[Note: the following is primarily about U.S. Government policies, but I believe several points can be generalized to other countries.]
I was editing a section of my website, when I ran across a link to a paper I had forgotten that I wrote. I'm unsure how many people actually saw it then or since. I know it faded from my memory! Other than CERIAS WWW sites and the AAAS itself, a Google search reveals almost no references to it.
As background, in early April of 2002, I was asked, somewhat at the last moment, to prepare a paper and some remarks on the state of information security for a forum, Technology in a Vulnerable World, held on science in the wake of 9/11. The forum was sponsored by the AAAS, and held later that month. There were interesting papers on public health, risk communication, the role of universities, and more, and all of them are available for download.
My paper in the forum wasn't one of my better ones, in that it was somewhat rushed in preparing it. Also, I couldn't find good background literature for some of what I was writing. As I reread what I wrote, many of the points I raised still don't have carefully documented sources in the open literature. However, I probably could have found some published backup for items such as the counts of computer viruses had I spent a little more time and effort on it. Mea culpa; this is something I teach my students about. Despite that, I think I did capture most of the issues that were involved at the time of the forum, and I don't believe there is anything in the paper that was incorrect at that time.
Why am I posting something here about that paper, One View of Protecting the National Information Infrastructure, written seven years ago? Well, as I reread it, I couldn't help but notice that it expressed some of the same themes later presented in the PITAC report, Cyber Security: A Crisis of Prioritization (2005), the NRC report Towards a Safer and More Secure Cyberspace (2007), and my recent Senate testimony (2009). Of course, many of the issues were known before I wrote my paper -- including coverage in the NRC studies Computers at Risk: Safe Computing in the Information Age (1991), Trust in Cyberspace (1999) and Cybersecurity Today and Tomorrow (2002) (among others I should have referenced). I can find bits and pieces of the same topics going further back in time. These issues seem to be deeply ingrained.
I wasn't involved in all of those cited efforts, so I'm not responsible for the repetition of the issues. Anyone with enough background who looks at the situation without a particular self-interest is going to come up with approximately the same conclusions -- including that market forces aren't solving the problem, there aren't enough resources devoted to long-term research, we don't have enough invested in education and training, we aren't doing enough in law enforcement and active defense, and we continue to spend massive amounts trying to defend legacy systems that were never designed to be secure.
Given these repeated warnings, it is troubling that we have not seen any meaningful action by government to date. However, that is probably preferable to government action that makes things worse: consider DHS as one notable example (or several).
Compounding the problem, too many leaders in industry are unwilling to make necessary, radical changes either, because such actions might disrupt their businesses, even if such actions are in the public good. It is one of those "tragedy of the commons" situations. Market forces have been shown to be ineffective in fixing the problems, and will actually lead to attempts to influence government against addressing urgent needs. Holding companies liable for their bad designs and mistakes, or restricting spending on items with known vulnerabilities and weaknesses would be in the public interest, but too many vendors affected would rather lobby against change than to really address the underlying problems.
Those of us who have been observing this problem for so long are therefore hoping that the administration's 60 day review provides strong impetus for meaningful changes that are actually adopted by the government. Somewhat selfishly, it would be nice to know that my efforts in this direction have not been totally in vain. But even if nothing happens, there is a certain sense of purpose in continuing to play the role of Don Quixote.
Sancho! Where did I leave my horse?
Why is it that Demotivators® seem so appropriate when talking about cyber security or government? If you are unfamiliar with Despair.com, let me encourage you to explore the site and view the wonderfully twisted items they have for sale. In the interest of full disclosure, I have no financial interest or ties to the company, other than as a satisfied and cynical customer.
On a more academic note, you can read or purchase the NRC reports cited above online via the National Academies Press website.
[A portion of this essay appeared in the October 2008 issue of Information Security magazine. My thanks to Dave Farber for a conversation that spurred me to post this expanded version.]
[Small typos corrected in April 2010.]
I’d like to repeat (portions of) a theme I have been speaking about for over a decade. I’ll start by taking a long view of computing.
Fifty years ago, IBM introduced the first all-transistor computer (the 7000 series). Transistors were approximately $60 apiece (in current dollars). Secondary storage was about 10 cents per byte (also in current dollars) and had a density of approximately 2000 bits per cubic inch. According to Wikipedia, a working IBM 7090 system with a full 32K of memory (the capacity of the machine) cost about $3,000,000 to purchase—over $21,000,000 in current dollars. Software, peripherals, and maintenance all cost more. Rental of a system (maintenance included) could be well over $500,000 per month (in 1958 dollars). Other vendors soon brought their own transistorized systems to market, at similar costs.
These early computing systems came without an operating system. However, the costs of having such a system sit idle between jobs (and during I/O) led the field to develop operating systems that supported sharing of hardware to maximize utilization. It also led to the development of user accounts for cost accounting. And all of these soon led to development of security features to ensure that the sharing didn’t go too far, and that accounting was not disabled or corrupted. As the hardware evolved and became more capable, the software also evolved and took on new features.
Costs and capabilities of computing hardware have changed by a factor of tens of millions in five decades. Currently, transistors cost less than 1/7800 of a cent apiece in modern CPU chips (Intel Itanium). Assuming I didn’t drop a decimal place, that is a drop in price by 7 orders of magnitude. Ed Lazowska made a presentation a few years ago where he indicated that the number of grains of rice harvested worldwide in 2004 was ten quintillion—10 raised to the 18th power. But in 2004, there were also ten quintillion transistors manufactured, and that number has increased faster than the rice harvest ever since. We have more transistors being produced and fielded each year than all the grains of rice harvested in all the countries of the world. Isn’t that amazing?
Storage also changed drastically. We have gone from core memory to semiconductor memory. And in secondary storage we have gone from drum memory to disks to SSDs. If we look at consumer disk storage, it is now common to get storage density of better than 500Gb per cubic inch at a cost of less than $.20 per Gb (including enclosure and controller)—a price drop of nearly 8 orders of magnitude. Of course, weight, size, speed, noise, heat, power, and other factors have all also undergone major changes. To think of it another way, that same presentation by Professor Lazowska, noted that the computerized greeting cards you can buy at the store to record and play back a message to music have more computing power and memory in them than some of those multi-million $ computers of the 1950s, all for under $10.
Yet, despite these incredible transformations, the operating systems, databases, languages, and more that we use are still basically the designs we came up with in the 1960s to make the best use of limited, expensive, shared equipment. More to the theme of this blog, overall information security is almost certainly worse now than it was in the 1960s. We’re still suffering from problems known for decades, and systems are still being built with intrinsic weaknesses, yet now we have more to lose with more valuable information coming online every week.
Why have we failed to make appreciable progress with the software? In part, it is because we’ve been busy trying to advance on every front. Partially, it is because it is simpler to replace the underlying hardware with something faster, thus getting a visible performance gain. This helps mask the ongoing lack of quality and progression to really new ideas. As well, the speed with which the field of computing (development and application) moves is incredible, and few have the time or inclination to step back and re-examine first principles. This includes old habits such as the sense of importance in making code “small” even to the point of leaving out internal consistency checks and error handling. (Y2K was not a one-time fluke—it’s an instance of an institutional bad habit.)
Another such habit is that of trying to build every system to have the capability to perform every task. There is a general lack of awareness that security needs are different for different applications and environments; instead, people seek uniformity of OS, hardware architecture, programming languages and beyond, all with maximal flexibility and capacity. Ostensibly, this uniformity is to reduce purchase, training, and maintenance costs, but fails to take into account risks and operational needs. Such attitudes are clearly nonsensical when applied to almost any other area of technology, so it is perplexing they are still rampant in IT.
For instance, imagine buying a single model of commercial speedboat and assuming it will be adequate for bass fishing, auto ferries, arctic icebreakers, Coast Guard rescues, oil tankers, and deep water naval interdiction—so long as we add on a few aftermarket items and enable a few options. Fundamentally, we understand that this is untenable and that we need to architect a vessel from the keel upwards to tailor it for specific needs, and to harden it against specific dangers. Why cannot we see the same is true for computing? Why do we not understand that the commercial platform used at home to store Aunt Bee’s pie recipes is NOT equally suitable for weapons control, health care records management, real-time utility management, storage of financial transactions, and more? Trying to support everything in one system results in huge, unwieldy software on incredibly complex hardware chips, all requiring dozens of external packages to attempt to shore up the inherent problems introduced by the complexity. Meanwhile, we require more complex hardware to support all the software, and this drives complexity, cost and power issues.
The situation is unlikely to improve until we, as a society, start valuing good security and quality over the lifetime of our IT products. We need to design systems to enforce behavior within each specific configuration, not continually tinker with general systems to stop each new threat. Firewalls, IDS, antivirus, DLP and even virtual machine “must-have” products are used because the underlying systems aren’t trustworthy—as we keep discovering with increasing pain. A better approach would be to determine exactly what we want supported in each environment, build systems to those more minimal specifications only, and then ensure they are not used for anything beyond those limitations. By having a defined, crafted set of applications we want to run, it will be easier to deny execution to anything we don’t want; To use some current terminology, that’s “whitelisting” as opposed to “blacklisting.” This approach to design is also craftsmanship—using the right tools for each task at hand, as opposed to treating all problems the same because all we have is a single tool, no matter how good that tool may be. After all, you may have the finest quality multitool money can buy, with dozens of blades and screwdrivers and pliers. But you would never dream of building a house (or a government agency) using that multitool. Sure, it does a lot of things passably, but it is far from ideal for expertly doing most complex tasks.
Managers will make the argument that using a single, standard component means it can be produced, acquired and operated more cheaply than if there are many different versions. That is often correct insofar as direct costs are concerned. However, it fails to include secondary costs such as reducing the costs of total failure and exposure, and reducing the cost of “bridge” and “add-on” components to make items suitable. Smaller and more directed systems need to be patched and upgraded far less often than large, all-inclusive systems because they have less to go wrong and don’t change as often. There is also a defensive benefit to the resulting diversity: attackers need to work harder to penetrate a given system because they don’t know what is running. Taken to an extreme, having a single solution also reduces or eliminates real innovation as there is no incentive for radical new approaches; with a single platform, the only viable approach is to make small, incremental changes built to the common format. This introduces a hidden burden on progress that is well understood in historical terms—radical new improvements seldom result from staying with the masses in the mainstream.
Therein lies the challenge, for researchers and policy-makers. The current cyber security landscape is a major battlefield. We are under constant attack from criminals, vandals, and professional agents of governments. There is such an urgent, large-scale need to simply bring current systems up to some bare minimum that it could soak up way more resources than we have to throw at the problems. The result is that there is a huge sense of urgency to find ways to “fix” the current infrastructure. Not only is this where the bulk of the resources is going, but this flow of resources and attention also fixes the focus of our research establishment on these issues, But when this happens, there is great pressure to direct research towards the current environment, and towards projects with tangible results. Program managers are encouraged to go this way because they want to show they are good stewards of the public trust by helping solve major problems. CIOs and CTOs are less willing to try outlandish ideas, and cringe at even the notion of replacing their current infrastructure, broken as it may be. So, researchers go where the money is—tried and true, incremental, “safe” research.
We have crippled our research community as a result. There are too few resources devoted to far-ranging ideas that may not have immediate results. Even if the program managers encourage vision, review panels are quick to quash it. The recent history of DARPA is one that has shifted towards immediate results from industry and away from vision, at least in computing. NSF, DOE, NIST and other agencies have also shortened their horizons, despite claims to the contrary. Recommendations for action (including the recent CSIS Commission report to the President) continue this by posing the problem as how to secure the current infrastructure rather than asking how we can build and maintain a trustable infrastructure to replace what is currently there.
Some of us see how knowledge of the past combined with future research can help us have more secure systems. The challenge continues to be convincing enough people that “cheap” is not the same as “best,” and that we can afford to do better. Let’s see some real innovation in building and deploying new systems, languages, and even networks. After all, we no longer need to fit in 32K of memory on a $21 million computer. Let’s stop optimizing the wrong things, and start focusing on discovering and building the right solutions to problems rather than continuing to try to answer the same tired (and wrong) questions. We need a major sustained effort in research into new operating systems and architectures, new software engineering methods, new programming languages and systems, and more, some with a (nearly) clean-slate starting point. Small failures should be encouraged, because they indicate people are trying risky ideas. Then we need a sustained effort to transition good ideas into practice.
I’ll conclude with s quote that many people attribute to Albert Einstein, but I have seen multiple citations to its use by John Dryden in the 1600s in his play “The Spanish Friar”:
“Insanity: doing the same thing over and over again expecting different results.”
What we have been doing in cyber security has been insane. It is past time to do something different.
[Added 12/17: I was reminded that I made a post last year that touches on some of the same themes; it is here.]