The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Solving some of the Wrong Problems

Share:

[tags]cybersecurity research[/tags]
As I write this, I’m sitting in a review of some university research in cybersecurity.  I’m hearing about some wonderful work (and no, I’m not going to identify it further).  I also recently received a solicitation for an upcoming workshop to develop “game changing” cyber security research ideas.  What strikes me about these efforts—representative of efforts by hundreds of people over decades, and the expenditure of perhaps hundreds of millions of dollars—is that the vast majority of these efforts have been applied to problems we already know how to solve.

Let me recast this as an analogy in medicine.  We have a crisis of cancer in the population.  As a result, we are investing huge amounts of personnel effort and money into how to remove diseased portions of lungs, and administer radiation therapy.  We are developing terribly expensive cocktails of drugs to treat the cancer…drugs that sometimes work, but make everyone who takes them really ill.  We are also investing in all sorts of research to develop new filters for cigarettes.  And some funding agencies are sponsoring workshops to generate new ideas on how to develop radical new therapies such as lung transplants.  Meanwhile, nothing is being spent to reduce tobacco use; if anything, the government is one of the largest purchasers of tobacco products!  Insane, isn’t it?  Yes, some of the work is great science, and it might lead to some serendipitous discoveries to treat liver cancer or maybe even heart disease, but it still isn’t solving the underlying problems.  It is palliative, with an intent to be curative—but we aren’t appropriately engaging prevention!

Oh, and second-hand smoke endangers many of us, too.

We know how to prevent many of our security problems—least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.

Instead of building trustworthy systems (note—I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised.

We spend huge amounts on detecting botnets and worms, and deploying firewalls to stop them, rather than constructing network-based systems with architectures that don’t support such malware.

Instead of switching to languages with intrinsic features that promote safe programming and execution, we spend our efforts on tools to look for buffer overflows and type mismatches in existing code, and merrily continue to produce more questionable quality software.

And we develop almost mindless loyalty to artifacts (operating systems, browsers, languages, tools) without really understanding where they are best used—and not used.  Then we pound on our selections as the “one, true solution” and justify them based on cost or training or “open vs. closed” arguments that really don’t speak to fitness for purpose.  As a result, we develop fragile monocultures that have a particular set of vulnerabilities, and then we need to spend a huge amount to protect them.  If you are thinking about how to secure Linux or Windows or Apache or C++ (et al), then you aren’t thinking in terms of fundamental solutions.

I’m not trying to claim there aren’t worthwhile topics for open research—there are.  I’m simply disheartened that we are not using so much of what we already know how to do, and continue to strive for patches and add-ons to make up for it.

In many parts of India, cows are sacred and cannot be harmed.  They wander everywhere in villages, with their waste products fouling the streets and creating a public health problem.  However, the only solution that local people are able to visualize is to hire more people to shovel effluent.  Meanwhile, the cows multiply, the people feed them, and the problem gets worse.  People from outside are able to visualize solutions, but the locals don’t want to employ them.

Metaphorically speaking, we need to put down our shovels and get rid of our sacred cows—maybe even get some recipes for meatloaf. grin

Let’s start using what we know instead of continuing to patch the broken, unsecure, and dangerous infrastructure that we currently have.  Will it be easy?  No, but neither is quitting smoking!  But the results are ultimately going to provide us some real benefit, if we can exert the requisite willpower.

[Don’t forget to check out my tumble log!]

Comments

Posted by Pick your poison. : everburning
on Thursday, October 11, 2007 at 06:29 PM

[...] Stumbled across, well, it showed up in my blogroll, an interesting article on the Cerias blog about problem solving and our tendency to try to cure the symptoms instead of solving underlying issues. Mostly computer stuff but nothing technical and maps to pretty much any culture. As a result, we develop fragile monocultures that have a particular set of vulnerabilities, and then we need to spend a huge amount to protect them. ~ Solving Some of the Wrong Problems. [...]

Posted by Andrew Patrick » Solving the wrong security
on Friday, October 12, 2007 at 05:17 AM

[...] Solving some of the Wrong Problems   We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it. Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised.  Share This   Close [...]

Posted by Sicurezza, ICT ed altro » Blog Archive &raqu
on Sunday, October 14, 2007 at 11:50 PM

[...] Fra i vari feed che leggo, ovviamente che ne sono alcuni che riguardano le nuove vulnerabilità. Dato che al momento non sono impegnato in attività da sistemista, leggere questi interminabili elenchi di vulnerabilità mi fa l’effetto di ascoltare isoradio stando a casa: una serie di notizie sostanzialmente uguali tutti i giorni, cambiano i posti e i chilometri delle code, ma le cause sono sempre le stesse e in alcuni tratti a certe ore c’è sempre coda. Ha ragione (come sempre) Spafford, quando dice che passiamo il tempo a risolvere i problemi sbagliati. [...]

Posted by Blog Tips #2
on Wednesday, October 17, 2007 at 08:49 AM

[...] ótimo post de Eugene Spafford a respeito dos investimentos financeiros e de tempo realizados em soluções de segurança do tipo [...]

Posted by An Optimistically Fatalistic View On The Futility
on Wednesday, October 17, 2007 at 10:39 AM

[...] one I support completely. Dr. Eugene Spafford, a seminal figure in information security, is also dedicating effort to the cause. I’m firmly in their camp and believe that while we don’t need an entirely new model [...]

Posted by Joseph Crawford
on Thursday, October 18, 2007 at 06:35 AM

As the old General Contractor says, “We offer solutions that are fast, high quality, and inexpensive.  But you may have only two of the three.”

Unfortunately, to provide truly secure (high quality) solutions it takes significant time and/or expense.  Fast and cheap rules the day, especially in information technology.  Band-aids for security are cheap and readily available; transplant surgery is expensive and painful.

The basics of market economics declare that while highly secure systems are the best option, the speed of evolution in the industry (mandating quick responses by developers) drives up the cost to the point where the customer will ultimately buy a less expensive solution - and normally the first-to-market offering at that (due to market share and percieved maturity factors).

Posted by 1 Raindrop
on Thursday, October 18, 2007 at 10:03 AM

<strong>Sacred Cow Gored? Check….</strong>

As only a certified security high priest can do, Gene Spafford has started a linkfest o’ love spawning numerous backslapping from some of my favorite people in the blogosphere. I hate enjoy to be the contrarian, so while I agree with the general senit…

Posted by An Information Security Place » Blog Archive
on Thursday, October 18, 2007 at 06:26 PM

[...] then I see this one from Rich which is referencing this post (which came before mine, so there you go) and it is followed up by Hoff’s declaration [...]

Posted by R. Austin
on Saturday, December 22, 2007 at 01:38 AM

Dr. Spafford,

Your comments on research priorites and the general “ho hum” nature of much academic security research is right on but with all due respect, I have to take issue with you on the subject of cancer research.

I lost my wife to breast cancer and that had absolutely nothing to do with the tobacco lobby, second hand smoke,etc.  So, I for one, am quite happy to see significant funding going into cancer research and could wish that we spent more.

Yeah, chemo sucks but on the other hand, it’s a welcome alternative to the rest “cures”, morphine, etc, that were breast cancer “treatment” not so very many years ago.  And, unpleasant as it is, it has contributed to the survival of many women who would otherwise have had their lives cut short.

Posted by Spaf
on Saturday, December 22, 2007 at 01:17 PM

Point noted (about cancer).  However, I wasn’t arguing about research against cancer in general.  My own mother died of lung cancer from smoking, and an uncle from bladder cancer, and so on.  My point was more that we spend all way too much of our money trying to get around (some) things we know how to address or eliminate, but we don’t put any real effort into that elimination!

Breast cancer is terrible, and I’ve already had several friends and relatives affected by it.  We need to find causes and treatments.  My only hope is that if we find causes we can address we don’t simply ignore them and focus on treatments because people are unwilling to address those causes!

Leave a comment

Commenting is not available in this section entry.