Cyber Safety by "Innovative Technology and Management"



THE FUNDAMENTAL ISSUE

As noted earlier, no federal funding agency has assumed responsibility for supporting basic research in this area and, worse, no one "owns" this problem. The point here is that we observe minuscule funding of small, sporadic research projects relative to the size of the problem, and, more importantly, no one has questioned the underlying assumptions about cyber security that were established in the 1960s mainframe environment.
In the words of Prof Wm. A. Wulf, president of the National Academy of Engineering and AT&T Professor of Engineering and Applied Science in the Department of Computer Science at the University of Virginia, “Little research that is being done is focused on answering the wrong question!”
Accordingly, one such approach suggested by Prof Wulf is:
  • The need for a new "model" of the threat to replace the "Maginot Line" model
  • The need for a new definition of cyber security
  • The need for "active defense"
  • The need for coordination with the legal and regulatory systems.
We will cover each of these concepts in turn.
The Maginot Line Model
Most research on cyber security is based on the assumption that the thing we need to protect is "inside" the system. Therefore, we have tried to develop "firewalls" and the like to keep outside attackers from penetrating our defenses and gaining access or taking control of it. This model of computer security--The Maginot Line model--has been used since the first mainframe operating systems were built in the 1960s. Unfortunately, it is dangerously flawed.
First, like the Maginot Line, it is fragile. In WWII, France fell in 35 days because of its reliance on this model. No matter how formidable the defenses, the attacker can make an end run around them, and once inside, the entire system is compromised. The Maginot Line model is especially inappropriate in a networked environment, which does not have an "inside" or "outside" defined by the hardware. Many attempts have been made to simulate a networked environment, especially through various cryptographic techniques, but so far these have not worked.
Second, the Maginot Line model fails to recognize that many security flaws are "designed in." In other words, a system may fail by performing exactly as specified. Flaws are not always "bugs" or errors--they can also result when a system behaves as designed, but in ways the designers did not anticipate. In 1993, the Naval Research Laboratory did an analysis of some 50 security flaws and found that nearly half of them (22) were part of the requirements or specifications. It’s impossible to defend or provide a firewall against security flaws that were conceived of as perfectly legitimate--that were, in fact, considered requirements of correct system behavior!
Third, the Maginot Line cannot protect against insider attacks. No one has ever compromised the CIA by mounting a frontal assault on its external fence in Virginia. But security breaches have been made by employees inside the fence. The analogy to computer systems is clear. If we only direct our defenses outward, we ignore our greatest vulnerability, the legitimate insider.
Fourth, one need not "penetrate" a system to do major damage. This was demonstrated by the distributed denial-of-service attacks on Yahoo, Google and others last year, which showed that expected behavior can be disrupted or prevented without any form of penetration. Simply by flooding a system with false or legitimate requests for service (recent examples include the blocking of Mastercard and Visa in retaliation for WikiLeaks), attackers made it impossible for the system to respond to legitimate requests. We can be grateful that so far these denial-of-service attacks have been against Internet sites and not against major services in major cities.
Finally, the Maginot Line model has never worked! Every system ever built to protect a Maginot Line-type system has been compromised--including the systems I built in the 1970s. After 40 years of trying to develop a foolproof system, it’s time we realized we’re not likely to succeed. It’s time to change the flawed inside-outside model of security.
Definition of Security
The military definition of security emphasizes protecting access to sensitive information. This is the basis of the compartmentalized, layered {confidential, secret, top secret} classification of information. The slightly broader definition of security used in the research community includes two other notions: integrity and denial of service.
Integrity implies that information in the system cannot be modified by an attacker. In some cases, medical records for instance, integrity is much more important than secrecy. We may not like other people seeing our medical records, but we may die if someone alters our allergy profile.
Denial of service is just what it says--the attacker does not necessarily access or modify information in a system but does deny its users a service provided by that system. In the case of logistical operations, for instance, the ability to flood a communication channel with traffic can cripple an operation. Several years ago, for example, the Joint Chiefs of Staff asked a small team to see whether they could disrupt a major multi-service military exercise called Eligible Receiver; in fact the team caused the exercise to be cancelled, in part by using denial-of-service techniques. This relatively unsophisticated form of attack could also be used against phone systems (military base exchanges, 911, etc.), financial systems, and, of course, Internet hosts.
In fact, a practical definition of security is more complex than privacy, integrity, and denial of service. A proper definition will differ for each kind of object--credit card, medical record, tank, aircraft flight plan, student examination, and so forth. The notion of restricting access to a credit card to individuals with, say, secret clearance is nonsensical. Other factors, such as the timing, or at least the temporal order, of operations, correlative operations on related objects, and so on, are essential to the security of real-world information. (An example often cited is that the best way to anticipate major U.S. military operations is to count the pizza deliveries to the Pentagon.)
The military concept of sensitive but unclassified information has a counterpart in spades in the cyber world. Indeed, the line between sensitive and nonsensitive information is often blurred in cyberspace. In principle, one must consider how any piece of information might be combined with innumerable other pieces of information and used in some way to compromise our interests. The vast amount of information available on the Internet and the speed of modern computers make it impossible to anticipate how information will be combined or what inferences will be drawn from such combinations.
A simple model of "penetration" does not reflect any of these dimensions of realistic security concerns. Hence an analysis of a system's vulnerability in terms of how it can be "attacked" under the inside-outside Maginot Line model is unlikely to reveal its true vulnerabilities.
Active Defense
Passive defense alone will not work, especially if one holds to the Maginot Line model. Effective cyber security must include some kind of active response, some threat, some cost higher than the attacker is willing to pay, to complement passive defense. Our current computer security is primarily passive (although there are a few laws against crimes using a computer). Our ability to identify and respond to attack, in the cyber world or the physical world, can be improved substantially, but these approaches are not being aggressively pursued. Much better models of passive defense are possible--especially models such as the immune system model that distribute the responsibility for protection and defense rather than concentrating it at the Maginot Line.
Developing an active defense will not be easy. The practical and legal implications of active defense have not been determined, and the opportunities for mistakes are legion. The international implications are especially troublesome. It is difficult, sometimes impossible, to pinpoint the physical location of an attacker. If the attacker is in another country, could a countermeasure by a government computer be considered an act of war? Resolving this issue and related issues will require a thoughtful approach and careful international diplomacy.
Coordination with the Legal and Regulatory System
Any plan of action must begin with a dialog on legal issues. There are two kinds of issues that should be addressed soon: (1) issues raised in cyberspace that do not have counterparts in the physical world; and (2) issues raised by place-based assumptions in current law.
The first category includes everything from new forms of intellectual property (databases, for example) to new forms of crime (spamming, for example). Issues of particular interest to this discussion are the right(s) to, and limitation(s) on, active countermeasures to intrusions (indeed, what constitutes an intrusion). Issues raised by place-based assumptions in current law include many basic questions. How does the concept of jurisdiction apply in cyberspace? For tax purposes (sales taxes in the United States and value-added taxes in Europe), where does a cyberspace transaction take place? Where do you draw the line between national security and law enforcement? How do you apply posse comitatus?
Not all of these issues are immediately and obviously related to cyberspace protection. But cyberspace protection is a "wedge" issue that forces us to rethink some fundamental questions about the role of government, the relationship between the public and private sectors, the balance between privacy and public safety, and the definition of security.
Addressing the Problem
Most of the solutions executed or being contemplated are short-term measures and woefully lack all of the imperatives brought out earlier.
QED.
In the next post we will take on the rigours of classical cyber security.