Cybersecurity Advice for (Possible) President Obama
In a recent campaign appearance, Barack Obama made a number of proposals regarding "cyberterrorism". (Eugene Spafford was at the speech and blogged about it; be sure to read his description. You can find the text of Obama’s speech here and a fact sheet with more details here.) I’m glad to hear that Obama is taking cybersecurity seriously (and I’ll be glad to post a similar note if I see similar news stories about John McCain), but I fear he may be barking up the wrong tree. I can summarize my concerns in four points: the issue is cybersecurity, not cyberterrorism; there are no magic bullets; execution and policy matter a lot; and (of course) we need to do more research. I’ll discuss each of these in turn.
Cyberterrorism versus CybersecurityObama spoke specifically about "cyberterrorism" — the risk that terrorists might use cybercapabilities to attack U.S. interests. The the problem, though, is that this focus characterizes the threat too narrowly. The Internet Security Glossary gives this explanation (among others) for "threat"
To be likely to launch an attack, an adversary must have (a) a motive to attack, (b) a method or technical ability to make the attack, and (c) an opportunity to appropriately access the targeted system.This is the classic trinity known to all mystery fans: motive, means, and opportunity. In principle, defenders can use any one of the three to foil an attack.
Motive is the hardest one for an outsider to assess. At best,it’s a matter of delicate intelligence assessments about what an enemy plans to do. There have been many news stories about, say, Chinese government-sponsored hacking; there have been many fewer articles about al Qaeda’s cyber plans. Perhaps there have been fewer leaks; perhaps there has been less information to leak. Regardless, it seems clear that there has been serious activity by nation-states.
Of course, the flip side is that everyone — the U.S., other countries, and the terrorists — uses the Internet. There has been a lot of speculation that the Internet is too useful to the bad guys as a communications system for them to want to damage it. There is an irony here: the less they fear to use the Internet, the more likely it is that they won’t want to risk loss of their own access by launching a cyberattack. If there is too much U.S. government monitoring of Internet communications, in the hope of catching terrorists, the less reason they’ll have to refrain from attacking.
When it comes to means, the situation is considerably bleaker. Lots of people can launch cyberattacks; many of them are mercenary and sell exploits to the highest bidder. They don’t care if the buyer is a government, a terrorist group, an extortionist, a credit card number thief, or a spammer; what counts is profit. While we can safely assume that nation-states have very great capabilities, both they and the terrorists can easily purchase capabilities they don’t have. The publicly-known capabilities of the bad-guy hackers are demonstrably enough to do great damage. (It is worth noting that even ordinary attacks can affect the sorts of infrastructure targets that cyberterrorists may go after.)
Opportunity — for our purposes, that is the remaining security holes that exist in our systems — is the most promising avenue for the defenders, since we can to some extent control it. We have little control over whether or not someone can attack us, and exploits are much more easily distributed and obtained than, say, highly enriched uranium. But we can (to some extent) plug our own holes. This, then, has to be the focus of our work: defending our systems, regardless of who the attacker is.
Some will object that cyberterrorists and nation-states have greater capabilities than commercial attackers. While arguably true, it’s irrelevant: we aren’t even doing an adequate job defending against the "easy" attacks. And these attacks are devastating; TJX alone lost more than US$250 million to one group of attackers.
Focusing on generic cybsecurity will help against real, serious vulnerabilities without needing to speculate on enemy intentions or capabilities. That is, the same cybersecurity efforts we need to defend against cybercriminals defend against cyberterrorists.
No Magic BulletIt is very important that our next president recognize that there is no magic bullet that will solve the cybersecurity problem. Most security problems are due to buggy code; I regard buggy code as the oldest unsolved problem in computer science, and I do not anticipate a solution any time soon. More than 20 years ago, Fred Brooks wrote a classic essay "No Silver Bullet" (a copy appears to be here). In it, he noted that
I believe the hard part of building software to be the specification, design, and testing of this conceptual construct, not the labor of representing it and testing the fidelity of the representation. We still make syntax errors, to be sure; but they are fuzz compared with the conceptual errors in most systems.The same is true for cybersecurity (a subset of the reliability issues Brooks was talking about).
If this is true, building software will always be hard. There is inherently no silver bullet.
By the same token, a Manhattan Project-type effort won’t work. We don’t know how to produce secure, bug-free code; we don’t even know if it’s possible for human programmers to do it. We’re not dealing with the laws of physics, which very clearly do permit at least some chain reactions; we’re dealing with the limitations of the human brain. We’ve also seen many failed attempts at panaceas. Throwing a large pile of money at the problem will not magically cause a solution to appear.
Execution and Policy MatterFor all my pessimism about complete solutions, we can certainly do a lot better than we’re doing today. Some of the advice is mundane and familiar: patch your systems. (Other conventional advice, such as "pick strong passwords", is at best overblown and arguably harmful.) Other aspects are more difficult: proper system design counts for a lot. A cybersecurity czar with both a bully pulpit and some regulatory authority might accomplish a lot. To give just one example, many banks have insecure web sites. Are government regulations the cure, or at least part of it?
Some will argue that market mechanisms will solve the problem. Companies with poor security practices — again, think TJX — will pay the price. Unfortunately, there are serious market failures, such as end-user license agreements that shield some actors from liability. Similarly, consumers have little knowledge of (and often little choice about) software choices and their security implications. Perhaps liability and its corollary, insurance, are part of the solution. One important role for a cybersecurity czar is to develop a comprehensive set of policies (including proposed new laws and regulations) that will let the market function. There will be — there must be — a lot of debate over the issues. To give just one example, what will be the effects of liability (let alone strict liability) on open source software development and distribution? These questions do not have obvious answers, but it will be easier to discuss the questions in the context of a comprehensive solution.
More ResearchI’m an academic, so of course I’m calling for more research. The argument, though, is simple: we don’t know how to solve the problem. While I don’t think we’ll ever have perfect solutions, are there unknown techniques that could help? We don’t even know if firewalls are useful or not.
There is a lot of room for more research. I served on a recent National Academies study committee that outlined some important research issues; I’ll only mention two here. First, if some level of insecurity is inevitable (and I think it is), how do we minimize the damage? Second, there is a need for long-term, sustained effort; short-horizon programs won’t produce fundamental break-throughs. There have been press reports that DARPA has moved away from such a focus (note: this is not a conclusion I’m attributing to the committee).