“The government has to protect users from themselves”

At the Alpbach Technology Forum, Ernst Piller and Johann Haag presented a package of measures that they feel would be capable of making the Internet a safer place. futurezone spoke with the two network security experts about their proposals, the NSA and government control on the Internet.

How much have you dealt with the PRISM scandal?
Piller: I don’t understand the hype about the NSA. They aren’t the real danger on the Internet. I can download almost anything, conduct sabotage on the Internet and spy on companies today. Companies are especially at risk of losing sensitive data. It’s not companies from the USA that spy on small Austrian companies, it’s more likely competitors from home that could obtain a direct competitive advantage from the information, for example how much a company is bidding for a contract. Companies are more interesting targets for espionage activities. This makes what happens locally much more interesting than the escapades of the NSA, but the intelligence agency story sells better.

How can companies and private individuals protect their data?
Piller: The bad thing is that there are now many tools on the Internet that allow attacks. And too little is provided for defense. We need a secure Internet. But this would require legal and technical measures. Like for cars, where there are laws and technology that provide for safety. On the Internet, companies and private individuals should not assume that they will not be attacked. Extensive protective measures such as cryptography tools are available on the market.

Haag: But the lawmakers also have to do their part. We can draw parallels to road traffic here, as well. The number of accidents rose considerably before corresponding minimum requirements and regulations were introduced. Drivers risk their lives without laws, even though they are aware of the danger. The same is true on the Internet. The government has to protect users from themselves and introduce legal requirements.

Isn’t it already too late for that?
Piller: Yes, we are 20 years too late. But it’s like with the economic crisis. The rules were much too loose, until everything crashed. This is also going to happen on the Internet. I don’t know what the catastrophe will be exactly, but something is going to happen, and then lawmakers will react. With the spread of smartphones, which are considerably less secure than computers, the big crash will come in no more than five to ten years. Until then, all we can do is offer solutions that allow individuals to move about the Internet safely. But these tools will not be used at a large scale until they are required by law.

What measures do you recommend?
Piller: We especially need strict rules for companies. It must be possible to uniquely identify users on the Internet. The Internet should remain anonymous for private individuals. That is important, as we recently saw in Iran and North Africa. On the other hand, it must be possible to uniquely and reliably identify companies. Thirteen years ago, the government granted digital signatures the same status as an actual signature. All companies should be required to use such signatures. Like in road traffic, where seatbelts alone were not enough; we also needed a law requiring their use.

What else can the lawmaker regulate?
Piller: A big problem is how easy it is to distribute unsafe software. Anyone can write a program for smartphones and offer it as a download to millions of people.

Haag: Right now, only the end customer decides on the quality of the software. But security requires monitoring and certificates. And we need a qualified, independent agency for that. Otherwise, only the manufacturers are responsible, and all they do is meet customer demand for attractive, simple apps. The manufacturers don’t care whether or not their software poses a security risk. We of course can’t do this overnight, but we should start changing the way we think about this. Manufacturers also bear responsibility. When Microsoft finds a vulnerability, the first question should be why it was not caught in the first place. Toasters also have to be tested and certified before they are offered for sale.

But then the manufacturers would have to reveal their proprietary code. Why should they do this?
Piller: A lot of things are confidential in our economy today. But things are still inspected, it can work. The risk associated with security vulnerabilities is also rising. Today, we would have no drinking water without computer systems. At present, IT certification is mostly limited to the healthcare industry, when it is completed at all.

But certifying all software would be a herculean task, especially with the speed at which new software is being developed. How would that work?
Piller: It would be nice if everything were certified, but we have to start small. We would be a good bit farther if even just sensitive software were certified. A restaurant guide app for Vienna is not the issue.

What other proposals do you have?
Piller: The question of liability must be clarified. We need an Internet police that ensures liability across all borders. But this also depends on the reliable identification of companies. When conducting transactions on the Internet, users must have access to legal recourse when the agreement is not fulfilled. This is only possible when you know who you are dealing with. We need laws for this. This must also apply to programmers of software that is sold over the net, such as apps. Here, it could help if software from other countries where there is no legal security were prohibited.

How would you do this?
Piller: The Internet needs limits. As in the real world, the networks of the individual countries, or of the EU, for example, should be marked. When data is coming from another country, users should be warned. This should also apply to private users. This could prevent spam from Africa from infiltrating a system. The browsers could always tell the user when data is coming from a different country. But this would require international standards, and reliable identification.

That sounds like you are saying that all Internet threats come from outside of Austria.
Piller: Of course there are also people with malicious intent in Austria, but I can seek redress relatively easily when they cause me damage. If our ideas were implemented, it would be possible to reliably identify the source of malware and then sue that person or organization. If identification is not possible, the browser would have to recognize the content as dangerous.

Haag: And the browsers themselves would have to be certified, of course. They are the input method of the future, and are already used as a replacement for many programs, such as office applications. But the many plug-ins create numerous vulnerabilities. This is slowly improving thanks to new technologies such as HTML5, but that is not enough. The manufacturers of browsers must be made liable for their products. Then, they would be more interested in creating a secure overall package, and would put the makers of plug-ins under pressure. The makers of plug-ins should also be liable for security flaws.

How can we get browser makers to do that?
Piller: Legal standards and certifications would have to be introduced.

Under your proposals, government influence on the net would rise considerably.
Piller: A free and anonymous net is very good, but the system does not regulate itself in a positive way in all instances. The market is failing. We need a few crashes, like the NSA scandal – which came as no surprise to insiders – to bring about a change in the way we view this issue. In that sense, the current media hype is a good thing. Politicians will do nothing about IT security on their own.

But in light of the revelations about the NSA, many people do not want the government to have too much control over the Internet. But that would be necessary for implementing your rules. Do you see any chance of your proposals being adopted right now?
Haag: The governments should pass suitable laws and regulations, and not monitor content on the net.

How do you want to make sure that the government does not abuse its power?
Piller: We have to be careful here. Information is the crude oil of our time, and is of course highly coveted. It is extremely valuable. But in a democratic country, one can expect that the government will guarantee security without abusing its power.

But that doesn’t seem to be the case.
Piller: I don’t think that government influence is a major problem if it means that we get a more secure Internet. Suitable security measures, which are possible even today, have to be capable of preventing sabotage and spying on the Internet, whether on a national level or by the NSA.

What can users do themselves?
Piller: The Internet itself has a built-in security mechanism in the form of https, for example. All you have to do is use it. And digital signatures, cryptography and other measures offer many additional possibilities.

Is the encryption really secure?
Piller: There are methods and key lengths that cannot be cracked with a reasonable amount of effort. But the software has to be certified so that artificial loopholes don’t reduce the level of security.

Also not by the NSA?
Piller: The publicly developed and widespread AES method is virtually uncrackable. I think that better people are working in the worldwide community that is behind this system than work for the US intelligence services. Back doors would have been discovered a long time ago.

Doesn’t encryption make communication too complicated?
Piller: That is a problem. Both sides always need keys. And even with an encrypted system, data is sent to the screen in plain text.

How much risk is involved with saving data in the cloud?
Piller: Anyone who has a secure computer at home is better off saving their data there.

Haag: Especially “free” services like Dropbox are a risk. They also have to earn money. And when the user doesn’t pay anything, he – or his data – are usually the goods being sold. Vacation pictures may not be a problem for many, but I would not save a job application letter there. Google analyzes everything, including everything in its cloud.

Are there any initiatives at the government level to implement your proposals?
Piller: Little is being done in this direction in Austria right now.

Haag: Austria can accomplish little by itself in this area anyway. A lot more has already been done in Germany than here. Austria usually evaluates German initiatives, and then follows suit in many cases.

Piller: We are in middle field in terms of net regulation. But we are moving towards more control. In England, for example, the demand is more for an open net. But we have to start exerting more pressure, and something might happen at the EU level in a few years. For Austria as a neutral and economically very strong country, this would be an opportunity to be at the forefront. But we need someone to bring fresh wind into the discussions. A Sebastian Kurz for IT, regardless of what party he belongs to.

About our guests

Ernst Piller and Johann Haag

Ernst Piller is the director of the Institute for IT Security Research at the St. Pölten University of Applied Sciences. Among other things, he works with electronic facial recognition and the identification of malware.

Johann Haag is the director of the degree programs for IT Security and Information Security at the St. Pölten University of Applied Sciences. He works above all on concepts for Internet security.