Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

1/28/2011
01:43 PM
Rob Enderle
Rob Enderle
Commentary
50%
50%

Internet 'Kill' Switch: Balancing Security And Freedom

Why it's important to have controls in place before deploying such a powerful tool

Security and freedom often seem at cross purposes, and that hasn't been any clearer this week than in Egypt where virtually all public communications have been cut off in an attempt to quell an internal uprising. There are good reasons to have an Internet "kill switch" -- reasons that are security-related and have nothing to do with sustaining government control, like stopping the spread of a particularly nasty virus until a remedy can be discovered. Even in the case of an attack either internally by a minority or externally by a foreign power, eliminating services like the Internet or GPS could save lives and protect the legitimate government. But if the tools were misused to protect an illegitimate government or to directly harm the people, then it would be a bad thing.

The question being asked is whether a tool that can be used powerfully for good or evil should be allowed to exist. If the answer is no, then virtually all tools -- from hammers to nuclear energy -- should be eliminated. This suggests the focus on the tool is foolish; the focus should be in on the protections surrounding tools.

This speaks to arguments pro and con about gun purchase and even the exploration of alternative energy sources. But particularly with security tools, which mostly all have a dark side, controls should be in place before they are allowed -- not the other way around. With the Internet kill switch, a discussion of whether there should or should not be one is moot. The benefits of having one are simply too great against what is clearly an increasing risk. However, if the discussion is to have merit, then it needs to change to the protections over such a switch to make sure it isn't used as it was in Iran -- and maybe in Egypt -- against the people it was envisioned to protect.

But this isn't easy because excessive control would likely eliminate its usefulness in its intended purpose, while inadequate controls won't provide the necessary protection. This suggests that the final decision to use such a tool should reside outside of elected government and with a small number of people who would not benefit personally from the misuse of the tool, couldn't be bribed or coerced to act improperly, but could still act quickly enough to stop a real threat. Such an entity might have to be created because existing law enforcement doesn't have the needed independence. While the Supreme Court in the U.S. fits many of the requirements, even that wouldn't likely be able to act quickly enough. The formation of such a group should precede any deployment of tool with this much power.

Security tools often have the ability to both provide great protection and to do great harm. An Internet kill switch is no different, so before it is deployed, controls need to be placed over its use that still make it effective but prevent abuse.

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23371
PUBLISHED: 2021-04-12
This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces.
CVE-2020-24285
PUBLISHED: 2021-04-12
INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.
CVE-2021-29379
PUBLISHED: 2021-04-12
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover pa...
CVE-2015-20001
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
CVE-2020-36317
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...