Q&A: Threats to the US critical communications infrastructure
by Mirko Zorz - Tuesday, 14 October 2008.
What can be done to mitigate these threats?

Let’s examine each medium:

Radio Frequency – to date, the deterrent to the compromise of the RF communications infrastructure is based solely on the law and legal enforcement as interference is detected. Government agencies, via methods of triangulation, determine locations of interference and act as necessary to address the source. If someone were not concerned with the legal repercussions, it would be virtually impossible to prevent deliberate interference.

Telecommunications – again, as with all of these mediums, we have the law and its enforcement as a significant deterrent. The only truly viable means to mitigate a DOS or DDOS attack on the telecommunications infrastructure is to build private telecom networks. Many exist and have existed for years. However, it should be noted that much of the private telecommunications traffic has moved to transit over the public Internet. This presents an Achilles' heel which could be exploited.

Internet – the Internet by its very nature and design is a network of trust, largely only regulated by each participant’s common sense. In some ways it is similar to a large road and highway infrastructure, but with no police or legal authority to enforce common sense.

Typically, problems are only “noticed” when it is too late and the impact of the problem is felt by multiple people. The current protocols in use on the Internet offer neither explicit nor implicit security. If we begin to layer on new protocols and allow the old protocols to persist, we leave ourselves open to nearly all of the problems of the older protocols. In response to the problems, a significant step would be to disallow the old protocols. However, this would be very painful. Potentially a new Internet could be deployed which addresses these inherent issues and only allows peering with compliant participants.


What is the biggest challenge in protecting sensitive information at the government level?

At a basic level, information should be encrypted in both its stored and transmitted states. However, while decryption is rather difficult, it is not impossible and can be easily achieved. The simplest vector for breaking encryption is that of social engineering - convincing another person to give up access to confidential information. If the information in question is being accessed over anything that touches the Internet, that information is fundamentally less secure than information not passing over the Internet. Several high-profile news reports have shown that people can misplace laptops containing large amounts of sensitive data, or backup tapes can be lost or misplaced. Data in its non-encrypted state is not protected at all. Further, when computers in the wild (taken home, or used outside of strictly controlled conditions) are used to access encrypted data, the same data is also in the wild and subject to compromise. Encryption is only as effective as the lack of persistence the perpetrator has. If you have the time, you can break most encryption schemes.

What do you think about the full disclosure of vulnerabilities?

First let’s think about this from a different angle… let’s say that a consumer product is discovered to have a shortcoming - for example - a child’s toy has small parts which could come off and cause choking. We would all want to be informed of this issue so that we can protect ourselves and children. Full disclosure is just that – letting the people who are depending on the technology know its flaws so that they can avoid the potential danger.

Going back to the child’s toy example, if some unscrupulous person continues to sell the questionable toys and doesn’t comply with the recall, they are potentially exploiting the buyer. We mostly operate by buyer beware, but when was the last time you checked if there were any recalls on the toys your children play with? The major difference here is the agent involved in exploiting the problem.

Copyright 1998-2013 by Help Net Security.