President Obama’s new approach to cybersecurity is likely more of an Internet game-changer than many appreciate. Initial reporting and commentary have been superficial and have not connected the dots or analyzed the broader logical implications of this new policy emphasis and trajectory.

Why is it a game-changer for the Internet?

  • First, it formalizes a new leading priority for the Internet.
  • Second, it formalizes the lack of cybersecurity as the Internet’s leading problem.
  • Third, it practically redefines what “open Internet” means.
  • Fourth, it practically takes any extreme form of net neutrality off the table.

Moreover, the new cybersecurity focus will likely have a practical effect on the trajectory of Internet 3.0, which embodies:

  • Cloud computing (where security has not been a primary priority for many);
  • The Mobile web (where security has always been a very high priority); and
  • The Internet of Things (where security will be imperative to prevent theft, intrusion, and sabotage).

I. Cybersecurity — New #1 Internet Priority

President Obama said:

  • “This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”
  • “In short, America’s economic prosperity in the 21st century will depend on cybersecurity.” … “It’s about the privacy and economic security of American families.” “…this is also a matter of public safety and national security.”

From the White House Cyberspace Policy Review:

  • “The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security. Consequently, a growing array of state and non-state actors are compromising, stealing, changing, or destroying information and could cause critical disruptions to U.S. systems.”

In short, while security may have been an afterthought or a lower priority for the Internet before, increasingly cybersecurity will be the #1 priority for the Internet/cyberspace going forward. If the Internet/cyberspace is not safe and secure, other Internet priorities/benefits cannot be achieved.

II. Lack of Cybersecurity: the Internet’s Leading Problem

President Obama said: “It’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.” President Obama called cyber-attacks “weapons of mass disruption.”

So why is security/safety such a core problem for the Internet?

  • The Internet’s original co-designer, Vint Cerf, explained the Internet’s inherent security flaw last year:
    • “It’s every man for himself…” “In the end, it seems every machine has to defend itself. The internet was designed that way.”…
    • “The idea of a virtual private network was not part of the original design…” “It was actually an oversight. It didn’t occur to me that it would be useful until afterwards.”

In other words, the inherent security problem with a pure end-to-end IP network architecture (with no reasonable network management of bits) is that every user is architecturally alone, isolated and vulnerable to attack and abuse from any anonymous cyber-attacker anywhere in the world.

  • A serious practical problem in compensating for the Internet’s inherent security flaw is that the vast majority of end users do not have the expertise, time or inclination to fully protect themselves or their devices from the continuous and exploding number of cyber threats. Simply, the phalanx of cyber threats has vastly outpaced any end user’s ability to protect him/herself.

As President Obama said: “The status quo is no longer acceptable — not when there is so much at stake. We can and we must do better.”

In a word, the President has designated cybersecurity as the new #1 Internet/cyberspace problem to solve.

III. Practically Redefines an “Open Internet”

The President’s cybersecurity statements in support of privacy, civil liberties, and net neutrality were widely reported and I include them here.

  • “Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.”

What has not been reported or analyzed is what the rest of the President’s remarks mean on balance for the practical definition of an “Open Internet.” The President also said:

  • “From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority.”

Clearly these competing goals must be balanced, integrated and coordinated.

If cybersecurity is indeed important, it is now fair to assume that an “open Internet” does not practically mean:

  • An unprotected Internet where there is no means of closing or barring against threats or dangers;
  • A lawless Internet that protects offenders at the expense of victims; or
  • An every-person-for-him/herself Internet where end-users are abandoned and alone to defend themselves from cyber-threats.

Moreover, the President’s commitment to public/private partnerships, and to not dictating private standards in tackling the cybersecurity challenge, strongly suggests the Government is not going to force “openness” on the private sector in the form of dictates or mandates.

  • President Obama said:
    • “...we will strengthen the public/private partnerships that are critical to this endeavor. The vast majority of our critical information infrastructure in the United States is owned and operated by the private sector. So let me be very clear: My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.”

Given the President’s above commitment to collaborate with the private sector, it is fair to practically assume the Government won’t be forcing an “open Internet” that:

  • Abandons smart network precautions, prevention, and protections;
  • Invites new dangers, risks and harms; or
  • Prohibits common sense discretion, judgement and reasonable network management to enable rapid and effective responses to, and recovery from, crises, intrusions, infections and outages.

Simply, the dual goals of an “open and free Internet” and a “safe and secure Internet” will require a balanced policy approach and public/private partnership.

IV. Practically Takes Extreme Net Neutrality Off-the-Table

The President’s new emphasis on cybersecurity creates a new and very different policy context for the net neutrality issue to play out.

  • In effect, the emphasis on cybersecurity appears to practically take off the table the extreme net neutrality position of an end-to-end architecture principle where no bit can be interfered with in any way. Let’s analyze why.

In the White House’s 78-page Cyberspace Policy Review, “Assuring a Trusted and Resilient Information and Communications Infrastructure,” “net neutrality” was not mentioned once.

  • However, near the end of long remarks making cybersecurity a new national security priority and mobilizing Federal, State and local governments and the private sector to protect our digital infrastructure, the President devoted one sentence to net neutrality:
    • “I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.”

Given that the President has made cybersecurity the #1 Internet policy priority, and given that the President also said: “… let me be very clear: My Administration will not dictate security standards for private companies,” it is logical that the President’s general support of net neutrality would not involve dictating net neutrality standards/regulations that could limit or handcuff network companies’ ability to protect the nation’s communications infrastructure from cyber-attack.

Moreover, it appears that the scope of “reasonable network management” in the FCC’s Broadband Policy Statement for all practical purposes now involves a new and substantial cybersecurity dimension.

  • Since most cyber-threats/attacks use the Internet to reach their targets or victims, reasonable network management is not the problem, but an essential part of the cyber-security solution.
  • In the new cybersecurity context, the extreme net neutrality position of a pure end-to-end IP network, where any bit interference is assumed to be illegal discrimination, would:
    • Force every end-user and end-device to battle cyber-risks alone; and
    • Prevent network operators from offering consumers and businesses the choice of network management protections from known cyber-threats.
  • Listening to the totality of the President’s approach and remarks on the critical importance of cybersecurity and the need to “strengthen the public/private partnerships that are critical to this endeavor,” it is not logical to assume that the President’s support for the concept of net neutrality would not allow for network operators to contribute to improving cybersecurity.
  • This is especially true because of the critical importance reasonable network management protections can/will play in the future to counter ever expanding and ever more sophisticated cyber attacks.
    • Network operators could more quickly, broadly, efficiently, and effectively address many types of cyber-attacks than relying on end-user patch-work application defenses that are routinely out-of-date for many of the users that use them.
    • And only network operators, not end-users, could address or hope to thwart some of the more sophisticated and severe cyber-attacks that involve rapidly-changing and distributed (P2P) sources of cyber-attack.
  • Simply, the Government’s definition of:
    • “Net neutrality” is unlikely to mean no one but an end user may counter cyber-threats on the Internet; and
    • A “neutral Internet” is unlikely to mean an unprotected Internet where the President’s strong commitment cannot be fulfilled:
      • “We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”

In short, net neutrality is no longer just about the watchwords of net neutrality proponents: “discrimination,” “block,” “degrade,” “impair”; the President has implicitly added new important watchwords to the Internet lexicon: “deter,” “prevent,” “detect,” “defend” and “recover.”

In conclusion, the President’s new approach to cybersecurity is more of a game-changer than many appreciate because it:

  • Formalizes cybersecurity as the Internet’s #1 priority for the first time;
  • Formalizes the lack of cybersecurity as the Internet’s #1 problem for the first time;
  • Redefines an “open Internet” effectively to not prevent reasonable network protections; and
  • Takes the most extreme net neutrality position — a pure end-to-end IP architecture with no bit interference — practically off-the-table of serious consideration.

In a significant blow to U.S. advocates of Government-mandated open access networks — over facilities-based broadband network competition — the European Commission (EC) just declared “no need for State intervention” in geographic zones where there are at least two facilities-based broadband network competitors, because that means “there is no market failure.”

  • The EC made the declaration in its just-released report: “Community Guidelines for the application of State aid rules in relation to rapid deployment of broadband networks.” This is the EC guidance for spending economic stimulus funds for promoting broadband.
    • “2.3.2.2. “Black areas”: no need for State intervention (37) When in a given geographical zone at least two broadband network providers are present and broadband services are provided under competitive conditions (facilities-based competition), there is no market failure. Accordingly, there is very little scope for State intervention to bring further benefits. On the contrary, state support for the funding of the construction of an additional broadband network will, in principle, lead to an unacceptable distortion of competition, and the crowding out of private investors. Accordingly, in the absence of a clearly demonstrated market failure, the Commission will view negatively measures funding the roll-out of an additional broadband infrastructure in a “black zone”.”

This is a highly significant development because proponents of a more Government-directed U.S. broadband policy, which includes mandating net neutrality/open access, routinely cite European policy as a model for the U.S. to emulate.

Far from viewing facilities-based “broadband duopoly” competition as a problem to be fixed, the EC emphatically sides against state support of a third Government-supported broadband network (like the Australian “Fiber Mae” proposal), as an “unacceptable distortion of competition and the crowding out of private investors.”

It is ironic that some in the U.S. are calling for a more European-style state intervention in the broadband industry when the European Commission is declaring its desire to move in the opposite direction — away from state intervention in broadband deployment — in favor of facilities-based competition like the U.S. has achieved in most of the country.

  • “…it must be ensured that State aid does not crowd out market initiative in the broadband sector.” (Para (5))

Put another way, the EC aspires to achieve what the U.S. has already achieved, in that an estimated 80+% of American households have a facilities-based choice of either cable modem or DSL/fiber, and 90+% of American households have access to three or more broadband facilities (including cable modem, DSL, fiber, mobile and satellite broadband technologies).

As this latest EC Broadband Policy report indicates, the Europeans appear to be shifting away from their longstanding policy emphasis on deeply-discounted resale of incumbents on a wholesale open access basis toward trying to better promote facilities-based competition. The core reason for this policy shift is that private investment in super-fast next generation networks (fiber) in Europe has largely stalled because many EC nations’ incumbents see insufficient prospects for a return on wide-scale fiber investment.

In sum, fissures are showing up in the conventional wisdom that European open access resale competition has been more successful than U.S. facilities-based broadband competition.

  • If that conventional wisdom was correct, why would the European Commission be shifting their broadband policy emphasis from promoting open access resale competition to more closely emulating the facilities-based broadband competition success achieved in the U.S.?
  • And if that conventional wisdom was correct, why would the latest OECD data show that “the U.S. is no longer falling behind on broadband?”

What have the Europeans learned from experience that the D.C. conventional wisdom has not?

The latest data from the OECD and other sources indicate that the U.S. is no longer falling behind the rest of the world in broadband.

  • These latest data are relevant to assumptions underlying the FCC’s National Broadband Strategy due to Congress next February and also to broadband policymakers’ interest in more data-driven policymaking.
  • In particular, the OECD broadband rankings have been prominently cited by some as important evidence to justify a reversal of current facilities-based broadband competition policy, in favor of a more government-centered broadband policy.

The latest OECD broadband data were released yesterday and indicate, in several statistics and rankings, that the dynamic/trend of the U.S. falling behind other countries in broadband has changed: at a minimum the trend has stabilized, and most likely it has begun to reverse.

First, on a macro level, the most cited OECD statistic, broadband penetration, has stabilized — the U.S. in 2008 remained 15th in the OECD broadband penetration rankings, the same as in 2007.

  • Note that this is a clear inflection point in the statistical trendline.
    • Per the OECD, the U.S. ranked 8th in 2002, 10th in 2003, 12th in 2004, 14th in 2006, 15th in 2007 and 15th again in 2008.
    • These data suggest something has changed affecting the trend.

Second, the OECD highlighted in the second point of their press release that the U.S. had the seventh strongest per-capita subscriber growth over the year, behind the Slovak Republic, Greece, New Zealand, Norway, Germany and France.

  • This greater-than-average penetration growth suggests a stabilization or reversal of the prior trend.

Third, the OECD highlighted in the fourth point of their press release that the U.S. was the #1 broadband market by size in the OECD with 80 million broadband subscribers, or ~30% of the OECD total.

Fourth, and maybe most importantly, the OECD’s broadband ranking of the U.S. in the higher-bandwidth technologies that are more important to the future and innovation is much higher than the overall 15th position ranking.

  • That is a perfectly understandable divergence because the U.S. facilities-based broadband competition policy has resulted in market forces naturally de-emphasizing one of the oldest and relatively slowest wireline broadband technologies, DSL, in favor of faster cable-coax and fiber technologies.
    • Where 60% of all OECD broadband subscriptions are copper-wire DSL, only 42% of U.S. broadband subscriptions are DSL.
  • When one breaks out the OECD data by lower bandwidth potential technologies vs. higher bandwidth potential technologies, the new story and new trend become clearer.
    • In 2008, the OECD ranking of the U.S. in broadband penetration was 21st for DSL, 8th for technologies other than DSL, cable or fiber, 8th for fiber, and 2nd for cable modems.
    • A reason for the high ranking of cable modem penetration is that the U.S. is the only nation in the OECD with cable broadband deployment to ~95% of potential households. This also means that the U.S. is the only country in the OECD with nationwide facilities-based competition for stationary broadband.

Fifth, the latest data from other sources confirm that the U.S. is reversing the broadband ranking trend decline.

  • On Fiber: Per IDATE, a European research firm in February 2009:
    • In fiber to the home deployments, “Europe is still lagging the U.S. and Japan.”
    • Per IDATE’s data and Verizon’s, one U.S. company, Verizon, may have deployed more fiber to the home than all of Europe by the end of 2008.
  • On Cable: DOCSIS 3.0 technology, which now enables 50-100+ Mbs of speed for roughly $100 a home upgrade, is being rapidly deployed in the U.S.
    • Pike and Fischer estimates that “U.S. cable operators will have deployed DOCSIS 3.0 to 99% of homes passed by 2013.” … “Comcast, for example, plans to complete the deployment of DOCSIS 3.0 across its entire footprint by the end of 2010, estimated to be 50.3m homes.”
    • DSL Prime estimates that 60+% of U.S. homes will have DOCSIS deployed by 2010.
  • On Wireless Broadband:
    • The growth of broadband wireless smartphones almost doubled from 12% of handset sales at the end of 2007, to 23% of all U.S. handset sales at the end of 2008, led by AT&T’s iPhone, per NPD Group research.
    • According to ComScore, there were over 74m 3G wireless users in the U.S. in January 2009 — that total number is close to the 80m total number of stationary broadband subscribers per the OECD. Moreover, CTIA surveys indicate that ~80% of U.S. wireless consumers have web-capable phones.
      • This is important because the major U.S. wireless broadband carriers, (Verizon, AT&T, Sprint and T-Mobile) are all in the process of upgrading their national networks with faster 4G/LTE speeds in the next few years.
      • And at the same time, Clearwire is building yet another nationwide wireless broadband network using WiMax technology in the next few years.
    • Recent data submitted to the FCC by the CTIA showed that the U.S. wireless market is among the most competitive wireless markets in the world, with some of the heaviest wireless use anywhere in the world.
    • All these data suggest that the U.S. wireless broadband market is among the leaders in the OECD and is on a path to rapidly increase wireless broadband speeds nationwide in the next few years.

In short, the latest data suggest that the previous trend — that the U.S. was falling behind the rest of the world in broadband — has changed.

  • The latest data also suggest that the U.S. is rapidly deploying a variety of super-fast wireline broadband technologies and faster wireless broadband technologies — more quickly than most other OECD countries.

Addendum: Additional studies also indicate the U.S. is not falling behind the rest of the world in competitiveness:

No less than seven independent studies conclude that America is at, or near the top, in worldwide competitiveness in the converging sector of Internet, broadband, communications, and information technology.

  1. World Economic Forum: Global Information Technology Report – 2008-2009: Ranks the U.S. third in “Networked Readiness” — up one place in the world rankings from last year.
  2. ITU – 2009: The U.S. has the most affordable broadband in the world.
  3. University of Calgary – 2009: The U.S. ranks #1 in the world in their “Connectivity Scorecard.”
  4. IMD Swiss Business School – 2008: The U.S. ranked #1 in the world for the 14th year in a row in the 2008 World Competitiveness Yearbook.
  5. World Economic Forum – 2008: The U.S. ranked #1 in competitiveness in its 2008-2009 Competitiveness Report.
  6. Economist Intelligence Unit: The U.S. was ranked tied for second in the world in “e-readiness” per their latest rankings.
  7. Nielsen – 2008: The U.S. ranked #1 of 16 countries surveyed in mobile Internet penetration.

New evidence continues to spotlight the Open Internet’s growing security problem.

  • The growing catalogue of evidence from mainstream sources is getting harder and harder to ignore. See previous parts of the series: I, II, III, IV, V, VI, VII, VIII, IX, & X.

“Hackers get into UC Berkeley Health Records Database” FoxNews.com

  • “University of California, Berkeley, officials said Friday that hackers infiltrated restricted computer databases, putting at risk the personal information of 160,000 current and former students, alumni and others.” …
  • “Evidence uncovered to date suggests that this attack was launched by highly skilled criminal operations based overseas,” the school said.

“Cyber Threats to Health IT, Smart Grid All Too Real” Internet News

  • “As a sobering side note on this, last month in collaboration with one of the members of Conficker Working Group from Georgia Tech, we identified at least 300 critical medical devices from a single manufacturer … that were infected with Conficker,” Joffe said. “The hospitals had no idea. The manufacturer had no idea. When we called them they were honestly shocked.” … “They should never have been connected to the Internet,” Joffe said.

“Cyber-squatting crooks profit on marketers’ brand names” USA Today

  • “Shady marketers are using so-called cybersquatting to do their digital stealing. They drive people to a “squatted” site via e-mails or through paid search. Once they’ve led someone there, they hope to steal credit card information, spur clicks on ads to skim revenue from online ad networks or sell fake products, such as pharmaceuticals or pricey handbags.” … “We’re at a point in which marketers need a wake-up call in what’s happening to their brand…”

“Zombie computers on the rise” BBC

  • “The massive expansion of these botnets provides cyber-criminals with the infrastructure they need to flood the web with malware,” said Jeff Green, senior vice-president of McAfee. … “Essentially, this is cyber-crime enablement.”

“The downside of friends; Facebook’s hacking problem” Time

  • “In the ’90s, scammers used e-mail,” says Michael Argast, a security analyst at Sophos, an antivirus software company. “Today, it’s social networking.” Argast explains that although people have been trained not to click on suspicious e-mails, they don’t operate with the same sense of caution when presented with a link on Facebook or Twitter. Maybe that’s why the number of phishing attacks on these kinds of sites — in which people are fishing for account information, as opposed to infecting your computer with a virus — has skyrocketed recently, from 4,600 attacks in 2007 to 11,000 in 2008. This year doesn’t look any better, with 6,400 attacks in the first three months of 2009.”

“Government networks still have weak links” Government Computer News

  • “In the absence of robust security programs, agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions and privacy breaches, underscoring the need for improved security practices,” testified Gregory Wilshusen, director of information security issues at the Government Accountability Office.

“Hackers demand ransom for medical data” vnunet

  • “Hackers have taken control of the Virginia Prescription Monitoring Program (PMP), and are demanding a $10m (£6.6m) ransom for the return of millions of patient records.”

“Image spam returns with a vengeance” Computer World

  • “The return of image spam could be the first resurrection of other once-popular tactics, she warned. “We may see others come back,” Stewart said, and ticked off MP3 spam — mail that replaced text with an audio clip — and PDF-based spam. Both were popular in 2006 and 2007 for junk stock pushers. Of the discarded tactics, Stewart selected PDF spam as the one most likely to reappear. …rigged PDFs exploiting Adobe bugs have been on a tear of late.”

“Facebook users hooked in new ‘phishing’ scam” AFP

  • “Facebook did not say how many of the 200 million users of the social network had been affected in the latest hacker attack. An unknown number of Facebook users received a message on Thursday from a friend’s account urging them to visit websites such as ‘151.im.’” “The sites were realistic-looking replicas of the social network’s log-in page but were actually controlled by the hackers. The bogus page would capture password information when a user logged in.”

After attending FreePress’ “Changing Media Summit” yesterday in D.C., I have some more questions for FreePress, in addition to the ones I asked earlier upon the release of their new report.

  • How can Government deploy broadband better, faster and cheaper to most Americans than the current trajectory of private sector facilities-based competition, investment and deployment?
  • How would reversing current broadband policy accelerate broadband progress in the short-term to aid the economic recovery?
  • How would FreePress implement their recommendations in practice?
  • What effect would implementing FreePress’ recommendations have on current broadband investment and deployment?