Five Questions: The Heartbleed bug and the future of cybersecurity
Earlier this month, a Google employee discovered a major Internet security bug that came to be known as Heartbleed. The bug exposed Web servers for popular sites such as Yahoo and Facebook to vulnerabilities that allowed theft of the servers’ private keys — the data websites rely on to decrypt sensitive information, including users’ passwords, and banking and health information. “Some might argue that it is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet,” wrote Forbes cybersecurity columnist Joseph Steinberg.
Chris Bronk, fellow in information technology policy and director of the Program on Energy and Cybersecurity at the institute’s Center for Energy Studies, offered his insights on Heartbleed and the future of cybersecurity for our “Five Questions” feature. The series aims to shed light on current events, institute research and policy issues by tapping into a vast store of knowledge at the Baker Institute: our 55 fellows and scholars.
1. How did the Heartbleed bug affect users? Did most people overreact or underreact to the problem?
The Heartbleed discovery — that the underlying function of the OpenSSL encryption software libraries was fundamentally broken going back to 2012 — impacts almost anyone who uses “HTTPS” sessions on the Internet to send mail, access social media or engage in transactions. Reaction to the bug has been mixed, but generally speaking the best reaction for those tech firms employing OpenSSL was to get it fixed quickly. The best bet for Internet users was simply to change their passwords.
2. What kind of information can Heartbleed uncover?
Heartbleed allows an attacker to call for lots of data from an affected server. Any unpatched OpenSSL device can be compromised and made to divulge large quantities of information. For instance, the Heartbleed bug lets an attacker grab a lot of information employed to authorize access to systems. That information can then be used to access other systems if the usernames and passwords are recycled, which they often are.
3. What are the implications of Heartbleed for U.S. cybersecurity policy?
Heartbleed is yet another indicator that the underlying infrastructure of the Internet and cyberspace is incredibly compromised. Societal trust in our capacity to employ the Internet — the global digital communications backbone — is thus eroded to a degree. Heartbleed will challenge the idea that open-source software is best for the Internet ecosystem. An open-source project is only as good as the programmers participating in it, and with the case of OpenSSL, there just wasn’t a large number of programmers participating in the project. Heartbleed happened because a small group of clever programmers failed to catch a mistake. Now that the tech industry has recognized the issue, resources are flowing to OpenSSL.
4. As more of our personal information is stored online, do you anticipate greater threats to cybersecurity in the future?
Ten years ago, bank robbers in the U.S. [physically] stole roughly $70 million in cash and other loot. Last year that number was half as large. Where are things headed? Online, of course. Cybercrime is lucrative, relatively easy, and the chances of getting caught remain low.
5. What steps can Internet users take to safeguard their information from bugs like Heartbleed?
On this one, there was very little users were able to do. This was a structural problem, not a narrow hack. Something very important was fundamentally broken. I think we’ve reached the point where we probably need to start talking about liability in software and — dare I say it — some form of deeper regulation with regard to cybersecurity.
Internet users need to be vigilant and become acquainted with practices like two-factor authentication, in which a username and password are coupled with a token, like a number generated via a text message to a cell phone. Additionally, keeping systems (computers, phones, tablets, etc.) up to date and avoiding clicking on links to things too good to be true are good basic practices to adopt.
To learn more about Heartbleed and cybersecurity, read Bronk’s recent Forbes blog “What Heartbleed Means for Critical Infrastructure.”
Women's rights after the Arab Spring
The Baker Institute’s Women and Human Rights in the Middle East Program recently hosted its inaugural International Conference on Gender and Human Rights in the Middle East, focusing on the status of women after the Arab Spring. The conference brought together leading experts to discuss topics that affect Arab women’s lives, such as domestic violence, employment and Islamic law. As Marwa Shalaby, director of the Women and Human Rights in the Middle East Program, observed in her opening remarks, “Women’s engagement at all levels of society is a prerequisite for stability and growth in the region in the coming years, and must be a priority for policymakers within and outside the region.”
Through social media, blogging and protests, Arab women took part in the Arab Spring movement on an unprecedented scale — but they have fared better in some countries than others, Valentine Moghadam, professor and director of the International Affairs Program at Northeastern University, noted in her keynote address. For example, Tunisia — which already had a vocal women’s rights movement before the Arab Spring — passed a law requiring equal numbers of women and men as electoral candidates, while Egypt actually scrapped a previous gender quota law requiring reserved seats for women. Moghadam also highlighted the importance of civil society — especially women’s rights organizations — in shaping newly democratic countries that provide a greater voice to women.
Panel discussions explored topics such as Islamic law and gender equality, women’s political and economic empowerment, and societal change after the Arab Spring. The speakers examined ways to advance women’s rights in the Middle East, from legislative reform to encouraging social movements.
Though women in the Middle East still face numerous barriers and setbacks, conference speakers emphasized the importance of women’s participation in the economic, political and social spheres — and provided valuable insight into how the future of Arab women has changed, and continues to change.
To find out more about the conference, watch Moghadam’s keynote address and the panel discussions on the Baker Institute website.
Research and News
For a complete list, visit our research library.
- What Heartbleed Means for Critical Infrastructure, by Chris Bronk, fellow in information technology policy. April 23
- Voting Histories Could Count in Runoffs, by Mark Jones, fellow in political science. April 22
- Don't Overestimate Iran-Oman Embrace, by Kristian Coates Ulrichsen, fellow for Kuwait. April 22
- New Biotechnology Patent Guidelines Needed, by Kirstin Matthews, fellow in science and technology policy, and Maude Rowland Cuchiara, scholar for science and technology policy. April 22
- The New HHS Secretary and America's Neglected Infections of Poverty, by Peter Hotez, fellow in disease and poverty. April 18
- Vigilantism in Mexico: A New Phase in Mexico's Security Crisis, by Gary Hale, nonresident fellow for the Mexico Center. April 18
- U.S. Energy Security and the Weakening of U.S.-Saudi Ties, by Jim Krane, Wallace S. Wilson Fellow in Energy Studies. April 16
- Rebooting Trade Between the Gulf States and China, by Kristian Coates Ulrichsen, fellow for Kuwait. April 16
Rice University's Baker Institute is a nonpartisan public policy think tank located in Houston, Texas. The institute's distinguished fellows and scholars conduct research and collaborate with experts from academia, government, the media, business and private organizations on domestic and foreign policy issues with the goal of bridging the gap between the theory and practice of public policy.