Time for government to get tough

In an extract from his bestselling book, security expert Bruce Schneier calls for legal reform to curb the activities of hackers

At first glance cyberspace is no different from any other piece of our society's infrastructure: fragile and vulnerable. But the nature of the attacks is very different.

Oklahoma bomber Timothy McVeigh had to acquire the knowledge, go to a farm and practise, rent a truck, fill it with explosives, drive to a federal building, set the fuse, and get away. Mass murderer Harold Shipman had to build a medical practice in Greater Manchester and meet his patients. Both criminals had to get close to their targets, put themselves at risk, get in, get away, make mistakes. And they had to know what they were doing.

Cyberspace is different. You can be elsewhere, far away from the site you are attacking. You can have no skill, nothing more than a software package you downloaded from some website somewhere. And you do not even have to put yourself at risk.

An ethical hacker could describe a vulnerability on the internet, a criminal hacker with fewer ethics could write an exploit that demonstrates the vulnerability, and then someone with no skill or ethics could use it to break into computers.

A student could write a worm that infects 10 million computers, and costs £5.5bn in damage, time, and lost productivity. Or maybe there is a website in some badly policed country that includes a Java application: "Click here to bring down the internet".

In the late 19th century, French sociologist Emile Durkheim postulated that anomie - a disregard for accepted social and moral standards - led people to become criminals. You can extend his arguments to the hacker psychology we are seeing now: no one is connected to anyone else, people feel anonymous behind their handles, and there are no repercussions to actions; this leads some people to do anti-social things. The miasma of the internet virtually guarantees it.

Technology alone cannot prevent this, just as it could not prevent McVeigh or Shipman. Both of them were captured, and others were dissuaded, by security processes: detection and response. In the case of Shipman, the detection and response processes were well known, and although he got away with his massacre for decades, forensic techniques figured out what happened, investigative techniques figured out who did it and laws punished the guilty.

There are no technical solutions for this social problem. Laws are vital for security. If someone invented the unpickable door and window lock or the perfect burglar alarm system, no one would turn around and say, "We do not need police or those obsolete breaking and entering laws."

If the history of criminal activity has shown anything, it is the limits of the technology. We need tough and up-to-date laws to prosecute people who engage in electronic commerce fraud, computer trespassing, and theft, or people who write the tools that facilitate these crimes.

We can deploy the best technology we can to prevent them from doing it in the first place. We can deploy the best technology we can to detect their crime after the fact. But we are going to have to rely on guards to catch them and the judicial system to convict them. We can make it as hard as possible for a marketing firm to collect data on people, but we need laws to prosecute the infractions.

In short, we need to ensure that people put themselves at risk when committing crimes in cyberspace.

A revised paperback edition of Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier was published this year by Wiley priced £11.99