Cybersecurity Today and Tomorrow: Pay Now or Pay Later - PowerPoint PPT Presentation


PPT – Cybersecurity Today and Tomorrow: Pay Now or Pay Later PowerPoint presentation | free to view - id: 4e933-ZDc1Z


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Cybersecurity Today and Tomorrow: Pay Now or Pay Later


The National Academy of Sciences National Academy of Engineering, and Institute ... They consist of the nation's top scientists, engineers, and medical experts. ... – PowerPoint PPT presentation

Number of Views:37
Avg rating:5.0/5.0
Slides: 28
Provided by: herb5


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Cybersecurity Today and Tomorrow: Pay Now or Pay Later

Cybersecurity Today and Tomorrow Pay Now or Pay
  • Herb Lin
  • National Research Council
  •, 202-334-3191

The National Academies
  • The National Academy of Sciences National Academy
    of Engineering, and Institute of Medicine are
    honorific organizations operating under a
    Congressional charter granted in 1863. They
    consist of the nations top scientists,
    engineers, and medical experts.
  • The National Research Council is the operating
    arm of the National Academies to associate the
    broad community of science and technology with
    the Academys purpose of advising the government,
    the public, and the scientific and engineering
  • The Computer Science and Telecommunications Board
    has responsibility within the NRC for matters of
    public policy involving information technology.

The CSTB Board
  • DAVID D. CLARK, Massachusetts Institute of
    Technology, Chair
  • DAVID BORTH, Motorola Labs
  • JAMES CHIDDIX, AOL Time Warner
  • JOHN M. CIOFFI, Stanford University
  • ELAINE COHEN, University of Utah
  • W. BRUCE CROFT, University of Massachusetts at
  • THOMAS E. DARCIE, ATT Labs Research
  • JOSEPH FARRELL, University of California at
  • JEFFREY M. JAFFE, Bell Laboratories, Lucent
  • ANNA KARLIN, University of Washington
  • BUTLER W. LAMPSON, Microsoft Corporation
  • EDWARD D. LAZOWSKA, University of Washington
  • DAVID LIDDLE, U.S. Venture Partners
  • TOM M. MITCHELL, WhizBang! Labs, Inc.
  • DONALD NORMAN, Nielsen Norman Group
  • DAVID A. PATTERSON, University of California at
  • HENRY (HANK) PERRITT, Chicago-Kent College of Law
  • BURTON SMITH, Cray, Inc.
  • TERRY SMITH, University of California at Santa
  • LEE SPROULL, New York University
  • JEANNETTE M. WING, Carnegie Mellon University

Why Now?
  • September 11, 2001 was the impetus.
  • Lessons from September 11
  • Some terrorists are patient
  • Some terrorists plan their operations very well
  • Some terrorists are smart and technically
  • Some terrorists know about the Internet
  • Note Cybersecurity more narrow than

This report
  • Compiles understanding, knowledge, findings, and
    recommendations from a decade of CSTB reports on
  • 1991. Computers at Risk Safe Computing in the
    Information Age.
  • 1996. Cryptography's Role in Securing the
    Information Society.
  • 1997. For the Record Protecting Electronic
    Health Information.
  • 1999. Trust in Cyberspace.
  • 1996. Continued Review of the Tax Systems
    Modernization of the Internal Revenue Service.
  • 1999. Realizing the Potential of C4I
    Fundamental Challenges.
  • 2001. Embedded, Everywhere

The Main Message
  • Whats the new news now?
  • Information technology has changed dramatically
    in the last decade Internet, e-commerce, PCs
  • What was news 10 years ago in cybersecurity is
    STILL relevant today!
  • Speaks to a very sorry state of progress in the

What can go wrong with a computer system or
  • It can become unavailable or very slow (e.g.,
    denial of service)
  • It can become corrupted (e.g., bad data)
  • It can become leaky (e.g., sensitive information

Causes of Deliberate Cyber-problems
  • Cyber-only attack
  • virus
  • denial of service
  • originate from anywhere
  • damage may be invisible
  • Compromise of trusted insider
  • recruited, tricked, or planted
  • Physical destruction of IT facility

Possible Harm from Cyber-attack
  • In general, NOT comparable to 9/11
  • massive loss of life, damage to physical
    infrastructure over a very short amount of time.
  • Cyber-only attack could result in economic and
    associated social harm
  • compromise of electric power distribution
    transportation and shipping, financial
  • Many opportunity costs interruption of business,
    forgoing of various activities and associated
  • Major effect of large-scale cyberattack
    coordinated with attack on physical
  • ATC airliner hijackings
  • 911/phone bombing

What do we know about Cyber-Security?
  • General Observations
  • Information system vulnerabilities are growing
    faster than our ability (and willingness) to
  • Management
  • Operational Considerations
  • Design and Architectural Considerations

General Observations
  • Security costs, not only in dollars but
    especially in interference with daily work.
  • No widely accepted metrics for characterizing
    security, so hard to know how much security a
    certain investment buys or is enough.
  • System security is a holistic problem, in which
    technological, managerial, organizational,
    regulatory, economic, and social aspects
  • The best is the enemy of the good.
  • Security is a game of action and reaction.
  • Cyberattacks can be easily covered up.
  • Reporting is essential for forensics, attack
    characterization, and prevention.

  • Cybersecurity today is far worse than what known
    best practices can provide.
  • The payoff from security investments is
    uncertain society often captures the benefit of
    improved security. Hence, underinvestment in
    security customers buy features rather than
  • A central aspect of security must be
  • Many security problems exist not because a fix is
    unknown but because some responsible party has
    not implemented a known fix.
  • Resolve the conflict between holding people
    responsible and full reporting of problems, which
    tends to be easier in an environment in which
    individuals are not fearful of reporting problems.

Operational Considerations
  • Independent red-teaming for understand actual
  • Target must not know about the test
  • Testers must not be constrained
  • Problems must be fixed!
  • Many compromises result from improper
  • Unauthorized but legitimate modem
  • Bug fixes missing because system was restored
    from a backup tape
  • Improperly configured firewall
  • Overly broad access privileges
  • Need for automated configuration management tools
    and automatic security update (very challenging
  • Fallback action plans needed do less in order to
    lower vulnerability

Design and Architectural Considerations
  • Tensions between security and other good things,
    such as features, ease of use, and
    interoperability (similar to insurance)
  • Human error is usually not a useful explanation
    for security problems.
  • operational practice that requires people to get
    too many details right too little red-team
  • management practice that allows too little time
    for security procedures or fails to ensure that
    problems uncovered are fixed.
  • User authentication is essential for access
    control and for auditing.
  • Passwords are 40-yr old security technology
  • (Biometrically-enabled) hardware token
  • Defense in depth vs/and perimeter-only defense

What can be done?
  • Individual organizations
  • Vendors
  • Public policy makers

Individual organizations
  • Resource an internal entity that provides direct
    defensive operational support to system
    administrators throughout the organization
  • Ensure that adequate information security tools
    are available and used hold people accountable
    for use
  • Conduct frequent, unannounced red-team
    penetration testing and report the results to
    responsible management.
  • Promptly fix problems and vulnerabilities that
    are found.
  • Mandate the organization-wide use of available
    network/configuration management tools, use of
    strong authentication mechanisms
  • Design systems under the assumption that they
    could be connected to a compromised network or a
    network that is under attack, and practice
    operating these systems under this assumption.

  • Improve the user interface to security, which is
    totally incomprehensible in nearly all of today's
  • Develop tools to monitor systems automatically
    for consistency with defined secure
    configurations and enforce these configurations.
  • Provide schemes for user authentication based on
    hardware tokens.
  • Ship systems with security features turned on and
    default identifications and passwords turned off
  • Conduct more rigorous testing of software and
    systems for security flaws, and do so before
    releasing products rather than use customers as
    implicit beta testers to shake out security

Policy Makers
  • Consider legislative responses to the failure of
    existing incentives to cause the market to
    respond adequately to the security challenge.
  • Position the federal government as a leader in
  • Provide adequate support for research and
    development on information systems security.

  • Reports from
  • The organization that did this report
  • The National Academies
  • Me
  • Herb Lin, Senior Scientist
  •, 202-334-3191

Thoughts on Liability
  • CSTB/NRC report did NOT endorse liability for
    software vendors.
  • Policy makers should consider legislative
    responses to the failure of existing incentives
    to cause the market to respond adequately to the
    security challenge. Possible options include
    steps that would increase the exposure of
    software and system vendors and system operators
    to liability for system breaches and mandated
    reporting of security breaches that could
    threaten critical societal functions.

The broad outline
  • Market forces have failed to provide an
    environment in which vendors and users have
    sufficient incentives to provide for security.
  • Inadequate information about consequences of
  • Society often captures benefits of security
    investments (social needs greater than corporate
  • Deregulation forces more competitive pressures

Responding to Market Failures
  • Mandate behavioral changes
  • Shift the economic calculus
  • carrots
  • yearly award for cybersecurity from Ofc of
    Homeland Security and the President
  • Malcom Baldridge Quality Award
  • ISO XXXXX certification?
  • Immunity for early reporting? (like FAA)
  • sticks
  • Liability
  • red team results into public documents
  • accounting standards to include cybersecurity

Issues raised by liability
  • differentiating between infrastructure and end
    user for liability purposes (e.g., my program
    works on your operating system - how to allocate
  • holding infrastructure providers liable for
    economic damage is hard under current case law
  • uncorrelated damages mean that insurance model
    wont work

Issues (continued)
  • reducing incentives to disseminate information or
    to allow forensics or to provide fixes
  • holding vendors responsible for something they
    don't know how to do (e.g., how do deal with loss
    of functionality from security patch, which
    doesn't always work properly)

Issues (continued)
  • establishing standards of care (best practices?
  • hard for lay people to understand security
    breaches - how to decide on liability
  • good methodology to establish extent of liability

Fire vs Cyberhack Prevention
  • Losses due to deliberate action (hence no
    actuarial basis) (terrorists are not a
    probability distribution)
  • No metrics for security
  • Fundamental science of cybersecurity is not known
  • Damage is often invisible
  • Technical standardization can be similar to
    monoculture weak in face of correlated threat
  • Impact of fix often impossible to be localized
  • Losses largely due to accident (harder to insure
    against arson than lightening)
  • Fire resistance can be quantified (sort of)
  • Fundamental science of fireproofing and
    structural engineering is known
  • Damage is visible
  • Standardization is advantageous when failures can
    be uncorrelated
  • Impact of fixes can be localized

On standards for security
  • Distinguish between technical standards and
    behavioral standards
  • Tech standard 56 bit encryption, no buffer
    overflows, Windows XP everywhere (or an Orange
    Book C2 system)
  • Behavioral standard red-team test once a month