Tufts students packed into the Alumnae Lounge on Friday night to attend a panel discussion titled "Cyber Security: Policy, Science, and Ethics" hosted by the Tufts Democrats.
The panel, the Tufts Democrats' annual Issues of the Future 2011 lecture, featured Susan Landau, a visiting scholar in computer science at Harvard University specializing in cyber security, Ben Mazzotta, a postdoctoral fellow at The Fletcher School of Law and Diplomacy, and Alva Couch, an associate professor of computer science at Tufts.
"We were really pleased with the turnout," Tufts Democrats President Catey Boyle, a junior, said. "I don't think we've ever had that many people at one of our symposium events." Boyle estimated that the event had over 100 attendees.
The issue of cyber security, which received media attention after the 2010 Stuxnet worm attack on Iran's nuclear facilities in Natanz, has continued to challenge policymakers in recent years and is important in both the domestic and foreign domain, Boyle said.
"It's a great topic because cyber security is such a vast, unknown topic and it's not really talked about," she said.
The panelists discussed recent cyber attacks such as the Stuxnet attack, Gh0stNet, which was a 2009 cyber−spying operation allegedly carried out by China that targeted foreign ministries, government offices and embassies, and the 2007 Russian cyber attacks on Estonia that flooded government ministries' servers, including those of the Estonian Parliament.
Landau explained that cyber attacks usually take the form of Distributed Denial of Service (DDoS) attacks, which use a large number of computers to overwhelm the servers of a target.
The computers used in DDoS attacks, referred to as botnets, are typically owned by users who are never aware that their computers are being used, making it difficult to track down perpetrators of the attack, she said.
In the 2007 attack on Estonia, most of the computers used in the attack were located in the United States, Landau added.
Mazzotta explained that after a cyber attack, victims are typically reluctant to relay information to the public about the attack for fear of exposing security weaknesses in their systems.
"No one who has been attacked wants to talk about the attack or what lead it to take place," he said. "It's really hard to figure out what happened and why."
Mazzotta highlighted the difficulties of addressing cyber security from a defense policy perspective, noting that policymakers in Washington currently have more questions than answers.
"We're still talking basic definitions: Who's involved in these attacks? Is cooperation possible? What qualifies as a cyber attack? Who has jurisdiction? What is cyberspace? How do we assess risks to businesses? The government? The military? How do we mitigate those risks?" he said. "Cyber security is a really hard policy problem."
Mazzotta said that although the past three U.S. administrations attempted to tackle cyber security issues, little progress has been made.
"Policymakers have been looking for information since the '90s, and there's been little progress [on cyber security] since the 2000s," he said.
He cited President Bill Clinton's 1998 Presidential Decision Directive 63, President George W. Bush's 2003 National Strategy to Secure Cyberspace and President Barack Obama's 2009 Cyberspace Policy Review, which created a "cyber czar" under the National Security Council and the Exchange Commission.
Mazzotta added that because no norms in the international realm currently exist that address cyber security, using cyber weapons as a form of warfare or statecraft could set a dangerous precedent.
"Should [the United States] develop malicious code? Who has the authority to deploy it?" he asked.
Landau added that cyber crime has also been used to steal information from governments, noting that the United States directly accused Russia and China of cyber theft in a recent report.
She added that while large scale cyber attacks targeting Supervisory Control and Data Acquisition systems such as power grids, stock exchanges and nuclear facilities like the one in Natanz pose a significant threat, the most dangerous long−term security risk cyber crime poses is theft of intellectual property.
"I'm making an argument for more cyber security, because alongside that comes privacy," she said. "Security and privacy are not opposed."
