Professor of computer science John Savage recently returned to campus after a year working on Internet security issues as a Jefferson Science Fellow at the U.S. State Department. We asked him how the experience affected his thinking about cybersecurity.
BAM How worried should we be about a cyber attack on the United States?SAVAGE I don't believe that other nations would find it in their interest to cripple our computer systems because we're too interdependent economically. But would terrorists want to do it if they could? I think the answer is yes.
BAM How easy would it be?
SAVAGE In most situations, it's not. The financial system seems to be very well protected. But if you look at the electrical power grid in the United States, there have been published reports that say it's not at all safe. And there is a portion of our electrical grid that, if you take it down, it will take down the entire system.
BAM Is there anything that can be done?
SAVAGE We have to change the culture. Right now, when you and I acquire software from a vendor, the software vendor makes us sign a contract that says, "Hey, it's your problem now. We're not responsible for this software crashing, being penetrated, or anything else." That has to change, in my opinion.
BAM Why?
SAVAGE The people who can make the software secure are the people who write the code. I, as a user, can't make it more secure. I am at the mercy of the vendor or of some intruder.
BAM Any other ideas?
SAVAGE My own personal view is that we should be talking about whether you need a license to go on the Internet. We have our automobiles inspected once a year, why shouldn't we have our computers inspected to make sure they're secure?
BAM Can we ever really hope to be 100 percent secure?
SAVAGE When I started my study of this, I thought there might be a silver bullet. Now I've decided there is none.