Is the Internet "Critical Infrastructure"?

Published 29 May 2008

The Internet’s architecture is optimized to be cheap and ubiquitous; such a network is never going to be perfectly secure or reliable; transactions that absolutely have to be done correctly and on time need to be done on a dedicated network.

A new report by security analyst Gadi Evron analyzes the recent Estonian cyber-attacks and makes recommendations about how to deal with such attacks in the future. A blogger for Techdirt writes that while it makes some good suggestions, it also rather dramatically overstates the nature of the threat. For example: “The Estonian authorities need to revise some of their former preconceptions and define the Internet as critical infrastructure, equally strategic to national security as its electricity grid and water supply.” This, the blogger opines, is rather silly. If the water supply is cut off, people can die of thirst or sanitation problems. If the electricity grid fails, it can lead to the death of old people dependent on their air conditioners or medical devices. If the Internet fails, it is a big headache for a lot of people, but it is unlikely to be a life-threatening emergency.

The report points out that some mission-critical activities, including voting and banking, are carried out via the Internet in some places. To the extent that this is true, the lesson of the Estonian attacks is not that the Internet is “critical infrastructure” on par with electricity and water, but that it is stupid to build “critical infrastructure” on top of the public Internet. There is a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea. The Internet’s architecture is optimized to be cheap and ubiquitous; such a network is never going to be perfectly secure or reliable. There are too many botnets, incompetent administrators, and other problems on the Internet — so transactions that absolutely have to be done correctly and on time need to be done on a dedicated network, or at least the people doing them need to have a backup plan in case the Internet has problems.

The blogger writes that Evron’s report takes the opposite approach, essentially concluding that because people do important things on the Internet, the Internet needs to be treated as an essential national security asset. This reaches absurd lengths when Evron writes that because attacks often originate from botnets consisting of compromised personal computers, “personal computers need to be reprioritized and considered as critical infrastructure.” He does not discuss what that means in any detail — maybe they can post soldiers with automatic weapons outside people’s home offices. Evron concedes that “the attacks in Estonia did not hurt critical infrastructure, energy, and transportation,” but nevertheless insists that “an Internet-staged attack on energy could easily disrupt entire supply and distribution chains, prompting severe shortages.” He never elaborates on how that would work, but if he is right, the solution is to do a better job of separating critical infrastructure from the public Internet. Wide-scale cyber-vandalism is a real problem, and it is good to be talking about ways to respond to it more effectively, but we need to keep a sense of perspective. “Launching a distributed denial-of-service attack — even a really big one — is nothing like conventional warfare or a terrorist attack,” the blogger concludes. “Terrorism and warfare lead to massive loss of life and destruction of property. Internet vandalism rarely involves more than a few hours’ inconvenience and lost productivity. That’s certainly something we should try to prevent, but we shouldn’t blow it out of proportion.”