There is a Japanese proverb, “kaigai no kaji,” which, roughly
translated, means “a fire on the opposite riverbank” and is more freely
translated as “it’s not my problem.” This idea is one that, while pragmatic at
times, is often responsible for long-lasting security issues that never seem to
get better. After all, why should we fix a problem if it doesn’t impact us? It
is this poor attitude that Clifford Stoll fights against in his experiences
detailed in The Cuckoo’s Egg and, in a larger sense, the roadblock that
internet security so often runs up against. However, ethics dictates
that security issues not be ignored. This issue can be viewed in three areas:
those who truly don’t see the need to fix a problem, those who want to provide
a solution but can’t, and those who feel responsible and will, essentially,
“put out the fire.”
Cliff Stoll spends more than a year of his life trying to track
the hacker who had caused a 75 cent accounting error in the system he was in
charge of monitoring. It is fair to say that all of his efforts were something
that could have been written off early on, but the initial issue was in a real
sense “his problem.” On the other end of this spectrum are those people and
groups that have no desire or interest in getting involved. Stoll’s first
several attempts to get help from the FBI were met with a resounding “No”
(Stoll, 35). The perceived loss was too small and the effort required to fix it
would be too large, a common excuse for leaving security threats open and not
addressing or fixing them. This disinterested attitude was also held by several
of the agencies Stoll called to warn and by many from which he tried to get
help. Sadly, this is the sentiment many internet users succumb to today. Why
bother solving a problem that is in somebody else’s system? Why fix a problem
if nobody will find it or reward me if I do? Many users would rather exploit
such issues than fix them, acting much like the hacker in Stoll’s story. Lack
of interest or acknowledgement is a troubling obstacle.
More vexing for the proactive problem solver is getting stuck in a
situation where another person or group wants to help, but can’t. In terms of
internet security, this is likely the largest obstacle where most issues and
solutions get stopped. Stoll first hits this wall when he tries to get a phone
trace, but is missing the warrant to do so (36). It is not that the agencies
don’t want to help him, but rather that they are legally unable to do so. Indeed,
internet legal policies and privacy rights are a fickle field, miring many in
their idiosyncrasies. Sometimes there simply are no practical means to solve
the problem at hand. Perhaps this is because the tools don’t exist, or maybe
nobody knows how to start fixing the bugs and backdoors in a program. Most
frustrating are cases where the users of a system don’t want to make things
less convenient for themselves, and so system managers must stand back and hope
for the best, à la Stanford’s approach (94). If it were possible, these problems
would be solved and fixed speedily. However, outside factors cause the status
quo to remain, despite any glaring weaknesses to the system they present.
Yet there is hope when people like Stoll are on the job. He spent
many sleepless nights and invested time and effort creating systems, tools, and
traps to solve his security problem (209). His persistence and discoveries were
a result of his unwillingness to let go of the problem or say it wasn’t his to
fix. This is the realm of internet security where hackers find problems, trace
and test them, and then warn those responsible so they are fixed. Here, not
only do the developers feel responsible, but the users make them responsible.
Stoll was only able to get the big players involved when they realized the
threat and felt a need to act (168). Similarly, many companies only work to fix
security issues after a breach or loss of data. It is preferable to have responsible,
security-minded coders involved early on so such issues are found in the design
phase of development and never reach the internet proper. Basically, it is
better to fix a security threat before it ever exists, and that only happens
when people feel responsible and act accordingly.
Disinterest, inability, and responsibility are the three mindsets
that hinder or help internet security. Clifford Stoll was fortunate to have a
personality and attitude which allowed him to take responsibility for the error
found on his watch, overcome the technological and legal roadblocks, and
motivate those who were uninterested in helping him solve his problem. Because
of his efforts, a minor problem that was caused by a major threat was properly
found and many security issues were fixed along the way. As the world becomes
more dependent on the internet for business and everyday life, it is important to
learn from The Cuckoo’s Egg and take responsibility for finding and
fixing the myriad issues that may arise. Security and privacy will only become
more important as networks grow, so diligence, too, must increase. Even though
the fire may be burning on the other side of an ocean instead of just a river,
putting it out is still the most ethical thing to do.
Stoll, Clifford. The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage. New York: Doubleday, 1989. Print.