Fred Schneider '75 urges America to guard its cyber frontier
Fred Schneider '75 urges America to guard its cyber frontier
Computer science professor Fred Schneider '75 serves on the Department of Commerce Information Security and Privacy Advisory Board and co-chairs Microsoft's external advisory board on trustworthy computing. In June, he testified about the need for increased cyber-security before a House subcommittee on science and technology.
Cornell Alumni Magazine: How serious is the cybersecurity threat in America?
Fred Schneider: Today, it's not a crisis—it's a nuisance. For some people it's a big nuisance. If you have your identity stolen, you're looking at many hours and a lot of heartache trying to restore your credit-worthiness. But in about a decade, we will move to a world in which life and limb are at stake.
CAM: How so?
FS: The U.S. is increasingly dependent on networked computers for our day-to-day lives—the financial and transportation systems, the power grid, gas pipelines. But the systems are much too big for us to really understand, and systems we don't understand are likely to have vulnerabilities. So we're more and more dependent on systems that will fall victim to attacks.
CAM: How could lives be at stake?
FS: Attackers could cause planes or trains to crash. Taking out traffic lights may cause accidents. Taking out communications may make it difficult for the police to react. Turning off power has collateral effects. It may cause hospital patients to die—and the way the grid works, there aren't extra components sitting around, so if an attack causes a generator to burn out, capacity may be gone for six months to a year. If the financial system is destabilized, it could have a big effect on peoples' lives. For example, if an attacker can make it look like the economy is tanking during a national election, it might cause the incumbent to lose support. So there are means of changing the world order with these attacks.
CAM: How much—or how little—are we as a society being watchful about these threats?
FS: As a society, not at all. The federal government has recently become proactive. The Obama Administration undertook a big public study and has claimed it's going to hire a White House official in this area. There's legislation pending in both the House and Senate on making systems more secure. But getting those policies in place is going to take a long time, and it's not clear that our society is going to go for it.
CAM: Why not?
FS: Systems are not going to become more secure unless we spend money—and somebody's going to have to pay. Either software producers spend more money and charge higher prices, or the government spends money and our taxes go up. And we're trading off these investments against feeding the poor, dealing with health insurance, and all the other national priorities. So we need to think about whether we can afford to make these investments. It's a tough problem. But that's what we'll be up against if we want to create systems that are as trustworthy as we'll need them to be if we continue to computerize our lives.
CAM: If we're not being vigilant, what are we doing?
FS: Generally it's a cat-and-mouse, attacker-defender game. An analogy is how we deal with disease. To some extent we're reactionary: if you get sick, you take medication. But we're also proactive: when you were young, you got vaccinated. We didn't force you to be vaccinated, but you weren't allowed to go to school if you weren't; you had an incentive to get vaccinated and it ensured a kind of herd immunity. But beyond these proactive measures, we spend money on basic medical research. In cybersecurity, we're not creating the foundation of basic research so we can be proactive. You can't ever win a reactionary game because you're always lagging behind the attacker.
CAM: How often in our day-to-day lives do cyber attacks occur?
FS: All the time, everywhere. "Cyber attacker" is a broad term; it encompasses both a maladjusted teenager and a nation-state actor. How often are nation-states attacking each other? I don't know of any public discussion of that, and I suspect it's the type of thing that governments would try to keep secret. How often are banks or military bases being compromised, either by nation-states, terrorists, or random hackers? Well, those are not only attractive targets but they have a real incentive not to alert people when they've been attacked.
CAM: How much is the average PC under siege?
FS: As soon as you plug into the network, somebody will attack it within minutes and attempt to load a "bot"—software that's controlled by somebody else—onto your PC. If you're running an up-to-date version of the operating system, chances are good that the attack will be repelled. There are armies of bot-nets; I have heard estimates that there are nets on the order of a million processors. And this is a business model: these machines are harnessed to send spam. Also, they could steal files—for example, your bank account number. Some monitor what you're typing to recover passwords. That is pretty widespread, and it's a grave concern.
CAM: How can users protect themselves?
FS: There's the analogy of practicing safe sex: being careful about visiting websites. The way to know what site you're visiting is not necessarily to look at what's displayed in your browser but at the URL— make sure it's the right URL as opposed to one for a site out of Mongolia that doesn't have a branch of your bank. Make sure you have your operating system updated. Don't give out your password just because somebody asks for it. And be careful about unsolicited e-mails. You shouldn't open attachments unless you trust the sender.
CAM: What other ways is information stolen?
FS: Nowadays, you can access the Internet easily via wi-fi. And that's great, but I'd suggest you not do banking over wi-fi because somebody could be monitoring your communications and figure out your account number and PIN.
CAM: What about downloads like ring-tones or games?
FS: If you know you're dealing with a bona fide business, that's fine. But downloads could bring dangerous things onto your machine. On the other hand, if you're running an anti-virus program and you're good about periodically scanning the machine, some of that will be detected.
CAM: What symptoms might hint that your computer is infected?
FS: You used to be able to suspect an infection if your machine was running slowly or if you were hearing the disk being accessed but weren't actually doing anything. But operating systems have become more sophisticated, so they do lots of work in the background, and when you hear your machine running you won't know if it's a bot-net doing damage or one of the legitimate background activities. It's not a bad idea to turn off your machine every night—but I agree that it's a pain to re-boot it in the morning.
CAM: What about hackers who invade systems for the fun of it?
FS: It's analogous to painting graffiti on the subways. What's interesting is they don't usually cause much damage, and if the way they did it is discovered then they're doing us a favor by exposing vulnerabilities. On the other hand, it's fairly disconcerting that our systems are not strong enough to rebuff that sort of attack. And people who violate the law just for the heck of it—that's a funny culture.
— Beth Saulnier