1. Better Security and Privacy for Home Broadband Peter P. Swire Moritz College of Law The Ohio State University Morrison & Foerster LLP Privacy 2002 Conference September 26, 2002

2. Overview n Home broadband benefits and risks n Existing proposals for the security risks n Internet privacy as a useful analogy n A proposal to speed protection of security and privacy in home broadband

3. I. Home Broadband n Benefits of home broadband – 56 K dial-up not good enough – Slows growth of e-commerce and the economy – Educational and many other desirable aps – Consensus policy goal to encourage home broadband – Similarly, encourage small business broadband

4. Risks of Home Broadband n Always on – Static or near-static IP addresses help attackers – Attackers scan for weak defenses, and can get in before the user signs off n Broadband – Broadband itself makes many attacks easier -- bigger pipe to the home computer – Broadband means that user can do applications and not notice the overhead of spyware or non-approved uses

5. Wipeout -- Risks to the Individual User n Many users have no firewall or virus detection n Risk of virus -- lose data or wrecked hardware n Risk of no firewall -- attacker takes control of the home computer n HARD to install today -- often not part of standard installation

6. Zombie -- Risks to Critical Infrastructure n Zombie sites controlled by the attacker – Used to launch distributed denial of service attacks in winter, 2000 – Can be used to disguise source of all cyber- attacks (attack coming from John Smiths home) n Now installing millions of broadband users, each a potential zombie site

7. II. Proposed Solutions n Draft Cybersecurity Report, 9/02 – Correctly identifies the risk to critical infrastructure – Recommendation that home broadband users should consider installing firewall software. – Recommendation that it is important to update this software regularly

8. Solution -- User Education n FTC Commission Swindle initiative on home computer security n Yes, an essential part of the solution – How to move users up the learning curve? – Car users learn they have to get an oil change -- government doesnt require them every 3,000 miles n Publicity, education are essential

9. Solution -- Legislation? n I dont think so. n Do we know how to write one rule for the diversity of home computer systems? – DSL and Cable – Different sorts of home, small business users – Very hard to write the rules

10. Legislation (continued) n Should solutions be hardware or software? n What about the liability for ISPs or software vendors? n Would take a long time to work out these complex issues, even if legislation were a desirable outcome n Conclusion -- do not support legislation, at least until we have tried other routes

11. III. Internet Privacy as an Analogy n Similar structure -- how make progress on a social concern (privacy, security) while encouraging use of the technology (the Web, broadband) n Similar complexity and fear of legislation – So many kinds of web sites, did not even know what a good privacy policy would look like – Now, so many kinds of broadband -- we dont know the one best approach

12. Internet Privacy Comparison n Role of Bully Pulpit – Involvement of Dept. of Commerce Secretary Daley in making the case for better Internet privacy -- praise for industry leaders – Involvement of FTC, including Chairman Pitofsky n The role of public reporting – 1998, survey shows 15% have privacy policies – 2000, survey shows 88% have privacy policies

13. Internet PrivacyComparison n Why we got progress on Internet Privacy – Public reporting -- pressure not to be a laggard – Leadership by the Administration -- privacy policy was the right thing to do – Credible, often unstated threat, that would have more intrusive government action if industry did not act responsibly

14. IV. Sketch of a Proposal n Recognize home broadband risks: – Security of home computer (wipeouts) – Security of critical infrastructure (zombies) – Risk to privacy of home users when attackers get through n Administration leadership on the issue – Praise for industry leaders – Message to industry -- patriotic duty to respond to these important threats

15. Proposal (continued) n How to create information and surveys about installation of protection – Reporting by ISPs? – Reporting by major software vendors? – Other ways to learn the baseline of having protection and progress over time? n The Federal government should lead by example, be a place to try out solutions

16. Conclusion n Known, significant cybersecurity and privacy problem of unprotected home broadband n How to get on a path to improvement n Vital now as millions of broadband users - come on-line n Without legislation, we can create momentum for much better protection