A few weeks ago I participated in a cyber roundtable pulled together in Washington DC. This was, in part, a meeting to kick off a new organization that will seek to bring security technologists and policy makers together. (Much more on this at a later date).
The participants (who met under the Chatham House Rule*) included uber security geeks, privacy advocates, Defense Industrial representatives, and policy influencers.
There was quick acknowledgement from all of the participants that there are multiple problems in the way the cybersecurity challenge is being met, including technology and R&D investment, information sharing, and a lack of understanding of those problems as evidenced by the bills wending their way through Congress.
So I was heartened to see that the US Networking and Information Technology Research and Development (NITRD) consortium is stepping up to address at least the technology issues.
NITRD is supported by 14 Federal agencies including the National Science Foundation and DHS. They held a meeting May 19th to propose three areas of investigation that would lead to game-changing research and development and opened the discussion to public comment.
Herewith are my comments that I submitted to their forum. (The comment period ends today, June 18).
The first proposed theme is Tailored Trustworthy Spaces. This theme, while at first glance appearing overly academic, is crucially important and is actually evolving on the Internet.
It reflects the way we change how we behave and interact depending on the particular forum we are participating in.
A Skype conversation with a child away at school, funds transfers between bank accounts, executing stock trades, using a VPN to enter the corporate network, commenting anonymously on blogs, a LinkedIn discussion group, Craigslist, Twitter, and Facebook are all examples of different trust environments we participate in.
We adjust how we interact, who we trust, what information we reveal, and in some cases adjust our browsers or even the computer we use to participate.
A bank may still require Internet Explorer to access its online accounts but the security-conscious will use Firefox for general web browsing. Some people have even started to use separate computers for some activities.
Research should begin with what is working today and what about those solutions is succeeding. The concept of segmentation should be included to provide damage control when a trustworthy space is breached. As new models are developed they should be deployed and tested quickly to discover their failings.
Behavior monitoring should be used to alert when new and unusual behaviors arise. Remember Network News Groups? Initially NNTP (Network News Transfer Protocol) gave rise to vast forums where like-minded people could discuss politics, cats, even knitting.
When spammers started spewing postings to the thousands of groups, NNTP died out. Built-in defenses against spam behavior may have saved News Groups.
The key point is that all possible attacks on a Trustworthy Space cannot be predicted. Monitoring, reporting, and alerting should be included (along with privacy protections).
The second theme is Research into Moving Target (MT) technologies.
This is a great concept and ties into the next theme of economics. Few will disagree that monocultures, thanks to the wide deployment of a single code base, rife with vulnerabilities, are the single biggest cause of the cybersecurity challenge.
While technologies such as Solidcore (just acquired by McAfee) can be installed to make a Windows machine impervious to attack by essentially randomizing memory and system call registries, and other randomizing in the network can add to the investment an attacker must make to be successful, there is one area that is ripe for exploration.
The decades-long movement towards platform consolidation should be reversed and R&D efforts should support that reversal. Certain environments (critical infrastructure, DoD, the intelligence community) should move to multiple platforms just to increase the number of systems an attacker must have tools to compromise.
As a start Windows systems should be limited to desktops only. All servers for DNS, directory services, databases, applications, and cloud computing should be on non-Windows platforms.
This would ensure that popular vectors, developed by cyber criminals to attack and control the target-rich consumer space, would not also lead to infections of SCADA controllers, transaction processors, or real-time environments.
Certainly handhelds, ships, tanks, airplanes, medical equipment and manufacturing systems should never share a code base with a dominant consumer product. Over time even desktop environments should be transitioned to multiple different platforms.
R&D efforts could enhance the management of multi-platform environments. Open source communities could be supported to enhance the protections of Linux variants.
The third proposed theme is Cyber Economic Incentive.
In October, 2006, I was asked to join a workshop on modern malware hosted by the Santa Fe Institute and co-chaired by Matt Williamson, principal research scientist from Sana Security, and Esther Dyson.
I can sum up the overall sense that was shared by the participants at the end of the second day: This is a war. The enemy is organized, well financed and smart. Reactive measures such as research and signature generation are falling behind.
Most important, when the workshop convenes again, at least half the time and effort should be devoted to understanding the economics of cybercrime.
As far as I know that follow-on meeting never occurred (or I was not invited :-). While the intent of this theme seems focused on providing economic incentive for improving the security practices of the good guys, I would not neglect research into understanding the motivations of the bad guys as well.
NITRD has asked the right questions and proposed valuable avenues of future investment. I applaud this effort and hope that support for it comes from the member agencies.
One final suggestion is that international participation should be invited. We are all in this together and only by pulling in the brilliant researchers around the world can cybersecurity challenges be addressed.
* "When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed".
* * *
Attention! Richard Stiennon's new book, "Surviving Cyberwar" has been published:
After a five month period of editing, indexing, and finally printing, Surviving Cyberwar has been published by Government Institutes, an imprint of Scarecrow Press, a division of the Rowman and Littlefield company...