Gary McGraw on National Cybersecurity

Good essay, making the point that cyberattack and counterattack aren't very useful -- actual cyberdefense is what's wanted.

Creating a cyber-rock is cheap. Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder. In fact, if the bad guy is willing to invest time rather than dollars and become an insider, cyber-rocks may in fact be free of charge, but that is a topic for another time.

Given these price tags, it is safe to assume that some nations have already developed a collection of cyber-rocks, and that many other nations will develop a handful of specialized cyber-rocks (e.g., as an extension of many-year-old regional conflicts). If we follow the advice of Hayden and Chabinsky, we may even distribute cyber-rocks to private corporations.

Obviously, active defense is folly if all it means is unleashing the cyber-rocks from inside of our glass houses since everyone can or will have cyber-rocks. Even worse, unlike very high explosives, or nuclear materials, or other easily trackable munitions (part of whose deterrence value lies in others knowing about them), no one will ever know just how many or what kind of cyber-rocks a particular group actually has.

Now that we have established that cyber-offense is relatively easy and can be accomplished on the cheap, we can see why reliance on offense alone is inadvisable. What are we going to do to stop cyberwar from starting in the first place? The good news is that war has both defensive and offensive aspects, and understanding this fundamental dynamic is central to understanding cyberwar and deterrence.

The kind of defense I advocate (called "passive defense" or "protection" above) involves security engineering -- building security in as we create our systems, knowing full well that they will be attacked in the future. One of the problems to overcome is that exploits are sexy and engineering is, well, not so sexy.

Posted on November 8, 2012 at 1:24 PM • 15 Comments

Comments

GeraldanthroNovember 8, 2012 1:57 PM

More than Cyber ROCKS, STUXNET, et al,
5 or 6 yrs in Irans infrastructure & networks suggest everything mapped,
including counterstrike plans.
OTHER: CYBER WMD strike leaves enemy with very little left for any counterstrike.

http://warintel.blogspot.com/2010/10/...

Gerald
War Anthropologist

boogNovember 8, 2012 4:45 PM

You know it's a good essay because it advocates security by design, questions the security industry and existing defenses, and mentions hobbits.

Brandioch ConnerNovember 8, 2012 8:09 PM

There are 81 instances of the word "cyber" in that article.

"Put another way, most modern control systems are so poorly designed from a security perspective that they are vulnerable to attacks devised over fifteen years ago."

Not only that but the current state of the "security" industry is such that it is still unable to reliably detect attacks "devised over fifteen years ago".

"Unfortunately, neither is getting that payload to an intended target as evidenced by the myriad reports of USB stick misuse, connecting personal devices to corporate and even classified networks, and so on."

And that is the core problem.
Security is easy.
But being insecure is even easier.
And there is always someone who thinks that their personal convenience/authority is more important than following proper security protocols.

"The NASCAR effect causes shortsighted pundits to focus on offense, which is sexy, to the detriment of defense, which is engineering."

Attacks are easy to explain and demonstrate.

Defense is difficult to explain WITHOUT a corresponding attack. And even then the focus will be on patching the smallest amount of the system to defeat that specific attack.

"A misunderstanding about different kinds of defense can lead to an incorrect approach and a false sense of security."

We really need to use a different word that means "false sense of security".

Michael LynnNovember 8, 2012 8:48 PM

A major difference between so called cyber warfare and more traditional battlefields is that offense and defense are not closely related, and they're definitely not interchangeable.

What I mean to say here is that traditional offensive technology, lets say a tank, can also be used defensively. By contrast an exploit is of pretty much no use in defending off a cyber attack. The issue of attribution is a large part of it (its hard if not impossible to know with certainty who is attacking you), but its larger than that. Even if you could know the source of an attack using exploits for a counter attack does nothing to mitigate or halt attacks already in progress by your enemies. (You can't drive the enemy back with a buffer overflow).

Rather than talking about whether we need cyber-rocks vs real defense I'd argue that we need both. But the so called cyber-rocks would probably be better used more for intelligence than for actual attack.

That said, my experience tells me that we're not going to get defense taken seriously. When you try to discuss this with policy makers you get this strange double think about cyber issues. On the one hand they are sure that hackers can launch nukes with nothing but a touchtone telephone. At the same time when you talk about adding in real defenses they speak as if you're overstating the threat and making a tempest in a tea cup. I think the root of the problem is this...everyone thinks that everyone should be spending more resources on defense...everyone except themselves.

Nick PNovember 9, 2012 12:42 AM

He thinks offense is sexy & engineering defense isn't. A guy at a recent Schmoocon said something similar. Let's substitute "fun," "cool", "mentally engaging" and other more applicable phrases for "sexy." Starting there, you see there's quite a few people enjoying coming up with better protocols, languages, libraries, software, & actual systems. So the question is how to spread the word about them & get more people making them.

I think one way is to show more people what it's about. Myself and others have accused the security defense industry of constantly reinventing the wheel: so many problems they face have been solved before & so many they create were preventable. I think it might help to have a collection of all sorts of exemplar work from the past, academic & real-world, that can inspire future security engineers.

I have a recent example. Jack Ganssle, of Embedded Muse, solicited information on dealing with stack overflows. He's been in the industry for a while and is very knowledgeable in embedded software design. I told him 1970's era MULTICS had a stack that flowed in reverse direction to make overflows impossible or hard. I also pointed out some academics did it on x86 Linux. He had never heard of it and thought it was a great idea. He also reminded me stack direction is often dictated by the hardware, yet Linux team worked around that. Here's the question: we've been able to totally defeat the easiest attack on the stack for FOUR DECADES, but why don't people know that?

We also need to gather the security engineering knowledge & structure it in such a way that it can be passed down to that generation. One possibility there is to divide it into common/cross-domain knowledge & knowledge for specific domains. The domains should be matched to the job function: applications, networking, intrusion detection, endpoints, OPSEC, COMSEC.

I'm a decent example of what needs to happen. (I don't mean that in an ego-centric way.) I grew up midway between the older & newer generations of IT guys. I experienced MS-DOS, dialup, Windows, broadband, having a PCI card for everything, etc. Yet, the wisdom of the older crowd contained in their writings, projects & products didn't elude me. I've pulled about every useful Lesson Learned I could out of it, combined it with modern stuff & repeatedly come up with stuff that others took years to figure out (or haven't yet wink). It's just that the knowledge transfer I've been talking about happened, some here on this blog. The wisdom of the ancients, err previous generation, pays off quite well.

I'll also say that anyone who thinks defense research is boring is doing it wrong. It's been an extremely interesting & challenging experience on my way to this level of knowledge/experience. I've learned what works, what doesn't, why in many case, & there's still so many challenges awaiting it's mind-boggling. Honestly, I find the typical offense scenario to be very boring in comparison: dig through a bunch of code, find a common mistake, weaponize it, publish. Wow, that's so easy all kinds of people are doing it, even learning from books at Barnes & Noble.

Try to make a heap overflow impossible (or close) with no observable performance impact & no rewriting loads of software. Create a DNS, PKI or whatever alternative that's both more secure & will work in corporate environments. Create a programming language that's very expressive & efficient, but can almost automatically prevent most implementation flaws (some close contenders there). Actually replace TCP, FTP and HTTP. ;)

Yeah, there's plenty of sexy/clever/brilliant solutions to these problems waiting to be found. There's also plenty of drudgery in engineering these solutions. If anything, you come out of it with the pride that your solution is untouchable compared to others or that you've done what seemed nearly impossible. It's quite a feeling.

AC2November 9, 2012 3:09 AM

The real problem is that the US hasn't had to consider defence (and I mean real defence against an enemy, not the go-halfway-across-the-world-to-attack-someone kind of defence) in a rational manner since the cold war ended...

Saint CrustyNovember 9, 2012 3:26 AM

@Nick P. : Glad to hear others think alike in a more and more Offensive world. Needless to say i watch MY language.

You also touch on the 'unthinkable', namely why many solutions exist but are not in place.

My guess "no one wants to live in a perfectly secure world" it would render the owner of the model invincible.

Since "absolute power absolutely corrupts" humans tend to rely on mutual trust which suppersedes any technological solution.

In the end we're all social but not all are social engineers, proven daily by non-technical people leading technical departements.

Generalised security is desirable for peace of mind, non-generalised insecurity on the other hand is diserable for peace of mind. And that was not a typo, i try to illustrate very different lines of thinking. Be it tactical or strategic that makes the difference. Or ignorance, but that too is 'unthinkable'.

Danny MoulesNovember 9, 2012 5:18 AM

"Defense is difficult to explain WITHOUT a corresponding attack. And even then the focus will be on patching the smallest amount of the system to defeat that specific attack."

This is a clincher. So often something is (needs to be) explained in terms of attack, because otherwise it won't be understood, and the audience seizes the initiative to resolve the _attack_ rather than applying an appropriate defense because it is always easier (read: cheaper, faster) to defend against a specific attack than it is against a category of attacks.

"We really need to use a different word that means "false sense of security". "

Ignorance?

renoXNovember 9, 2012 6:51 AM

@Nick P: the thing is that most of the time inertia/cost reduction prevent simple changes which would improve security..

Writing programs in Ada (or any other language which has checks against out-of-bond array access) isn't difficult, yet we are still using C instead.
The MIPS ISA has instructions to send a trap on integer overflow allowing to prevent silent integer overflow with a *near zero* CPU cost, yet new CPU ISA don't have such instructions..

onearmedspartanNovember 9, 2012 7:11 AM

A good reason building cyber defenses is not 'sexy' is two-fold: we do not know what kinds of cyber rocks the other side has (so we don't have a thorough understanding of what is vulnerable and how) and it seems more opportunistic to attack the other side since we know what they have or what (patches) they don't have.
Also, we know what would happen to the enemy that we attack. We don't know the consequences of getting attacked until it happens.
But I agree with the majority: You can't defend what you don't know.

paulNovember 9, 2012 10:19 AM

So essentially we're back in a MAD scenario, except that you can't guarantee your counterattack will actually clobber the people launching the initial salvo?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..