Interesting People mailing list archives

Fame, but No Riches, For Cybersecurity


From: Dave Farber <dave () farber net>
Date: Tue, 31 Dec 2002 12:02:54 -0500

I strongly recommend that Ipers read the full set of articles in the
Spectrum on-line, however knowing Ipers I wanted to be sure they had easy
access to my contribution.

Dave

http://www.spectrum.ieee.org/WEBONLY/publicfeature/jan03/compi.html

Fame, but No Riches, For Cybersecurity

It's time for government and industry to put their money where their mouths
are 

By David Farber 

Protecting computers from intrusion or destruction was once the largely
esoteric province of computer scientists, mid-level information technology
(IT) managers, and the occasional policy wonk. Now, suddenly, cybersecurity
is on the lips of senior government officials, high-level corporate
executives, and even casual computer users who hadn't a clue what it was six
months ago. 

There's no mystery why. Scattered terrorist attacks over the past year and a
half have frayed nerves and heightened awareness of vulnerabilities of all
kinds. So when hackers last October attacked the 13 computers that play a
key role in translating domain names (such as www.ieee.org) to numerical
Internet addresses, it made front-page news [see "Took a Licking, Kept on
Ticking," IEEE Spectrum, December, p. 49]. Never mind that the attack was
unsuccessful and had nothing to do with international terrorism.

In the United States that same month, the White House itself issued a
long-awaited report, the "National Strategy to Secure Cyberspace," which,
among other things, proposed a Network Operations Center, a single
data-collection and analysis point for cybersecurity incidents. Meanwhile,
the Markle Foundation (New York City), a communications media and
information-technology think tank, reached almost the opposite conclusion,
arguing in its report, "Freedom in the Information Age," against a
"centralized, 'mainframe' information architecture in Washington, D.C." (The
author was a member of the Markle report's advisory committee.)

The U.S. National Academy of Sciences also weighed in last fall with a
500-page report. Its "Making the Nation Safer: The Role of Science and
Technology in Countering Terrorism" examined "the application of science and
technology for countering terrorism" and prepared research agendas in nine
key areas, including infosecurity.

But amid all the white papers and all the solemn pronouncements, we've seen
little real action, while the sources of cybervulnerability have hardly
changed in years. 

Cybersecurity encompasses most of the domain of computer communications
technology and management. To protect a cyberinfrastructure, you must
protect each building block. For example, it does little good to protect the
computer system hardware and software if untrustworthy operators and
programmers can make compromising changes. Every facet of the infrastructure
must be examined and protected. These include physical locations, computer
hardware, networking, operating systems, applications, and management
practices. 

The one thing that has changed is the ubiquity of the Internet. It is no
longer enough for us to protect individual systems--we're all connected now.
Indeed, if nothing else, the attacks on the World Trade Center made that
abundantly clear. Among other things, the Internet was for some people the
only way to get news immediately afterward. It was also the best way to
contact family and friends in the northeast United States, as the telephone
system overloaded, in part because of the destruction of a key installation
at Ground Zero that handled local and cellular service. Had the Internet
also crashed that day, the communications chaos would have been compounded.

Who pays? 

The Internet belongs to everybody and nobody, making it especially difficult
to secure. The embarrassing truth is that buyers of computer systems have
been unwilling to pay extra for security even for their own systems, and
thus have dispensed with devices that foster trusted, secure environments.
But this attitude is changing. For one thing, a post-9/11 rise in requests
for insurance against cyberfailures has led insurance carriers to ask
questions and adjust rates in the light of security issues. This is an
economic forcing function--if one's insurance rates go down because
demonstrably secure systems are in place, security becomes a money saver
instead of an expense.

Not all secure systems proposals are without controversy. The Trusted
Computer Platform Alliance (TCPA), launched in 1999, by now has been joined
by almost 200 leading hardware and software vendors, whose goal is to create
a foundation for a secure trusted hardware environment for individual
computers and networks. The TCPA is a useful first step, and much of its
work derives from the simple observations that only a secure computer system
can securely host software, and only a secure host can protect and control
the information that flows increasingly through computer systems.

------------------------------------------------------------------------
There is a dramatic disconnect between the problems these institutions face
and their willingness to make an investment in protecting themselves
------------------------------------------------------------------------

A good deal of the controversy stems from some TCPA vendors' support for
digital rights management systems governing the use of digital media such as
books, software, movies, and music, and because of the support that large
media trade groups have given the TCPA. Many believe that such systems will
harm traditional fair uses of copyrighted information, and would spell the
death of open software, in the course of protecting and limiting the use of
certain commercial software products.

So the hazy debate forming about this area ends up sounding like a choice
between no secure computer systems and damage to established copyright
mechanisms and freedom of speech. What we need is a discussion within the
cybersecurity community of how to have both. After all (to once again state
the obvious), without secure systems, it is hard to see how we can really
protect our infrastructure.

  

Size matters 

Even given secure trusted hardware, we still have the problem that our
software systems have grown in size and complexity. No major software
product--especially an operating system--is without problems. Some stem from
sloppy coding practices, but some from nothing more than the enormous size
of these products. Information technology managers may say they care as much
about security as new features, but for years their spending patterns have
said the opposite. The result: ever more options, power, and complexity--and
flaws. 

Systems never have the chance to become even relatively bug free before
being replaced with still more complicated systems with a new set of
critical bugs. Our understanding of software design methodology has
improved--but at nowhere near the pace needed to match the rapid increase in
complexity. 

At the same time, many network administrators have eschewed security
mechanisms for other reasons. When first designed, the Internet was an
extremely complex and novel research effort. To have added comprehensive
security would not only have been difficult, it would have violated the
mores of a group of people who knew and trusted each other. The Internet
protocols evolved with little worry about cyberattacks. As with all complex
systems, it is hard--maybe impossibly hard--to retroactively patch security
into a design that did not initially plan for it.

So the firmament of any new cyberstructure sits, in fact, on muddy ground.
Shore it up in one place, and it sinks in another. We have bandaids to help
with the wound--such as virtual private networks--but they are local solutions
difficult to scale up in size. Meanwhile, research money tends to be
invested in short-term payoffs (more bandaids) rather than in any kind of
fundamental look into long-term re-design. (Mechanisms proposed by the TCPA
for the network may hold promise here.)

Thus the road to a secure computer infrastructure still has lots of
potholes. Perhaps the deepest and widest is the attitude of senior
management in government and industry toward cybersecurity. Often they say
the right words as they scale back the research support and manpower needed
to study the issues involved and start to fix them. Financial institutions,
which are among our most vulnerable, lay off people with security
backgrounds. Computer professionals with excellent skills are walking the
streets with no job prospects. There is a striking disconnect between the
problems these institutions face and their willingness to make an investment
in protecting themselves. Meanwhile, the clock is ticking. The time for
report-writing is past.
------------------------------------------------------------------------

To Probe Further 
The White House's Critical Infrastructure Protection Board has a Web site at
http://www.whitehouse.gov/pcipb. Its report, "A National Strategy to Secure
Cyberspace," is available there.

The Markle Foundation task force report, "Protecting America's Freedom in
the Information Age," is at http://www.markletaskforce.org/

The U.S. National Academy of Sciences' report, "Making the Nation Safer,"
can be ordered at http://www.nap.edu/catalog/10415.html?onpi_newsdoc062402 
