Legislation Alone Is not Sufficient to Ban Spam

Dr. Eugene Spafford
Dr. Eugene Spafford

What do you think are the biggest security threats facing enterprises?

Spafford: If we define threats as those actors that might exploit vulnerabilities to compromise assets, then the biggest threats are probably dishonest insiders and external criminal enterprises. The insiders may be interested in fraud and/or theft of services, while the outside criminals have a number of motives based on available resources – theft of identity information, extortion, theft of service are three common ones, but simple random acts of vandalism, viruses for example, are also a threat.

What do you think is the first thing CIOs and their staff need to do to begin to secure their companies?

Spafford: Understand the nature and scope of their information assets. They cannot erect appropriate defenses unless they know the full extent and placement of those assets. This knowledge needs to take into account the criticality and value of those assets, and their exposure.

Are you worried that cyber security and cyber crime aren’t taken serious enough by governments around the world?

Spafford: Yes, I am. Governments need to increase their efforts, both individually and collectively, to investigate and prosecute computer crime. —-There needs to be more support given to research and application in this realm, of course. Consider that the Department of Homeland Security’s budget request for Calendar Year 2005 was $ 1.069 billion. However, only 1.67 percent of that was for cyber security. That is one obvious measure that government is not taking the issue seriously!

There needs to be more support given to the actual investigation and prosecution of cyber crime. Consider that despite over 100,000 viruses and worms released over the last 20 years, and despite all the attacks and damage, only about 10 authors have ever been identified and prosecuted. In part, this is because of a lack of resources, training, and government support.
Governments should use their roles as large customers – and their responsibilities as custodians of public data – to set good examples by demanding high-quality, high-security products, and by purchasing those products rather than purchasing lowest-cost, weak systems. Government should establish formal job categories for cyber security specialists working in various agencies, set some minimum standards for those positions, and compensate them reasonably.
They also need to do a better job of holding vendors and ISPs to some reasonable standards of performance to protect the public good. For example, ISPs need to filter or shut down client machines that are being used in spam or Distributed Denial of Service attacks, or else be held liable. Examples for ISPs would be to:

  • block outgoing traffic that has faked IP source addresses
  • disconnect clients shown to be sending spam
  • disconnect clients running machines with known vulnerabilities

Vendors should perhaps have some liability for providing software that is shipped without security controls turned on by default, or that include vulnerabilities that are in classes of flaws known for decades, for example buffer overflows. Lots of these are coming from “zombie” machines – home users and small businesses where the machines are installed and used without any knowledge of security and without the application of patches.
The best solution is to ship those machines without flaws. The second best is to require the vendors and ISPs to provide scanning and patching for those machines so as to reduce the risk to the rest of the community. Having the vendors and ISPs blame the end users is akin to blaming drivers for having faulty brakes in their cars, or for auto thefts at the rest stops on the highway.

Some experts including Bill Gates believe that spam can be eradicated in a couple of years. What are your thoughts?

Spafford: I think it can be reduced with some effort, but I do not see how it can be eliminated without also eliminating e-mail, or radically changing the way we run the Internet. Spam is, in part, subjective – what is spam to one person may be a great idea to another. Thus, there will always be some people who actually want some of it!

The biggest problem with spam right now is that the spammers refuse to abide by some procedure that will let users opt out of getting it. The fraud used in sending spam – both deceptive titles and hijack of machines – compounds the problem. If we can cut down on the fraudulent use of servers, and impose some really strong authentication on the advertisements that remain, then perhaps we can control spam … but it is doubtful we will be able to eliminate it completely in only a few years.
This problem is so large and complex, it was named as one of the CRA Grand Challenges. Those four challenges are:

  • Eliminate epidemic-style attacks – worms, viruses, spam, phishing and denial of service attacks.
  • Discover how to design and build large-scale, distributed computing systems that must be highly reliable even in the face of probable attack. Examples include medical health records, law enforcement databases, and financial system computing.
  • Develop quantitative cyber risk measurement techniques to a point at least the equal of current quantitative financial risk measurement techniques. This will allow us to compare security solutions, measure risk appropriately, and invest the right amounts into protection of our cyber assets.
  • Develop mechanisms to allow computing users to set their own levels of data protection and privacy in understandable, repeatable, and reliable manners. Thus, we want each person to be able to interact with systems in a way that allows them to choose how much information to entrust to the systems, and at what level to protect it. Those interfaces should be understandable and simple to use.

Do you think that spam can be legislated away and have you any thoughts on how that could work?

Spafford: No, legislation alone is not sufficient. However, it could help – if enforced. First, there would need to be a penalty against spammers that was actively applied. This would mean active investigation to find the spammers and prosecute them. Second, there would need to be a substantial penalty against those who support the spammers – the merchants whose goods are advertised in the spam and who pay, directly or indirectly, the spam producers. Third, we would need some kinds of penalties against the users and ISPs whose machines are used to send spam.

Should software companies do more to make their products secure?

Spafford: Yes. They are in the best position to produce safer, more easily configured and controlled, and secure software. As an example, the automotive industry doesn’t depend on after-market vendors to install airbags and roll bars. Many people believe the lack of meaningful liability suits against vendors exacerbates this problem – with little competition based on quality of product, some vendors have had no inventive to make their products more secure.

You are on record as saying that when it comes, for example, to worms we have not learned from the past. What do you mean?

Spafford: We learned 15, 20, 30 years ago that we needed to be careful how we programmed, that we should limit network services, and that we should diversify our environment. The same programming and design errors are being made today, systems are shipped with too many services enabled, and we have developed more of a vulnerable monoculture than we had back then. This is not learning from the past.I did an invited paper on this topic for the 2003 ACSAC conference. Basically the paper points out that it was – at the time of writing – 15 years since the first known Internet worm … and little has been learned since then. Systems are deployed with inexcusable flaws, networks are configured with misplaced trust, and incident response is uncoordinated and of minimal effectiveness.

As a member of the President’s Information Technology Advisory Committee, what is its thinking as regards computer security?

Spafford: I cannot speak officially for the committee at this time. A preliminary version of our report is available online, however. See http://www.itrd.gov/pitac and look at the materials for the Nov 19th session. Our preliminary findings are that government has an important role to play in cyber security and has largely failed to fulfill that role.

I believe you are a part-time senior advisor at National Science Foundation on cyber security and cyber crime programs. What does that entail?

Spafford: I was. I spent the year from October 2003 to October 2004 there. I helped advise the people there who were setting up programs in security research, including the Cyber Trust program, about the scope of the field. I spent some time talking to various program managers about cyber security education needs, and about the cross-disciplinary nature of the education and research issues. I worked on some special projects for the Assistant Director of CISE relating to security. I provided some advice in-house to the CIO. And I spent a lot of time as an interface to people at other Federal agencies and external groups, explaining about NSF thrusts and concerns, and seeking their input and cooperation with NSF.

One time a group of computing users and experts from around the world gathered for three days to discuss problems in cyber security and privacy. As a group, we tried to come up with a short list of major problems that are really important to solve, will not have a single point solution, and will undoubtedly require considerable effort to solve.
Furthermore, we chose problems that are not purely the domain of computer scientists and engineers, and which we are unsure can be completely solved in 10 years – if ever. However, the problems chosen are important enough that even some progress and partial solutions could have a far-ranging effect on society and technology.