The Cybersecurity Mess
Outline of Talk
Cybersecurity is a Wicked Problem that can't be solved
In fact, attempts to solve it make it worse.
Today's systems are less secure than those of the 1970s
- Computers are more complex — more places to attack them.
- There are multiple ways around each defense.
- It’s easier to attack systems than defend them.
- It’s easier to break things than to ﬁx them.
Consider last week's headlines from Info Sec News
- [ISN] March 19: IRS Employee Took Home Data on 20,000 Workers at Agency
- [ISN] March 14 Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter (secrets stolen in Operation Byzantine Hades, circa 2007)
- [ISN] March 13, 2014: Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It (Businessweek; Target had deployed FireEye, the outsourced security firm in Bangalore noticed the malware, contacted Target's security team in Minneapolis, and nothing was done. Quotes Verizon Enterprise Solutions study that finds companies discover breaches through monitoring 31% of the time, but retailers only 5%.)
- [ISN] March 14, 2014: China’s Hackers to Target U.S. Entertainment Industry, Security Firm Warns (FireEye warns US film and entertainment that they will come under attack from Chinese hackers)
- [ISN] March 13, 2014: For EC-Council, Mum's the word
- [ISN] March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds (36 Apple busses pass Kevin Poulsen's home each day)
- Meanwhile, on March 19th SC Magazine reported Unpatched servers still enabling exploitation of two-year-old PHP vulnerability
- Most attention is focused on technical issues:
- Malware and anti-viruses
- Access Controls, Authentication, Encryption & Quantum Computing
- Supply chain issues
- Non-technical issues are at the heart of the cybersecurity mess.
- Education & career paths
- Manufacturing policy
We would do better if we wanted to do better.
- High-capacity portable storage
- Fully connected networks.
- Multiple networks & bridging
Cybersecurity is expensive
- Global cybersecurity spending: $60 billion in 2011 (Cyber Security M&A, pwc, 2011)
- Bloomberg Government Study, "The Price of Cybersecurity: Big Investments, Small Improvements" (2012)
- 172 Fortune 500 companies surveyed
- Spending $5.3 billion per year on cybersecurity, stopped 69% of attacks
- Raising spending to $10.2 billion would stop 84% of the attacks
- Raising spending to $46.67 billion would stop 95% of attacks, the "highest attainable level."
- 95% is not good enough.
Cybersecurity is undefined
We don't have a good definition of cybersecurity
- "Preventing computers from being hacked"
- Using “network security” to secure desktops & servers
There is no way to measure cybersecurity
- Which OS is more secure?
- Which computer is more secure?
- Is “open source” more secure?
We do know one thing about cybersecurity...
- Spending more money does not make computers more secure.
Cybersecurity research does not make computers more secure
- “Reducing successful hacks” creates too big a target.
- Targets include data, apps, OS, network, human operators, hiring process, supply chain, family members, ...
- Security research creates better attacks.
- The environment is less secure:
- Increased interconnectedness
- Computers in more positions of trust
- Attacks today do more damage than attacks in the 1990s.
The more we learn about securing computers, the better we get at attacking them
Cybersecurity is an insider problem
- bad actors
- good people with bad instructions
- remote access
If we can stop insiders, we can secure cyberspace... But we can’t stop insiders.
Cybersecurity is a “network security” problem.
We can’t secure the hosts, so secure the network!
- Isolated networks for critical functions.
- Stand-alone hosts for most important functions.
But strong crypto limits visibility into network traffic, and... ... ... stuxnet shows that there are no isolated hosts.
Every computer is connected to every other computer on the planet.
- USB sticks, DVDs, printers (“yellow dots”), scanners.
- Downloaded software (OS, applications), firmware, microcode
- Every system is part of a computational ecology.
“to a first approximation, every computer in the world is connected to every other computer.” --- Robert Morris (1932-2001), to the National Research Council’s Computer Science and Technology Board, Sept. 19, 1988
"Secret Code in Color Printers Lets Government Track You" (October 16, 2005) Tiny Dots Show Where and When You Made Your Print San Francisco - A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
Cybersecurity is a process problem
Security encompasses all aspects of an organization’s IT and HR operations.
Microsoft Security Development Lifecycle
- Few organizations can afford SDL.
- Windows 7/8 is still hackable...
Windows RT hack
- Microsoft controlled the hardware and the software.
- Windows RT — still hacked
- January 8, 2013
Cybersecurity is a money problem
Security is a cost.....Not an “enabler” No ROI
Chief Security Officers are in a no-win situation: Security = passwords = frustration No reward for spending money to secure the infrastructure Money spent on security is “wasted” if there is no attack
“If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.” Spaf’s first principle of security administration Practical Unix Security, 1991
Cyber Security is a “wicked problem”
- No clear definition of the wicked problem
- You don’t understand the problem until you have a solution.
- No “stopping rule”
- The problem can never be solved.
- Solutions not right or wrong
- Benefits to one player hurt another — Information security vs. Free speech
- Solutions are “one-shot” — no learning by trial and error
- No two systems are the same. The game keeps changing.
- Every wicked problem is a symptom of another problem
- Rittel and Webber, “Dilemmas in a General Theory of Planning,” 1973
- Dave Clement, “Cyber Security as a Wicked Problem,” Chatham House, October 2011
Why is Cybersecurity so hard?
Cyber Security has an active, malicious adversary.
- Turns your bugs into exploits
- Adapts to your defenses
- Waits until you make a mistake
- Attacks your employees when your systems are secure
For example... Compiler bugs are security vulnerabilities! (VU#162289)
C compilers may silently discard some wraparound checks The adversary chooses:
- What to exploit
- When to exploit it
- How to exploit it
We have seen:
- Optimizations can become security vulnerabilities
- The same errors are repeatedly made by different programmers
What’s difference between a bug and an attack?
- The programmer’s intent.
CPU bugs are remotely exploitable
Kris Kaspersky - Remote Code Execution Through Intel CPU Bugs, 2010
- Programs that are “secure” on one CPU may be vulnerable on another.
- Auditing the code & the compiler isn’t enough.
- “Fact: malware that uses CPU bugs really does exist;”
- “not apocalypse, just a new threat;”
The supply chain creates numerous security vulnerabilities
- Wireless providers
The attacker is smarter than you are, and has more time to find a good attack.
- ACComplice - Location Inference using Accelerometers on Smartphone
- Automotive security papers:
- Comprehensive Experimental Analyses of Automotive Attack Surfaces, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, Tadayoshi Kohno.
USENIX Security, August 10–12, 2011.
- Experimental Security Analysis of a Modern Automobile, Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.
IEEE Symposium on Security and Privacy, Oakland, CA, May 16–19, 2010
Any system can be hacked...
The Good News
Fortunately adversaries are not all powerful.
Adversaries are impacted by:
- Economic factors
- Attention span
- Other opportunities
You don’t have to run faster than the bear….
There are solutions to many cyber security problems...
... but we don’t use them.
- As of March 22, 2014
Windows 7 has vulnerabilities, but it’s better.
Apple users don’t use anti-virus.
- Yes, Apple tries to fix bugs, but
Most “SSL” websites only use it for logging in.
Many people liken cyber security to the flu.
DHS calls for “cyber hygiene”
- install anti-virus
- update your OS
- back up key files
“STOP, THINK, CONNECT”
Another model might be obesity....
Making people fat is good business:
- Farm subsidies
- Healthcare and medical utilization
- Weight loss plans
- Few make money when Americans stay trim and healthy.
Lax security is also good business:
- Cheaper cost of deploying software
- Private information for marketing
- Selling anti-virus & security products
- Cleaning up incidents
- Few benefit from secure computers
Cyberware is more like bioware than nuclear war
- Cheap to produce
- Easy to attack
- Hard to control
- Hard to defend
- No clear end
Non-technical factors impact cyber security.
These factors reflect deep divisions within our society.
- Shortened development cycles
- Education: General failure in teaching science, engineering & math
- HR: Inability to attract and retain the best workers
- Immigration Policy: Foreign students; H1B Visa
- Manufacturing Policy: Building in your enemy’s factories is a bad idea
Solving the cyber security mess requires solving these issues
Short development cycles
- Security not “baked in” to most products.
- Few or no security reviews
- Little Usable Security
- Testing does not uncover security flaws
- No time to retest after fixing
- Little monitoring for security problems
- Difficult to fix current system when new system is under development
Education is not supplying enough security engineers
Security HR Pipeline
- High School → College → Graduate School → Career
- Many professional programmers learn their craft in college.
- College English graduates: 16 years’ instruction in writing
- College CS graduates: 4 years’ instruction in programming
- Is it any wonder their code has security vulnerabilities?
CS Education Stats are terrifying
- 73% of states require computer “skills” for graduation.
- Only 37% require CS “concepts”
- Teachers are poorly paid!
- Salaries for beginning & average teachers lag CS engineers by 30%
- Adjusting for cost-of-living and shorter work week.
- Linda Darling-Hammond, Stanford University, 2004 http://www.srnleads.org/data/pdfs/ldh_achievemen_gap_summit/inequality_TCR.pdf
===High school students do not take the AP computer science (peaked in 2002) http://computinged.wordpress.com/2014/01/01/detailed-ap-cs-2013-results-unfortunately-much-the-same/
2013 CS AP:
- "No females took the exam in Mississippi, Montana, and Wyoming.
- "For states that had some females take the exam the percentage female ranged from 3.88% in Utah to 29% in Tennessee.
- "11 states had no Black students take the exam: Alaska, Idaho, Kansas, Maine, Mississippi, Montana, Nebraska, New Mexico, North Dakota, Utah, and Wyoming.
- "Nationally 29,555 students took the AP CS A exam in 2013. This was a big increase (19.25%) from the 24,782 students who took it in 2012. The number of teachers who passed the audit was 2,253 versus 2,103 the previous year. The number of female exam takers was 5,485 which was up from 4,635 the year before. The number of black students was 1,090 which was an increase from 1,014 the previous year. The number of Hispanic students was 2,408 up from 1,919 the previous year.
- "The percentage female was 18.55% which was lower than the previous year 18.7%. The overall pass rate was 66.85% which was up from 63.2% the previous year.
- "The female pass rate was 62% which was up from 56.4% the year before. The Asian pass rate was 73%. The white pass rate was 69.23%. The Hispanic pass rate was 45%. The black pass rate was 35.5%.
Talubee Survey Report
2012 results: http://cra.org/resources/taulbee/
- Peaked in 2003, on the rise again.
- 2011 enrollment is same as 2004.
- 15,975 Bachelor degrees in CS, CE and I awarded in the US. (6.9% non-resident alien)
- 10,518 Masters degrees awarded (7,462 CS, 878 CE, 2178 I); (53.8% non-resident alien)
- 1929 PhDs (50.1% awarded to non-resident alien)
2009 Study by Lindsay Lowell at Georgetown=
50% of graduate students in sciences are foreigners because salaries aren’t high enough.
“...the problem may not be that there are too few STEM qualified college graduates, but rather that STEM firms are unable to attract them.
Highly qualified students may be choosing a non-STEM job because it pays better, offers a more stable professional career, and/or perceived as less exposed to competition from low-wage economies.”
- US did not buy WW2 aircraft in Germany
- But we do buy our computers from China
There is no obvious way to secure cyberspace
- We trust computers…
- but we cannot make them trustworthy. (A “trusted” system is a computer that can violate your security policy.)
- We know a lot about building secure computers...
- but we do not use this information when building and deploying them.
- We know about usable security…
- but we can’t make any progress on usernames and passwords
- We should design with the assumption that computers will fail…
but it is cheaper to design without redundancy or resiliency.
- Despite the new found attention to cyber security, our systems seem to be growing more vulnerable every year.
- 7% of Bachelor's degrees awarded to "nonresident alien"
My vision of the future
- Technical societal collapse.
- National Academies - "Severe Space Weather Events --- Understanding Societal and Economic Impacts, Workshop Report" (2008)
- "According to a study by the Metach Corpo, the occurance today of an event like the 1921 sotmr would result in large-scale blackouts exposing more than 130 million people and would expose more than 350 transformers to the risk of permanent damage." (Transformers have manufacture lead times of 12 months or more.)
Cybersecurity Mess Slides
- 2013-May-16 — Talk to MIT Club of DC
- 2013-Jan-11 — Talk in Alexandria to Scholarship for Service students
- 2012-04-25 — First talk @MIT
Famous Cyber Attacks
- Garfinkel, S. The Cybersecurity Risk, Communications of the ACM, June 2012