Perspective: Home isn't where security is

In 1944, the U.S. government kicked off the Smokey Bear campaign to teach citizens how carelessness with smoldering matches could set off raging forest fires.

Now the government is making another call to arms--this time to defend cyberspace from intruders. The most recent draft of the Bush administration's "National Strategy to Secure Cyberspace" plan calls for users of the Internet to secure their own part of the worldwide network.

Like the Smokey Bear campaign, this call to arms focuses on ordinary people doing their part to put out the small fires before they can turn into something big. It's an argument that resonates with computer industry executives like Symantec CEO John Thompson, who argues that a Smokey-like campaign could indeed help raise the awareness of citizens and convince them to use firewalls and antivirus products to protect their systems--product lines coincidentally supplied by Symantec.

But while such a campaign would obviously do wonders for Symantec's quarterly profit statement, relying on home computer users for national security just won't work. The simple reason is that home users are (at best) unreliable.

Some still call tech support wondering why they can't connect to the Internet because they didn't know to plug the computer into the wall. Others continue to blithely click on e-mail attachments, oblivious to the torrents of media coverage about how this often leads to the spread of computer viruses. One home user fell victim to an e-mail scam, sending $2.1 million of her company's money to an account in the Cayman Islands. (The FBI arrested her for embezzling funds.)

The experts are guilty of wrongheaded thinking in relying upon home users to shore up the nation's security. Frankly, that's somebody else's job. Home users are responsible for protecting their own important data. But it's a dangerous illusion to believe they will take better precautions after authorities ask them to upgrade their cyberdefenses.

The experts are guilty of wrongheaded thinking in relying upon home users to shore up the nation's security.

Two months ago, several security companies came under attack from hackers armed with denial-of-service attack tools. Hundreds of computers--most of them home PCs with broadband hookups--were ordered to flood the companies' connections to the Internet with data. During this kind of deluge, even professional security firms have trouble keeping their connections unclogged.

"It is getting worse," said a consultant at one of the affected companies who asked not to be identified. "It is absolutely getting worse."

There's a lesson to be learned. The National Strategy plan makes no bones about suggesting that each company secure its employees. It should also require each Internet service provider to protect cyberspace from home users.

There are simple technologies for doing this. Source egress filtering--a technique for preventing users from sending data with a false source address, useful in denial-of-service attacks--should be the norm. Companies filter e-mail messages for any viruses and disallow several types of executable attachments; ISPs (Internet service providers) should do the same.

Dorothy Denning, a computer science professor at Georgetown University and security expert, says the most likely outcome will be for home users to find themselves picking up the tab. "Once you start formalizing where we are going to put liability, the questions start coming up (about) who's going to pay for it," she says. "And, almost anywhere you put it, the costs are going to end up coming back to the users."

Another unfair tax arrangement? Maybe. But would you feel better relying on folks who still think e-mails from deposed Nigerian princes are the real deal? I wouldn't.