The popularity of the Internet quickly led to cyber attacks. We realized the danger and developed our defenses, largely based on variations of a firewall. It does not work, and never did; in fact, it has been mathematically proven that any firewall can be penetrated; furthermore, any firewall can be penetrated in an unlimited number of ways. In the high-tech world, if something does not work within three to four years in the mainstream, it’s dead. Remarkably, we have been clinging to the firewall regardless for a quarter of a century. Why? We did not come up with an alternative.
Instead, we engaged in a series of four nontechnical solutions:
- Defense by marketing
- Defense by politics
- Defense by deterrence
- Defense by semantics
Defense by marketing. Marketers of numerous firewall manufacturers did wonderful job. “Firewall” sounds solid and reassuring. Actually, “fig leaf” protection is a far more accurate description of the firewall technology. No matter, we kept manufacturing, selling, and buying firewalls, happily using the electronic version of the proverbial king’s clothing.
Defense by politics. As technical measures did not work, we started the second phase. We tried to contemplate legal obstacles to cyber attacks, both domestically and abroad, by pressuring other countries to “crack down” on cyber criminals. This approach was quickly proved largely ineffective and quietly stopped. The latest attempt to revive this approach was made at a London conference for cyber security at the end of October 2011, and it was promptly rejected by most participants, notably the British.
Defense by deterrence. Some politicians and generals fighting the traditional “last war” have tried to resurrect the Cold War approach of strategic deterrence. This is a spectacularly misguided effort. During the Cold War, we knew exactly who the offender would be, and the threat of swift retaliation would follow. In cyberspace this is not valid. We can sometimes, but not always, discover who the offender is. However, we can never be certain. In fact, often we don’t even know there even is an offender because we often cannot detect an attack that has already succeeded.
Furthermore, there is a wide range of a potential deterrence measures. At one end of the spectrum, a mother’s notion of not giving a new bike for a guy’s fifteenth birthday is deterrent enough. At the other end, for an al Qaeda terrorist, a potential death penalty would not be deterrence but a badge of honor. Who are we supposed to deter and how? Luckily, the idea of defense by deterrence was sent back to happy retirement.
Defense by semantics. Under pressure of the facts, in the last few years it has become possible to say, off the record, that the firewall concept does not work. This was progress—at least it was a late triumph for free speech. So the second nontechnical solution tried, incidentally usually performed by technical “experts,” was defense by semantics. A large number of new terms and acronyms flooded the market, and we came to a point where computer security lingo became an alien foreign language that everybody speaks but nobody understands. However, the facts were still pressing, and the danger has become too obvious to ignore.