will remain unsettled for years.
Alan Daley is a retired businessman who lives in Florida and who follows public policy issues from a consumer’s perspective.