#266 – REVENGE OF THE NERDS – DAN SHOEMAKER

Something is brewing out there in nerd-land that is potentially dangerous to you and me. The concern centers on the Gerrymandering of the field that is presently going on in DC. Whether it is intentional or not, the logic goes like this.

  1. The functions in our critical infrastructure are enabled by computers.
  2. So, if the computer is secure then the infrastructure is secure.
  3. Computers are electronic devices.
  4. Electronic devices obey physical laws.
  5. Therefore the discipline that underlies the security of our infrastructure is science.

In simple terms, this implies that the actions to mitigate attacks on systems and information will be packaged into a tight linear discipline that assumes that all threats to our electronic infrastructure are identifiable and all outcomes can be predicted based on discrete mathematical modeling of physical phenomena.

The benefit of such an approach is that you are much less likely to fail. That is because you are limiting your responsibility to just those problems you might be able to solve. In some respects, that represents a marvelous exercise in candor. Since they are admitting that the phenomena that aren’t explicable by algorithmic applications are somebody else’s problem.

Except, the fact is that things don’t work that way.

A decade’s worth of loss statistics make it clear that the majority of the incidents involving attacks, or data loss, fall under the category of human behavior, stuff like social engineering or bent insiders, or simple physical loss or theft. And human behavior is not addressable by physical “science”. It is too idiosyncratic for that.

So, my original contention still stands.

What?!! Gasp!!! You are saying that physical science isn’t the answer? But those are the people who put men on the moon!

Of course in the case of the Apollo Program we could SEE the moon, measure the distance to it, and we had a pretty good idea what it would take to get us there.

Those missions would have been infinitely more difficult if the moon’s primary aim was to remain clandestine, surreptitious and untrodden.

So YES! That is exactly what I am saying.

The fact is that we are putting our infrastructure protection eggs in a basket that revolves around the discrete linear representation of phenomena and the modeling of physical behavior. The threats that originate from human actions are neither rectilinear, nor are they predictable. So they are not part of our basket. Which is dangerously unrealistic.

The whole point of attacking an electronic target is to exploit weakness, not ram your head on fixed defenses. Thus, successful attackers flow around the target looking for the place where there is no effective defense.

That kind of attack entails big picture vision and creative thinking, not profound understanding of the inner workings of the machine. So the guy we should be listening to is Sun Tzu, not Isaac Newton.

The real question is, what caused us to go down this path?

I am doing a chapter for IEEE on the history of the field. As a side result of that research I have come to believe that the problem stems back to a turf war between NIST and NSA.

It took place during the latter days of the “Gipper’s administration. Essentially it was over who got to control the emerging agenda for computer security.

The threat environment that we have right now was a non-starter back then, mainly because the global information grid was still a decade in the future. And because most of the government business was done on mainframes the issue of national security took precedence over the general information security concerns that would impact the country at-large.

Consequently DoD/NSA, instead of Commerce/NIST, was the group that got the mandate and the money to secure cyberspace. And as a result, the culture that continues to be vested with the protection of that grid is the nice little hothouse collection of nerds at the Agency. And the focus is still on the national security challenge.

Therefore, it is perfectly understandable that protection of information would be embedded in the national consciousness as a strictly electronic, physical science problem. After all, that is what the people at the Fort do.

Times change. Government never does. It still grinds on protecting its little patches of turf. So NSA, which is currently about as far removed from the needs of “Joe-the-Plumber” as you can be and still be in the same species, continues to hold the information protection agenda. And the practical outcome of putting DoD/NSA in charge has been that we are mostly trying to solve the problems of the proverbial one-percenters in the intelligence community and the military industrial complex.

The interesting thing to speculate is where Joe-the-Plumber would be if the Department of Commerce had been carrying the ball over the past 25 years. Of course NIST is still a running dog of the Federal Government. But it DOES have a mission outside the world of spy-versus-spy. Better yet, NIST is nominally a head-up organization, versus wherever NSA keeps its head.

NIST focuses on the development and application of standard well-defined processes, instead of the application of the scientific method. That big picture orientation lets it promulgate generally applicable, common best practice approaches as comprehensive solutions. This as opposed to trying to make all the bad guys go away through the mathematical application of universal physical principles.

I have been accused of pointing out problems without providing answers so let me be clear. Our collective quest to find the definitive silver bullet has to stop. Technological solutions solve explicit problems. Consequently, we have been very successful in situations involving well-defined and established physical challenges.

What we have not dealt with at all is the creative ambiguity that characterizes the behavioral exploits of the hacker fringe. That is because those incidents are by definition non-linear and thus unpredictable in any hard science sense. And our failure to factor capriciousness into the solution creates too many easily exploitable gaps in our defense.

Cynically, it makes sense for our governmental and academic leaders to keep the focus away from something as hard to predict and control as human behavior. Since those folks all want to keep their careers on track. But the simple and obvious fact is that, until the solution incorporates actions that recognize and address every reasonable form of attack we will never be secure.

Therefore I propose that we wake up and address the reality. We do that through a single coherent, multi-disciplinary approach to security.

That approach has to provide the wherewithal to recognize and counter every conceivable attack vector, from electronic phenomena to human behavior. And it should exclude nothing.

The process has to be coordinated at the top as a single unified approach.

And it will only be considered effective if it embodies all of the elements necessary to provide a trusted long term assurance solution. Put in simple terms, correctness cannot be gerrymandered and we have to stop thinking that if we do that it is acceptable.

Bio:

In addition to my own teaching, research and publication program, I am accountable for developing innovative research programs in cybersecurity. I am also responsible for leadership in all aspects of curriculum design and development for a National Center of Excellence in Information Assurance Education (CAE/IAE). Courses taught include:

 Graduate Secure Software Management
 Graduate Software Assurance
 Graduate Information Assurance Principles

Leave a Reply

Your email address will not be published. Required fields are marked *