Summary by Christine Task.
The fireside chat was an open discussion among several important persons with very interesting positions in the security world. The conversation covered a broad range of topics, as each participant contributed their unique insight and perspective. The summary below will collect just the main points for easy review.
Present were (in seating order):
Dr. J.R. Rao of IBM Research Manager of the Internet Security Group at IBM Research (abbreviated below as IBM)
Howard A. Schmidt, Office of the U.S. President Cyber-Security Coordinator of the Obama Administration (abbreviated below as GOV)
Dr. Eugene Spafford, Purdue Executive Director of Purdue CERIAS (abbreviated below as SPAF)
Sam Curry, RSA Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA, The Security Division of EMC (abbreviated below as RSA)
The first question addressed was: Why do commercial products still fail to adopt basic security practices, (such as separation of privilege, limited connectivity and minimization of function) even though their importance and efficacy has been well-understood for decades?
RSA: Product designers aren’t security experts; security is usually added as an afterthought and considered an interruption to progress. Although there’s some market pressure for more secure products, there is incredible pressure to be the first to release a new product. The long term outlook gets forgotten. Possibly if contracts included penalties for developers who made obviously vulnerable products or did not properly integrate basic security measures into their products, the balance might be better.
IBM: Security is definitely an afterthought in most product design. On the other end of the scale, though, high assurance ‘ivory tower’ systems exist, but are incredibly expensive to build. One aspect of convincing commercial interests to integrate security policies into their development is finding a good balance among what is effective, efficient, and economically feasible. Currently companies with web-facing applications who are concerned about security often use off-the-shelf products to perform source-code scans. Unfortunately, these aren’t as helpful as they might be, even as after-thoughts. They often produce a flood of output, with little to indicate which faults are actually important, and as a result much of their advice may be disregarded.
SPAF: Some fixes are obvious and simple, like languages which prevent buffer overflows. Why aren’t they in use? The vast majority of people don’t make use of the explosion of features in their gadgets: why don’t product developers practice minimization of features? The problem is that there is basically no liability for security flaws. Potentially, we need to consider penalties for software companies whose security performance is extremely negligent.
GOV: Companies aren’t completely unaware of security concerns; delegation of privileges is much more widespread than it used to be. The difficulty may be that companies don’t understand which security policies are applicable to their products (“it’s secure, it has a password!”). Customers need to demand secure products, or else there’s no market pressure for companies to improve their records. A concern about government regulations, managing security from the top down, is that introducing lawyers limits innovation, and we can’t afford to have an economic disadvantage in the global economy. However, the “Power of Procurement” is a very valuable tool. The government penalizes its contractors/suppliers for obvious security flaws in the products they provide, and this forces higher standards to be adopted within those companies, which helps the standards spread out into the technology ecosystem. There has been visible progress in the past decade.
Next, Spafford asked about the possible worst-case consequences of our slow adoption of good security practices: Is a catastrophic event, a “cyber-security pearl harbor”, possible?
RSA: Every new technology brings concerns like this, and generally we prepare and the threat doesn’t come to pass. Of more concern are less glamorous, slower threats, which we are not defending against: like the involvement of organized crime in technical spheres.
GOV: We actually have been developing tools for a long time, within the DOD, to protect against catastrophic attacks, and we’re working on making those tools available for law enforcement and civilians now as well. What’s more difficult is protecting against these more long-term, subtle threats. Law enforcement has been trained to do computer forensics on localized, physical computers. How do they adapt when an intrusion investigation can easily become a global affair?
IBM: One of these subtle threats is intellectual property loss. It doesn’t take much to remove a company’s competitive edge, and that loss can eventually destroy the company. The FBI has been helpful in tracking IP threats throughout the world, but there are clearly still problems. Commercial tech developers are extremely worried about the security measures which protect their IP, and this may be a good vector for encouraging them to adopt better security practices generally.
This was followed by a slightly more personal question from Dr. Spafford, “What keeps Dr. Rao (IBM) up at night?”
IBM: Intellectual property loss; existing products aren’t sufficient protection. How quickly can an effective approach be developed and adopted?
GOV: A similar issue: The government was able to greatly reduce global issues with money-laundering, by diplomacy with other countries who were blindly enabling it for their own personal, or national benefit. We’re hoping to form a similar global coalition to reduce IP theft: an agreement such that if someone steals your product which you’ve invested deeply in developing, and pushes their version out the door before you, there will be sanctions. There won’t be a market for the pirated product. Also, note that although CEO’s of companies may be concerned about IP protection, the structure of companies often leaves no one actually in charge of managing it: auditors are concerned about financial books rather than security.
RSA: In fact, the CFO’s and audit committees have their own language, and aren’t likely to learn a separate language for security. For example, the word “risk” means very different things to the two groups. If security professionals want to be successful, they need to learn to speak business language; they can’t allow themselves to be separated into a pool of technology talent and kept away from the overall workings of the company.
This prompted the general question: How does a company or a government manage security concerns in a multi-national environment?
GOV: We work diplomatically with other countries on our common cyber-security issues, and our common desire to be able to safely support multi-national companies who have concerns IP protection.
IBM: We sell defensive products in 176 countries, never products to be used for offensive purposes. We never align with any government against any other.
RSA We’re in an interesting situation as a multi-national company: we actually work with many, many different governments and thus have personnel with security clearances in a variety of countries. We use a pools of trust system to make certain sensitive information stays segregated within the company.
The speakers then responded to three questions which had been previously submitted by audience members:
How do we deal with the fact that the critical infrastructure we need to protect is often owned by a variety of small regional businesses?
GOV: Again, the power of procurement allows the government to help encourage high standards of security for the products which these smaller companies use.
IBM: The national labs and IBM have worked together with regional utilities to roll out an extremely secure, well-designed smart grid system. This is another way in which private-public partnerships can improve security generally.
SPAF: However, the government can’t cover every small utility. Really effective new security is often prohibitively expensive for these small businesses. We need to find ways for them to break needed improvements into a sequence of small, gradual changes and amortize the costs over time.
RSA: Even large utilities have very small IT departments, and often a large age and cultural gap between the old staff and the new tech experts. The two groups don’t communicate well, and incredibly valuable knowledge is being lost as people retire. This endangers the security of the entire system. Is there any way we can change the model/organization of these institutions to prevent this?
Will users, rather than the corporations they deal with, ever have direct control over their own privacy?
GOV: This is very important, and it needs to happen sooner rather than later. Unfortunately, we’ve already gone a long way down the wrong path, and it may be very difficult to get back.
Nine years ago, Dr. Spafford collaborated on a list of the [Grand Challenges for Cyber-security] (https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/01264859.pdf). What progress has been made?
SPAF: Progress has been made against epidemic attacks, such as flash worms. Now we’re dealing with slower penetration by bot-nets, and we’re getting better at fighting those as well. There is considerable work left to be done, in general, though.
IBM: There is industry inertia, but active work is being done on these.
RSA: These are very useful rallying points, things we should continue to work on. He once got a question from a German reporter at an RSA conference, “When will we solve this security thing?” This was his favorite question ever. It’s all, always, a work in progress. Right now, it’s very important that existing security is made effortless for users, so it’s commonly adopted.
GOV: We actually have a hard time comparing the costs and prosecution rates of these cyber-attacks to the costs of physical attacks, such as burglaries. Only 3% of cyber-attacks were prosecuted (in a recent year), but what percentage of burglaries are prosecuted? What’s the relative cost? In general, we need to educate people about simple ways of defending themselves.
SPAF: To achieve widespread adoption, security needs to be made effortless and economic. We can’t hope to succeed by telling people what “not” to do. We need to build security into products, so there’s no choice necessary: so users aren’t even aware it’s there.