Schneier on Security
A blog covering security and security technology.
May 29, 2009
Obama's Cybersecurity Speech
I am optimistic about President Obama's new cybersecurity policy and the appointment of a new "cybersecurity coordinator," though much depends on the details. What we do know is that the threats are real, from identity theft to Chinese hacking to cyberwar.
His principles were all welcome -- securing government networks, coordinating responses, working to secure the infrastructure in private hands (the power grid, the communications networks, and so on), although I think he's overly optimistic that legislation won't be required. I was especially heartened to hear his commitment to funding research. Much of the technology we currently use to secure cyberspace was developed from university research, and the more of it we finance today the more secure we'll be in a decade.
Education is also vital, although sometimes I think my parents need more cybersecurity education than my grandchildren do. I also appreciate the president's commitment to transparency and privacy, both of which are vital for security.
But the details matter. Centralizing security responsibilities has the downside of making security more brittle by instituting a single approach and a uniformity of thinking. Unless the new coordinator distributes responsibility, cybersecurity won't improve.
As the administration moves forward on the plan, two principles should apply. One, security decisions need to be made as close to the problem as possible. Protecting networks should be done by people who understand those networks, and threats need to be assessed by people close to the threats. But distributed responsibility has more risk, so oversight is vital.
Two, security coordination needs to happen at the highest level possible, whether that's evaluating information about different threats, responding to an Internet worm or establishing guidelines for protecting personal information. The whole picture is larger than any single agency.
This essay originally appeared on The New York Times website, along with several others commenting on Obama's speech. All the essays are worth reading, although I want to specifically quote James Bamford making an important point I've repeatedly made:
The history of White House czars is not a glorious one as anyone who has followed the rise and fall of the drug czars can tell. There is a lot of hype, a White House speech, and then things go back to normal. Power, the ability to cause change, depends primarily on who controls the money and who is closest to the president's ear.
Because the new cyber czar will have neither a checkbook nor direct access to President Obama, the role will be more analogous to a traffic cop than a czar.
Gus Hosein wrote a good essay on the need for privacy:
Of course raising barriers around computer systems is certainly a good start. But when these systems are breached, our personal information is left vulnerable. Yet governments and companies are collecting more and more of our information.
The presumption should be that all data collected is vulnerable to abuse or theft. We should therefore collect only what is absolutely required.
As I said, they're all worth reading. And here are some more links.
I wrote something similar in 2002 about the creation of the Department of Homeland Security:
The human body defends itself through overlapping security systems. It has a complex immune system specifically to fight disease, but disease fighting is also distributed throughout every organ and every cell. The body has all sorts of security systems, ranging from your skin to keep harmful things out of your body, to your liver filtering harmful things from your bloodstream, to the defenses in your digestive system. These systems all do their own thing in their own way. They overlap each other, and to a certain extent one can compensate when another fails. It might seem redundant and inefficient, but it's more robust, reliable, and secure. You're alive and reading this because of it.
EDITED TO ADD (6/2): Gene Spafford's opinion.
EDITED TO ADD (6/4): Good commentary from Bob Blakley.
Posted on May 29, 2009 at 3:01 PM
"Education is also vital, although sometimes I think my parents need more cybersecurity education than my grandchildren do."
I'd say those in the most dire need of a little more education on the subject are the legislators themselves.
The law has an awful track record with regards to the Information Age, most recently the "'sexting' as child pornography", and Linda Sanchez's horridly written proposal for outlawing 'cyber-bullying'.
It's important that the people in charge of legislation of this kind, and its eventual acceptance or denial, understand it at least as well as their grandchildren do.
"Protecting networks should be done by people who understand those networks."
Case in point, in principle.
"The presumption should be that all data collected is vulnerable to abuse or theft. We should therefore collect only what is absolutely required."
Yes! For god's sake yes.
However, 'what is absolutely required' depends on who you ask, and what their incentives are for collecting said data. If the free market will always gain from collecting as much data as possible, they aren't likely going to stop because we asked them to. This goes back into your statement on Obama's optimism regarding the need (or lack thereof) of legislative measures, which I don't share for obvious reasons.
The free market has an awful track record too, namely in regards to doing what's 'right' in the face of lower profit margins.
I hope this doesn't mean another Operation Sundevil is in the works. This marblecake thing is pretty funny... I know, I know, it's all fun and games until someone shuts down a power plant.
Disappointing yes, surprising... not in the least. I wouldn't even be surprised to see 'Human Beings' make the list... or simply 'Mother Nature'.
How long will it be until file sharing becomes a national 'cybersecurity' problem?
Centralized control enables centralized abuses.
Speaking of unnecessary and abusive data collection, check this out:
It's called The 2009 American Community Survey and is now an annual supplement to the census (?) hitting 2% of the population each year. It is more affectionately known as the flush toilet count.
More data to be abused. Invasion of privacy.
One interesting name on Obama's short list is "Shuce Breier". Does anyone on this blog have some interesting news to share?
I worry about the coordination between the newly appointed U.S. Chief Technology Officer, the Federal Chief Information Officer, and the "cybersecurity coordinator". Certain tasks seem to overlap based on their job descriptions.
I can't help but think that these appointments hint at the old problem of "security" being an afterthought. Security must be built into the processes from the start: hardware, software engineering, and policies and practices at the user and local administrator level. Just look at a supposed "limited or restricted network". The military has been fending off threats since the "Titan Rain" attacks started in 2003 and their defenses are still being breached. If the military can't protect themselves, who can? Will there be a "Great Firewall of the United States" erected instead?
How will these initiatives work in the private sector? Will it help stop illegal spam and botnets?
A commentator on television today mentioned SCADA systems, electric grids in this case. He said that they must be protected since they're on the Internet and not on private connections. Ironically, the electric utilities moved their systems onto open networks to save money.
I like the immune system analogy as it also encompasses a warning of what happens when there are problems with the body's defences. An over-active immune system leads to annoying allergies and chronic debilitating conditions like lupus, colitis, asthma, thyroiditis, multiple sclerosis etc. Regulation and balance in defence are essential or otherwise the body destroys itself.
President Obama's remarks include:
"A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million. It's been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion."
From a legal dictionary steal implies larceny, and:
The unauthorized taking and removal of the Personal Property of another by an individual who intends to permanently deprive the owner of it; a crime against the right of possession.
$400 million corporate espionage incident at DuPont
The $400-million in intellectual property 'theft' was prosecuted under Title 18 USC 1832, Theft of Trade Secrets, a new federal crime promulgated by the Economic Espionage Act of 1996.
The operative statute violation appears to be knowingly committing an offense by someone causing injury to any owner of a trade secret. The offender -
without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information.
See, no actual theft without destruction or alteration (which wasn't reported).
Information on this particular episode was made public in 2007 by the Delaware Attorney General, one Joseph R. Biden III. The perpetrator was fined $30,000 and ordered to pay $14,500 in restitution for this $400 million dollar 'theft' and sentenced to 18 months following a guilty plea, the sentence being considered fair by Robert Kravetz an assistant U.S. attorney in Delaware. There is no indication that the new employer the perpetrator was performing this service for is being investigated or prosecuted. There might not be economic justification or simply political grounds, the new employer was a UK based company.
Former DuPont worker gets 18-month sentence for insider data thefts
It might be reasonable to expect that the $1 trillion claim might prove to be similarly exaggerated. While it isn't clear exactly what a cyber security czar will do, any justification for promoting the appointment should perhaps be questioned.
The Economic Espionage Act of 1996 makes for an extremely long and flexible nose of the camel reaching under the tent skirt to include any Internet related activity wherein it may be impossible to avoid interstate or international commerce.
This same argument [overlapping systems] is why the "efficiencies" of the market set up the economy for catastrophic failure. Efficiency argues for one arm; survival argues for two. Ditto the organs.
Speech is correct. Trial lawyer power insurgency process, not correct.
Reminds me of all the CIA grandstanding Political Circus on the torture issue. How about another standing protest at the CIA? Hayden made the right decision, move along nothing to see.
I do like how this Cybersecurity article is written, optimistic, but details matter.
I do not agree with the traffic cop concept.
Again, it reminds me of the current CIA problem: foreign language skills. Computer security like foreign intelligence and foreign language skills. Traffic cop system just does not work. Cultural skills are the rule. Computer skills require incentives to prosper. GRR, the Democrats' power plays will not help computer security or computer cultural skills to prosper.
But open source CIA is spelled: D I S A S T E R.
When it comes to official issues that affect information security, legal hindrance of security research could be an issue.
For instance, the SecurityFocus site has the writing "Time to Shield Researchers" at http://www.securityfocus.com/columnists/495
The Electronic Frontier Foundation has the paper "Unintended Consequences: Ten Years under the DMCA [Digital Millennium Copyright Act]" at http://www.eff.org/wp/...
(Among other cases, the DMCA may have delayed certain researchers from publishing details regarding the security problems with certain Sony BMG audio CDs.)
Security == Immune system.
We sure have a lot of auto-immune diseases.
Not native English
I think that Obama is right in his decision to protect cyberspace. Although it's impossible to give absolute protection, technically, because the internet has fast tech changes in new popular programs and protocols. Nobody can even create unbreakable cryptography. On the other side, in a war anybody can drop bombs onto root servers. But what can they do? Maybe limit cyber technologies in power plants, automobiles, medicine, social energy, etc. Another good way to protect is to create a good integration of root infrastructure into foreign relations, from DNS and routing to search engines and cloud computing. Technically, they can organize low-cost backups for the government servers, create a base for fast recovery mechanisms by administrators, and so much more :-)
They should be criminally sanctioned for crimes against grammar and meaning in the first paragraph of the executive summary.
Research is definitely a good thing. I hope consideration will be given to basic research on questions such as how a hypothetical new generation of hardware and operating systems could best be designed with security in mind. It seems to me this is the only thing that would really help much.
It is possible for an operating system to be designed to be naturally virus-resistant, so that (for example) running a malicious program does not automatically allow the user's account to be compromised. It is also possible to make it much less likely that a security flaw in an application would allow the user's account to be compromised, by isolating individual documents from one another. Unfortunately, it almost certainly isn't possible to retrofit this sort of resistance into an existing operating system.
The total cost of redesigning hardware and replacing/rewriting/porting all of our existing software would admittedly be huge, but in the long run I think it's worth it and the longer we wait the harder it gets.
Stories of security failures, such as the vulnerability of our power grid control system and penetrations of the Joint Strike Fighter project have recently been leaked into the headlines. This public disclosure is exactly the sort of prod needed to make bureaucrats take the issue seriously. I expect that future breaches will be treated more appropriately, with reprimands, firings and 'public hangings' until the message gets through.
Agencies and contractors who have jealously guarded their turfs in the past and insisted that they could handle security in-house will now be much more receptive to adopting methods and standards set by one central authority. Once a standard is selected, there will be no excuses or forgiveness for breaches which occur because someone insisted on using their pet system. Suddenly the ego boost of having one's own cyber-security staff may no longer outweigh the risks.
Research pays for itself. In 1900 there were 8,000 cars on the roads, using 80,000 barrels of oil a year to operate. By 1942 there were 36,000,000 cars, which 80,000 barrels of oil could operate for about an hour and a half. Research at Mellon Institute by Gulf Oil developed a better catalytic thermal cracking process which meant more gasoline could be made from a barrel of oil. It took years for companies to see the value of research. Today the Pittsburgh economy depends on research instead of manufacturing. More cars could be sold, which meant more roads which meant more cars.
GM research yielded different results.
"Ethyl leaded gasoline is the confusing brand name choice for tetra ethyl lead (TEL), which was an anti-knock (octane boosting) gasoline additive discovered by General Motors researchers on Dec. 9, 1921 and introduced commercially in Ohio on Feb. 2, 1923. Ethyl is also the corporate name of the joint GM-Standard Oil of New Jersey (Exxon) venture established in 1924 to market the additive. Since GM was 38 percent owned by the E. I. Du Pont de Nemours at the time, there were initially three partners.
The general public first learned of TEL in late October, 1924 when half a dozen workers went violently insane and then died, apparently from a mysterious poison they were making at a Standard oil refinery in New Jersey. When it became clear that this poison was being put into gasoline, and that other workers had died in similar refineries, a vehement public health controversy broke out. GM and Standard insisted that TEL was only dangerous in concentrated form at the refinery, not when diluted in gasoline. But public health scientists, especially Drs. Alice Hamilton of Harvard and Yandell Henderson of Yale, said it was an important public health question and insisted that safer alternatives should be used (as we will see below)."
In the end. "GM Contradicts Its Own Research." Today the end is different. GM stock is lead. GM stock opened the day at $1.09 and closed the day at 75 cents. They could just distribute the stock to the dealers and save the government the trouble of fixing the company. The current czarist strategy is to close the stores to save the business. About the only thing that still works is the dealerships. Maybe they can turn them into gas stations and sell fuel below cost rather than cars below cost to stay above water. Sell boats. Good luck!
I think this is a giant stride by Obama, because the issue of identity theft and internet fraud is increasing at an alarming rate.