Vint Cerf, widely known as a “Father of the Internet,” told a recent gathering of the Maryland Cybersecurity Council in Annapolis that the war for cyber security is being lost and the government must enforce greater security measures and create liability for bad computer software.
The Maryland Cybersecurity Council consists of legislators, members of federal agencies and other experts, and is chaired by Maryland Attorney General Brian Frosh. University of Maryland University College provides support staff to the council.
The Council works with the National Institute of Standards and Technology, other federal agencies, businesses and private cyber security experts to review and conduct risk assessments and to determine which local infrastructure sectors are at the greatest risk of cyber attacks and need the most enhanced cyber security measures.
Safety, privacy and security are not all the same thing, Cerf emphasized in his remarks to the Council. Everyone involved with the Internet—including users—is responsible for achieving all three conditions.
Cerf, who is Google’s chief Internet evangelist, said that one of the reasons the Internet is wonderful is that it connects everything, and one of the bad things about the Internet is that everything is connected.
“I can’t think of anything more critical to our future than figuring out how we secure ourselves in this online cyberspace environment,” he added.
The average Internet user must accept that while certain security practices will be inconvenient for them” they are also essential to keeping them safe on the network, Cerf said.
Legislators may also need to pass regulations to deal with people who refuse to act responsibly, said Cerf, who compared these regulations to those that govern the use of seatbelts while driving or restrict where people can smoke.
There is also a need to impose liability on Internet service-providers, equipment builders and software writers to force them to take more seriously their role in protecting against hackers.
“It’s time to tell them, you need to shoulder the burden for the quality of the software that you write,” he said.
But even after 70 years of trying, no one is able to write bug-free software, Cerf said. And the Internet has made writing software more difficult because programmers cannot conceive of where their software will end up, and they lack the necessary tools to tell them when they have made a mistake.
Cloud computing is helping to solve this problem, he said. Instead of having software distributed to untold numbers of desktops, laptops and handhelds, it is all concentrated in one place where it can be watched for bugs and updated. Any time a program seems to be deviating from a normal range, technicians can jump in to find out why.
Cerf proposed a “cyber fire department” that would help individuals and businesses—especially small businesses—that do not have the capability of responding to a cyber attack.
While restrictions on access to computer systems must be made stronger, he said, they also have to be made easier to implement. Otherwise people won’t use them, making the entire Internet more vulnerable to attack.
Providing security and international understandings on a national level is crucial to avoiding World War III, Cerf said. If a country believes it is under attack from another country, it must be sure where the attack is coming from. A counterattack against the wrong country could easily escalate out of control.
Another complication in cybersecurity is the explosive growth in the “Internet of things,” he said. “When we started doing this work 40 years ago, it didn’t occur to us that picture frames and refrigerators would be part of the Internet. But here we are.”
If there are a couple of hundred items in a house that have Internet connections, and if we know that all programs have bugs in them, then how can we protect and monitor all of those devices, he asked.
Said Cerf, “the headline I worry about is, ‘100,000 refrigerators attack Bank of America.’”