Once More Undo the Breach

After the online breach of JPMorgan Chase, cybersecurity awareness is growing in the financial world. But what exactly is cybersecurity (and cybervulnerability)? What can or cannot be done to make sensitive information more secure?

A leading computer security and privacy expert, Bruce Schneier is one of the world's most recognizable voices on cybersecurity, author of the popular security blog Schneier on Security, board member of the Electronic Frontier Foundation, and CTO of Co3 Systems. His new book, Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World, will be published in Feb­ruary. In a straight-shooting interview with CFA Institute Magazine, Schneier discusses detecting and dealing with breaches of client data, the possibility of an attack on financial markets themselves, and why there are no easy answers when questions of security arise.

Are organizations taking the threat to cybersecurity too lightly?

Many are. Some of it is not understanding the contours of the threat, but a lot of it is a fundamental psychological bias. We tend to be risk seeking when it comes to losses, which means that we are likely to take the chance that we won't be attacked — rather than spend to prevent an attack in the first place. Think of it from the point of view of the person in charge of network security at an organization. If he underspends, he saves the company 10% of his budget and he's a hero. If he's unlucky and his company gets whacked, he can always get another job elsewhere.

Recently, we've seen the phrase "too big to secure." What do you make of it?

It's less the size and more the complexity. Complexity is the worst enemy of security, and complex systems are much harder to secure. Specifically, nonlinear and tightly coupled complex systems are much harder to secure, and that describes computers, networks, and pretty much all technological systems.

Are larger firms naturally more complex?

Not really. They can be more complex, but they don't have to be. What matters is how they're organized, how different parts of them can affect each other and society as a whole, and so on. They might be more fragile because of what they do and the role they play in our economy, but that's a different question.

How can organizations move toward simplicity?

Think resilience. If nonlinear, tightly coupled complex systems are more dangerous and insecure, then the solution is to move toward more linear and loosely coupled systems. This might mean simplifying procedures or reducing dependencies or adding ways for a subsystem to fail gracefully without taking the rest of the system down with it.

A good example of a loosely coupled system is the air traffic control system. It's very complex, but individual failures don't cause catastrophic failures elsewhere. Even when a malicious insider deliberately took out an air traffic control tower in Chicago, all the planes landed safely. Yes, there were traffic disruptions, but they were isolated in both time and space.

A counterexample might be the national power grid a decade ago. In 2004, a single failure resulted in the entire Northeast of the United States and southeastern Canada losing power. That's because the system was so tightly coupled. In the decade since then, the power grid was redesigned to be more resilient to failure. Companies need to learn from these examples and make their computer networks more resilient.

The US Treasury Department has spoken of bolstering fortifications around outside vendors to financial institutions, including law firms and marketing firms. Are those really the weak points? Will this be effective?

Those are certainly some of the weak points, and perhaps the Treasury Department has some detailed information to indicate that those points need shoring up. As to whether it will be effective or not, that requires a lot more detailed information about the systems than I have.

You've written that a motivated, funded, and skilled hacker will always get in. So, what can be done?

Again, think resilience. Security is a combination of prevention, detection, and response. All three are required, and none of them are perfect. As long as we recognize that — and build our systems with that in mind — we'll be OK.

This is no different from security in any other realm. A motivated, funded, and skilled burglar will always be able to get into your house. A motivated, funded, and skilled murderer will always be able to kill you. These are realities that we've lived with for thousands of years, and they're not going to change soon.

What is changing in IT security is response. The 1990s were the decade of prevention, with things like firewalls and antivirus systems. The early 2000s were the decade of detection, with intrusion detection systems and managed security monitoring. This is the decade of response. We're all going to have to get better about IT incident response because there will always be successful intrusions.

What about smaller financial firms that lack the resources to secure their systems?

Lots of companies won't have the resources to secure their own networks, and they're going to have to get used to outsourcing. This isn't anything new. We're already outsourcing our data to the cloud, and a lot of our applications to network providers. We're already outsourcing mission-critical corporate responsibilities, like HR, payroll, and legal. IT security is going to look more like that.

The trick here is to know what can be outsourced and what can't be. A company might be able to outsource the more technical aspects, but it'll always need to have an incident-response team in house because so many aspects of incident response are nontechnical.

My own company, Co3 Systems, builds coordination software for incident response. It's built for a technical IR team, but it's flexible enough to allow nontechnical users from legal, PR, corporate, and so on to be part of any incident response. And the system is scalable, so both large companies, like JPMorgan, and much smaller companies can benefit from the system.

Are there security best practices that can be used?

Yes, definitely. IT security is decades old, and we've developed some pretty robust best practices. The problem is that IT security is a constantly moving target, and what were best practices two years ago might not be the best things to do any longer. Too often, "best practices" are little more than a liability dodge, allowing companies to basically say, "We didn't know what to do, but we're doing what everyone else is doing, so please don't sue us."

What about security risk assessments or checklists?

There are lots of security risk assessments and checklists out there. While they're valuable and have their place in any defensive system, they're naturally limited. So many of the most successful attackers out there do things that aren't on the checklist.

One of my worries is the tendency of the media to simplify IT security. It's not a matter of "six things you must do today to secure your network" or "the seven habits of highly effective network security professionals." In security, the devil is in the details, and those details matter a lot.

What is your book Data and Goliath about?

Fundamentally, it's a book about surveillance and what to do about it. I tackle both government and corporate surveillance — the NSA and the FBI as well as Google and Facebook. I describe the types of surveillance that's going on, mostly on the internet but off it as well. I talk about the harms of this surveillance, on a variety of different levels. And I give solutions — for governments, for corporations, for us as individuals. This is really my first public policy book, and I wrote it for a general audience. I'm hoping it goes mainstream.

What could someone working in security at a financial services organization learn from your book?

On the surface, the book isn't aimed at security professionals. So, my first answer to your question is, "Nothing different from someone with a different job." But when you think about it, people who work in IT security spend their time defending their employers' data from attackers of all kinds. Understanding how those attacks work — who is after your data, what they do with it once they get it, and the policy debate that will underpin how we protect it — is vital to crafting good defenses. So, I hope that people who work in IT security will come away with a better understanding of how their jobs fit into the broader technological society we all live in.

For example, we're seeing a lot of government espionage against nongovernment targets. The Chinese government spends a lot of time attacking US corporate networks. Stuxnet, a US and Israeli cyberweapon fired at Iran, affected other networks around the world. And so on. Increasingly often, innocent corporate networks are collateral damage of these continual nation-state offensive actions in cyberspace.

Financial services firms getting caught in the crossfire — is that the dominant theme?

It's not the dominant theme, but it's an important theme. Decades ago, government and corporate networks were separate. Foreign and domestic networks were separate. Military and civilian networks were separate. Today, they're all one thing.

How do organizations know whether they have been breached?

Sometimes, it's obvious — the attackers did something to make themselves visible, or the organization mysteriously had $100,000 transferred to a bank account in Eastern Europe. Other times, the organization never knows. In many cases, the organization figures it out weeks or months later during an audit of some sort.

This is part of what makes incident response interesting. The response begins after the incident occurs, but it could be immediately after or it could be months after. If the organization is good, response happens while the incident is going on and the attackers are kicked out of the network in real time.

Have you thought about the possibility of a breach of the financial markets themselves?

There's always the possibility of a breach of any network. I'm not sure what you mean by a breach of the financial markets themselves, though. That system is complex enough that the breach will be a particular piece of the system that runs the market.

Regarding the JPMorgan breach, have you speculated on the motivation?

I haven't seen the details, so I don't know. Motivations range from the obvious financial ones to more complex ones. Some attacks are random — the attackers want a big pile of credit card numbers and they don't care where they get them. Others are targeted — the attackers want some particular data that is stored in a specific network. It's not unusual to have no idea what the motivations of a particular attacker are.

What's your advice on passwords?

I wrote an article on passwords on my blog that summarizes my advice. Basically, choosing a password that is (1) easy to remember and (2) hard for a computer to break is very, very hard.

Do we need a certain mindset for good security?

Definitely. There is a security mindset that is essential. It's a certain way of thinking about the world in terms of how to subvert systems. It's thinking like an attacker. I find that some people naturally think this way. They can't walk into a store without trying to figure out how to successfully shoplift. They can't use an online service without noticing all the ways they could cheat. They might not do any of those things, but they're continually thinking about them. I wrote an article on this topic in 2008.

I can always train people in the technical aspects of this security system or that security system, but it's much harder to train the security mindset.

What's your insight on the future of security and vulnerabilities?

I expect the future to look a lot like the past. While the details of IT security and vulnerabilities change all the time, at a macro level nothing has changed in a long time. The attacks and defenses we're seeing today are just extensions of what we've been seeing for years.

The main thing I see changing in the near term is how we approach response. I do believe that this decade will see qualitative changes in how organizations deal with incident response.

Is there room for ephemeral data in organizations?

It's an odd question. Ephemeral data — data that is erased and not stored — has been the norm for most of human history. Keeping data was the exception, and sometimes it was very difficult to do long term. Just because it's easy to save everything doesn't mean that we should. The best way to secure data is to erase it. If Target Corporation or Home Depot didn't save all that customer data, they wouldn't have been the victims of such massive data thefts.

Could financial firms begin to implement policies for ephemeral data?

Again, it's the "begin" that's odd. Since financial firms were invented centuries ago, most of the data they've invented has been ephemeral. It's only recently, as the cost of data storage has become so cheap, that they're saving everything rather than figuring out what they need to save.

At this point, I think it is essential for organizations to look at the data they're saving and decide if they really need to save it or not. Saving data brings with it risks — costs much greater than the price of storage — and organizations need to understand those risks.

If you were building security for an organization from the ground up, how would you begin?

I would hire someone who knew how to build a security organization from the ground up and then tell him to do it. Building a security organization is hard and not something I would take lightly. It also isn't my expertise, and I understand enough about the difficulty of the task to know that I can't just pick it up as I go.

One of the most important things is to understand that a security organization isn't going to be world class from day one. There's a maturity path that any security organization needs to walk, and that takes time. It also takes money and a senior management team that understands its importance.

Do we need more open discussion of security issues?

There is a lot of open discussion already. Do we need more of it? I don't know. There is a lot of it going on. I need to be convinced that, first, it's not enough, and second, that more could solve something.

Is cybersecurity getting more attention than before?

I think so, yes. It's getting more attention in the corporate world, as major attacks are being written about more in the press. It's getting more attention nationally, as Edward Snowden's NSA documents are being published and discussed. And it's getting more attention internationally, as we learn about the cyberattacks coming from countries like Russia and China. The FBI is now complaining about good security and trying to convince companies like Apple to make their systems less secure. I think we're on the verge of some major public policy decisions about cybersecurity on a variety of different fronts.

There's a view that hacking is only going to get worse. Do you agree?

I don't think it's going to get worse, but I don't think it's going to get better either. Right now, attack is easier than defense. It's not just the complexity of modern computer and internet systems — fundamentally, it's easier to break into one of these systems than it is to prevent others from doing so. This is why I focused my company on incident response and why I talk so much about resilience. We need to be able to survive attacks, because they're not going away.

Could defense become easier again at some point?

Definitely, if you think long term enough. Look at military history — it shifts every 100 years or so. Before gunpowder, the superweapon of the day was the knight. In armor and on his horse, he was basically unstoppable. Once firearms were invented, that changed. Even the most untrained peasant infantryman could take out a knight. Gunpowder changed everything about medieval warfare — not just the people and the tactics but also the fortifications. Medieval castles were useless in the face of cannon.

Largely, firearms favored the defense. It took Napoleon to figure out how to use those weapons effectively for the offense. By the time World War I rolled around, technology again favored the defense. Trench warfare was hell on attackers. It wasn't until Germany invented blitzkrieg warfare that we figured out how to use tanks effectively to counteract trenches and give the advantage back to the attacker. This is how technology affects warfare: back and forth, weapons and tactics. And it's not going to stop; the future of warfare isn't going to look like the past.

Is there a similar history of technology, regarding attack and defense?

Of course. You can see it in policing — technologies that enable criminals to commit crimes versus technologies that enable the police to solve crimes. You can't really see it in IT yet because all the technologies are too new. These are 50- to 100-year cycles. But sometime in the future, probably not in our lifetimes, the pendulum will shift and defense on the internet will be easier than attack.

Until then, we need to improve our ability to respond to attacks and beef up our resilience in the face of attacks.

Categories: Text, Written Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.