How Changing Technology Affects Security

Security is a tradeoff, a balancing act between attacker and defender. Unfortunately, that balance is never static. Changes in technology affect both sides. Society uses new technologies to decrease what I call the scope of defection -- what attackers can get away with -- and attackers use new technologies to increase it. What's interesting is the difference between how the two groups incorporate new technologies.

Changes in security systems can be slow. Society has to implement any new security technology as a group, which implies agreement and coordination and -- in some instances -- a lengthy bureaucratic procurement process. Meanwhile, an attacker can just use the new technology. For example, at the end of the horse-and-buggy era, it was easier for a bank robber to use his new motorcar as a getaway vehicle than it was for a town's police department to decide it needed a police car, get the budget to buy one, choose which one to buy, buy it, and then develop training and policies for it. And if only one police department did this, the bank robber could just move to another town. Defectors are more agile and adaptable, making them much better at being early adopters of new technology.

We saw it in law enforcement's initial inability to deal with Internet crime. Criminals were simply more flexible. Traditional criminal organizations like the Mafia didn't immediately move onto the Internet; instead, new Internet-savvy criminals sprung up. They set up websites like CardersMarket and DarkMarket, and established new organized crime groups within a decade or so of the Internet's commercialization. Meanwhile, law enforcement simply didn't have the organizational fluidity to adapt as quickly. Cities couldn't fire their old-school detectives and replace them with people who understood the Internet. The detectives' natural inertia and tendency to sweep problems under the rug slowed things even more. They spent the better part of a decade playing catch-up.

There's one more problem: defenders are in what military strategist Carl von Clausewitz calls "the position of the interior." They have to defend against every possible attack, while the defector only has to find one flaw that allows one way through the defenses. As systems get more complicated due to technology, more attacks become possible. This means defectors have a first-mover advantage; they get to try the new attack first. Consequently, society is constantly responding: shoe scanners in response to the shoe bomber, harder-to-counterfeit money in response to better counterfeiting technologies, better antivirus software to combat new computer viruses, and so on. The attacker's clear advantage increases the scope of defection even further.

Of course, there are exceptions. There are technologies that immediately benefit the defender and are of no use at all to the attacker -- for example, fingerprint technology allowed police to identify suspects after they left the crime scene and didn't provide any corresponding benefit to criminals. The same thing happened with immobilizing technology for cars, alarm systems for houses, and computer authentication technologies. Some technologies benefit both but still give more advantage to the defenders. The radio allowed street policemen to communicate remotely, which increased our level of safety more than the corresponding downside of criminals communicating remotely endangers us.

Still, we tend to be reactive in security, and only implement new measures in response to an increased scope of defection. We're slow about doing it and even slower about getting it right.

This essay originally appeared in IEEE Security & Privacy. It was adapted from Chapter 16 of Liars and Outliers.

Posted on March 7, 2012 at 6:14 AM • 29 Comments

Comments

anonyousMarch 7, 2012 7:28 AM

"immobilizing technology for cars"
I am not sure it cannot be abused.
See a fancy car in the right neighborhood?
Immobilize it, to get the people to leave it or to thow the car away with or without the people or strip it of anything useable, all easier if the car cannot drive anymore...

Clive RobinsonMarch 7, 2012 7:30 AM

@ Bruce,

You forgot to mention that there is also a significant difference in the way defectors use the technology they have when compared to the societal deffenders.

Societal solutions almost always tend to be static in nature be it physicaly like CCTV systems or in use such as fingerprint databases. The defectors attack systems are usually very agile both in attack point and technology.

This has the consequence that new technology implemented by society is usually "out evolved" by the attackers in very short time.

The clasic example of this is CCTV in the short term it gets good results however faily quickly sometimes just a couple of months street crime levels return to normal.

And with a little thought it can quickly be seen that societal deffence systems need to be as agile if not more so than that of the defectors. If it's not the defectors are always going to win eventually. Not that, that appears to worry the political purse string holders.

It is interesting to note that this years RSA conferance there was an acknoledgment that ICT sec is lossing the battle for various reasons but primarily because the defectors are more agile in just about everything they do.

Clive RobinsonMarch 7, 2012 7:33 AM

@ Moderator / Bruce

the above comments are coming up in italics is there a hanging tag somewhere?

Zdenek FMarch 7, 2012 9:12 AM

I believe the next such big change are going to be quantum computers.

kingsnakeMarch 7, 2012 9:42 AM

In keeping with the theme of the attackers always being ahead of the defenders, here's a hack of the TSA scanning system:

http://consumerist.com/2012/03/...

Basically, place the object along your side, so it shows up as part of the background.

NobodySpecialMarch 7, 2012 9:52 AM

In public defenders and attackers aren't necessarily symmetric.
The attackers want money, the defenders priority isn't to prevent the loss of money - it's to re-assure the public who pay them.
No police department is based around recovering stolen property.

It's the same with terrorism, the purpose of the scanners isn't to catch terrorist shoe bombers - it's to make the people that pay for them feel protected.

zoliMarch 7, 2012 10:06 AM

biometry opens up the possibility for "attackers" to use someone else fingerprint and put the suspicion on that person...

jacksonMarch 7, 2012 10:34 AM

Outstanding post that capsulizes this very well. Information security is far and away the least innovative technology. People say and do things in security that you will never hear in medicine, in aviation, or any other field of technology. I watched a web video not long ago that featured a panel discussion between "experts" in perimeter security, the big names in networking technology were all there. Toward the end of the video, one of the speakers who is a very well known CTO began to rant "companies have GOT to stop innovating!" In other words, the whole problem is that someone moved the furniture. Grandma said "we didn't have all these problems fifty years ago, we just need to go back to the way we did things fifty years ago then all these problems would go away."

Palo Alto networks is an exception, they're blazing their way through all this bucket of puss we have in security. I don't work for them and I don't sell their stuff, I don't even know anyone there. They don't fix everything, but they are a sparkling exception.

Things are going to get a lot worse. None of this will change. No matter who writes articles in magazines blowing the whistle on the millions and millions of me-too products companies have bought. Worse, there's so much noise in security right now companies have become bewildered, that's why the conversation at the RSA conference has become largely that of resignation.

I wish I had a dime for every IT person that either said the problem is that everyone is stupid, or that no one should be allowed to do anything - use a browser, copy files...No! No! No! Don't do anything on your computer, then we won't have any security problems.

Hanging TagMarch 7, 2012 10:38 AM

>> There are technologies that immediately benefit the defender and are of no use at all to the attacker.

As others are alluding, using those technologies to spoof the defender can be of great use to the attacker.

Clive RobinsonMarch 7, 2012 10:55 AM

@ Zdenek F,

I believe the next such big change are going to be quantum computers

First problem is to even get the working in a useful way.

And the second menwhile people are comming up with non quantum ways to defeat their advantages at what currently appears to be a faster way...

So in some respects quantum computers will be obsolete befor they even become usable.

syberghostMarch 7, 2012 11:43 AM

Now the big question; during the transitional phase where the bad guys are ahead and the good guys are trying to catch up, do you let your people be in a state of panic where they stop using services and collapse the economic sector you're trying to defend, or do you engage in some security theater to make them feel safer so their reaction is more proportional to the threat?

You don't want everybody taking their money out of the banks until the cops get cars, or you'll have no banks.

hgsternMarch 7, 2012 12:18 PM

Cavalcade of Risk #152, the Short & Sweet edition is up, and your post is in it:

http://www.riskmanagementmonitor.com/...

Please tell your readers.

And a friendly reminder to newbies and regulars alike that, while it's not mandatory to give a link back, it’s the way that carnivals work best. If your submitted post has been included in the Cav, please remember to post about it on your blog because it helps us all.

Thanks!

JohnstonMarch 7, 2012 12:22 PM

@NobodySpecial

"It's the same with terrorism, the purpose of the scanners isn't to catch terrorist shoe bombers - it's to make the people that pay for them feel protected."

Or to pay the people who make them (Michael Chertoff) via the revolving door. Or both.

Clive RobinsonMarch 7, 2012 1:21 PM

@ kashmarek,

Very probably the description given is quite probable.

Look at it this way in Japanese theatre you have "stage hands" who are dressed almost entirly in black (and are supposadly the motivation for Ninja's). They move slowly and carefully around the stage during the performance and few people if anybody actualy notices them.

One Ninja idea is to "hide in plain sight" by wearing the same colour etc and stand in full view in front of a wall etc of the same colour or shading.

In essence this is what is being done, the operator expects to see a black background on the screen and a black object on top of it unless framed or outlined in some way will be part of the background in the operators mind.

There are ways of solving the problem but I'm not about to tell the Terminaly Stupid Apelikes how to do it.

AlanMarch 7, 2012 2:35 PM

Speaking of cars, I hear Google and others are working on cars that drive themselves. Has anyone thought about the security aspects of that technology? I predict that as soon as we have self-driving cars, someone is going to pack one full of explosives and have it drive to some target and blow itself up.

mashiaraMarch 7, 2012 3:26 PM

@Alan and this is different from the attackers driving it there themselves how (as far as defense is concerned) ?

Defenders must protect themselves against suicide and time-delay car bombers alike if they're going to protect themselves against car bombs at all.

A much more interesting security issue is the legal (and perception) one, when something inevitably goes wrong and a car in autonomous mode causes a fatal accident, what then ? Even if it's proven that these cars are fifty times safer to have on the road than the average driver (even when not distracted or ill) there is going to be huge backlash just because people hate losing the illusion of control.

The Google self-driving cars are pretty awesome, there are still some conditions they simply cannot handle (like snow-covered roads, if they cannot see lane markings they're lost [but the team is working on this too]), I sincerely hope that I don't have to wait 10 years (or more) to have a self-driving car here in Finland (yes, there is snow, often a lot of it).

Captain ObviousMarch 7, 2012 11:44 PM

I don't know if there is a technology that can't be abused.

fingerprint technology - plant a print, lose the heat

immobilizing technology for cars - cause accidents, block traffic, diversion, revenge
http://www.wired.com/threatlevel/2010/03/...

alarm systems for houses - divert police response

computer authentication technologies - frame coworker


If it exists, someone has likely abused it, or at least made a movie exploiting the possibility.

Hiding in plain sightMarch 8, 2012 9:53 AM

@ kashmarek
Google Liu Bolin for more examples of hiding in plain sight.

herpderpMarch 8, 2012 11:54 AM

True, CardersMarket and Shadowcrew/Darkmarket and all the other crime boards were ahead of the game, but the feds used good old informant and infiltration tactics to bring all of them down.

Same goes for Sabu (@AnonymouSabu) who is now revealed to have been an informant for almost a year since the FBI picked him up. All it took was one lapse in commsec

AndrewMarch 8, 2012 3:12 PM

"All it took was one lapse in commsec"

Rumor has it it was two or three slip ups:

1. Failing to sign in via Tor (real IP is leaked)
2. Reregistering a www domain with his real
information instead of fake which, rumor has it,
he tried to remedy but it was too late
3. His information possibly being published,
or, "doxed" on pastebin and/or on other
websites which may or may not have followed
accidental rumored actions #1 and #2.

pMarch 9, 2012 9:26 AM

The interior position is also a psychological one. Defenders typically think in terms of stasis rather than continual change, because a static situation is easier to defend. So unless you have both regular defenders and white-hats who are trying to think like attackers, you're always going to be caught short.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..