The Report

Over the last few months, CERIAS faculty members Jackie Rees and Karthik Kannan have been busy analyzing data collected from IT executives around the world, and have been interviewing a variety of experts in cybercrime and corporate strategy. The results of their labors were published yesterday by the McAfee Corporation (a CERIAS Tier II partner) as the report Unsecured Economies: Protecting Vital Information.

The conclusions of the report are somewhat pessimistic about prospects for cyber security in the coming few years. The combination of economic pressures, weak efforts at law enforcement, international differences in perceptions of privacy and security, and the continuing challenges of providing secured computing are combining to place vast amounts of valuable intellectual property (IP) at risk. The report presents estimates that IP worth billions of dollars (US) was stolen or damaged last year, and we can only expect the losses to increase.

Additionally, the report details five general conclusions derived from the data:

• The recession will put intellectual property at risk
• There is considerable international variation in the commitment (management and resources) to protect cyber
• Intellectual property is now an "international currency" that is as much a target as actual currency
• Employees steal intellectual property for financial gain and competitive advantage
• Geopolitical aspects present differing risk profiles for information stored "offshore" from "home" countries.

None of these should be a big surprise to anyone who has been watching the field or listening to those of us who are working in it. What is interesting about the report is the presented magnitude and distribution of the issues. This is the first truely global study of these issues, and thus provides an important step forward in understanding the scope of these issues.

I will repeat here some of what I wrote for the conclusion of the report; I have been saying these same things for many years, and the report simply underscores the importance of this advice:

“Information security has transformed from simply ’preventing bad things from happening ’into a fundamental business component.' C-level executives must recognize this change. This includes viewing cybersecurity as a critical business enabler rather than as a simple cost center that can be trimmed without obvious impact on the corporate bottom line; not all of the impact will be immediately and directly noticeable. In some cases, the only impact of degraded cybersecurity will be going from ‘Doing okay’ to ‘Completely ruined’ with no warning before the change.

Cybersecurity fills multiple roles in a company, and all are important for organizational health.

• First, cybersecurity provides positive control over resources that provide the company a competitive advantage: intellectual property, customer information, trends and projections,financial and personnel records and so on. Poor security puts these resources at risk.
• Second, good security provides executives with confidence that the data they are seeing is accurate and true, thus leading to sound decisions and appropriate compliance with regulation and policy
• Third, strong cybersecurity supports businesses taking new risks and entering new markets with confidence in their ability to respond appropriately to change
• And fourth, good cybersecurity is necessary to build and maintain a reputation for reliability and sound behavior, which in turn are necessary to attract and retain customers and partners.

• This study clearly shows that some customers are unwilling to do business with entities they consider poorly secured. Given massive market failures, significant fraud and increasing threats of government oversight and regulation, companies with strong controls, transparent recordkeeping, agile infrastructures and sterling reputations are clearly at an advantage -- and strong cybersecurity is a fundamental component of all four. Executives who understand this will be able to employ cybersecurity as an organic element of company (and government) survival -- and growth.“

We are grateful to McAfee, Inc. for their support and assistance in putting this report together.

Getting the Report

Update: You can now download the report sans-registration from CERIAS.

The report is available at no charge and the PDF can be downloaded (click on the image of the report cover to the left, or here). Note that to download the report requires registration.

Some of you may be opposed to providing your contact information to obtain the report, especially as that information may be used in marketing. Personally, I believe that the registration should be optional. However, the McAfee corporation paid for the report, and they control the distribution.

As such, those of us at CERIAS will honor their decision.

However, I will observe that many other people object to these kinds of registration requirements (the NY Times is another notable example of a registration-required site). As a result, they have developed WWW applications, such as BugMeNot, which are freely available for others to use to bypass these requirements. Others respond to these requests by identifying company personnel from information on corporate sites and then using that information to register -- both to avoid giving out their own information and to add some noise to the data being collected.

None of us here at CERIAS are suggesting that you use one of the above-described methods. We do, however, encourage you to get the report, and to do so in an appropriate manner. We hope you will find it informative.

Yesterday and today I was reading repeated news stories about the pending bailout—much of it intended to prop up companies with failed business models and incompetent management. Also distressing are the stories of extravagant bonuses for financial managers who are likely responsible for creating some of the same economic mess that is causing so much turmoil in world markets.

Running through my mind was also a re-reading of the recent statement by Norman Augustine before the U.S. House Democratic Steering and Policy Committee (it’s short and a great read—check it out). I definitely resonate with his comments about how we should invest in our technology and research to ensure that our country has a future.

And I was thinking about how can we reward a spirit of honest hard work rather than a sense of entitlement, and avoid putting money into industries where greed and incompetence have led to huge disasters, where those same miscreants are using the full weight of political pressure to try to get huge chunks of bailout money to continue their reign of error.

And all this came together when I saw a story about the lack of medical treatment and high rate of suicides for returning military after extended tours in the battlefield. And then I read this story and this story about the homeless—just two out of many recent stories.   

Why can’t we direct a little of our national wealth into a new GI Bill, similar to the original in 1944? Provide money so that our men and women who are returning from honorable service to the country can get the counseling and medical care they need. And then, ship them off to colleges for a degree. If they show real promise and/or have a degree already, then cover a graduate degree.   

These are people who volunteered years out of their lives to serve the interests of the rest of us. They were willing to put their lives on the line for us. And some died. And others have suffered severe physical and psychological trauma. They have shown they are able to focus, sacrifice, and work hard. My experience over the last two decades has shown me that most veterans and active-duty military personnel make good students for those reasons.

Service doesn’t provide intellectual ability, certainly, and not all can excel, but I am certain that many (if not most) can do well given the chance. And if regular college isn’t the right fit, then a vocational education program or appropriate apprenticeship should be covered.

Money should be allocated for additional counseling and tutoring for these students, too. They are likely to have a great range of physical and psychological needs than the usual student population, and we should address that. And money will need to be allocated to help provide the facilities to house and teach these students.

While we’re at it, maybe the same should be offered to those who have provided other service, such as in the AmeriCorps or Peace Corps? And perhaps those who take new jobs helping rebuild the nation’s infrastructure. I’m not a politician or economist, so I’m not sure what we should do for details, but the basic idea would be that someone who gives 4 years of service to the country should get 2-4 years of college tuition, fees, room and board.   

We might also want structure it so that degrees in the STEM (Science, Technology, Engineering and Math) disciplines have some form of extra preference or encouragement, although we should not discourage any valid course of study—except we should definitely not fund any degrees in finance!

Then maybe give a tax credit to any companies that hire these people after they graduate.

And make this good for anyone who served since, oh, 2001, and for anyone who signs up for one of the covered services before, say, 2015. If those dates don’t make sense, then pick others. But extend it forward to help encourage people to join some of the covered services—they could certainly use more people—and start far enough back.

Yes, I know there are currently educational benefits and health benefits for our veterans, but I am suggesting something more comprehensive for both, and for possibly a larger group. I’m suggesting that we invest in our future by making sure we do our utmost to patch up the injuries suffered in duty to our fellows, give them a shot at a better future. And that better shot is not to turn them out into our cities where there are no jobs, where the homeless live, where drugs and street crime may be rampant.

The whole process would give a huge boost of education to the workforce we want to have for the future. We don’t need more assembly line workers. We need engineers, technologists, scientists and more. Not only will we be educating them, but the endorsement we would be making about the importance of education, and the care for those who serve, will pay back indirectly for decades to come. It worked in the 40s and 50s, and led to huge innovations and a surge in the economy.

Will it all be expensive? Undoubtedly. But I’m guessing it is far less than what is in the budget bills for bank bailouts and propping up failed industrial concerns.

And when it is done, we will have something to show for our investment—far more than simply some rebuilt roads and a re-emergence of predatory lending.

But as I said, I’m not a politician, so what do I know?

Update: I have learned that there is a new GI bill, passed last year, which addresses some of the items I suggested above. Great! It doesn’t cover quite the breadth of what I suggested, and only covers the military. Somehow, I missed this when I did my web search….

As our technology becomes more complex, it is often shipped with flaws and missing features. The evolution of the Internet coupled with a “must ship” attitude has led to a number of interesting business practices. One in particular, remote updates/patching, presents some interesting reliability issues.

One of the best known versions of remote patching is the software update function, currently found in many computer applications, and in most common operating systems. In its usual form, this is a system that can download patches or whole new software artifacts to address a newly-discovered security vulnerability. Some systems are automated, but most require manual intervention. The current systems generally only involve security fixes and no functionality improvements—the functionality improvements may or may not be bundled in less frequent updates (service packs), or they may be deferred into a major revision that requires additional payment.

Many of us working in security and reliability have expressed concern about these updates, because if the update mechanism is somehow hijacked by an attacker, it can be used to quickly distribute malware to large numbers of systems at once. There have also been examples where updates accidentally deleted critical files or provided faulty configurations, thus disabling or degrading many, many machines at once (for example this one and this one). Most vendors have elaborate systems in place to test and verify such patches, and they have plans in place to quickly respond if something goes wrong.

Now, we’re seeing the same concerns begin to occur with consumer goods that aren’t primarily intended as interactive computers. I can speak from personal (unfortunate) experience that at least one major vendor appears clueless and not customer-friendly.

I recently purchased 2 Samsung Blu-Ray DVD players: a BD-P2500, and a BD-P1500. Both have Internet connections for firmware updates and Blu-Ray Live. The BD-P2500 also supports live streaming of Netflix content.

A couple of days after Christmas, the 2500 froze up. I could not get it to respond to anything, including the factory reset code. I contacted Samsung and was given information to send the player in for service—it was still within warranty. They’ve had it for nearly 2 weeks with a status of “waiting for parts.” It has now been broken longer than it was working, with still no prognosis about when it might be returned.

No problem—I still have the other player I can use, right?

The 1500 came up with an on-screen message early in the week that a firmware update was available. Having had experience with downloads and upgrades of OS components, I waited a couple of days before doing anything. When I initiated the download, it completed without error, according to the display. However, after completion, it too was dead—no response to anything, including reset codes. So, I called Samsung again. The problem was escalated in customer service. This is what I was told:

 
1. There was a bad update put on the servers, and many players that got the download have frozen up
 
2. They do not have a fix for it at the current time and have no idea when one will be available
 
3. I should check their WWW site once a week to see when an update is available. “It should almost certainly be within a month.”
 
4. Even though it is their fault for putting up a bad firmware update, if I am required to send in the player, it is now out of warranty for service so it is my own expense.

It seems fairly clear that Samsung has a major problem in testing and assurance, and a surprising lack of concern for customer support. It also sounds like they don’t have much of a handle on what it will take to fix a locked-up player.

I wonder how many other people around the world are stuck with non-functional players and a vague answer about the fix? It could well be in the thousands. And the best they can offer us is to check the WWW site once a week to see when they are ready for us to pay to install a fix to a problem they caused in the first place!

As someone who works in security and reliability, I can see all sorts of interesting problems here involving updates to consumer appliances. They problems are magnified with incomplete or incompetent responses from the vendors. It certainly suggests that consumers should press vendors to issue things that work correctly and don’t require updates—or at least have a fail safe state that allows recovery! Imagine losing use of your TV, phone, refrigerator or car indefinitely because of a faulty update caused by the vendor, with an indefinite fix. For those with malice in mind, this would be a great thing to do to harm a company—and maybe to extort some money as “protection.”

As a consumer, I’m rather angry. I don’t expect to buy anything else made by Samsung, and I certainly won’t recommend them to anyone else. You may choose to use this as a cautionary tale in your own pursuit of consumer items and choose another vendor that is more careful with their updates, and more considerate of customers who have paid for their products. And if you have one of the frozen players with some idea how to recover it to working condition, I’d be interested in hearing about it.

Sadly, caveat emptor.

Update 01/19/09: Samsung is shipping me a replacement for my bricked P2500. It left their plant on Friday, surface UPS. So, that will be a 3-week turnaround.

Meanwhile, I called the service number again about the P1500 and pressed until they escalated me to “executive response.” (Third or fourth level customer service, I guess.) I kept reminding them that it was their firmware update that caused the problem. After 30 minutes on the phone, I must have worn them down sufficiently: they extended the warranty through this week, and are providing me the shipping information to send it in for service under warranty. Hooray!

Unlike last week, the personnel I talked with today were uniformly helpful and informative. I wonder if they have had enough complaints that there has been a change in policy? Or did I just get two really bad service reps in a row last week?

Nonetheless, the bad updates and the lack of a failsafe are really poor design.

Over the last few years, I have been involved in issues related to the use of computerization in voting. This has come about because of my concerns about computer security, privacy and reliability, and from my role as chair of the ACM U.S. Public Policy Committee (USACM). USACM has taken a strong position as regards use of computers as voting stations and voting over the internet.

Two recent items address the issue of voting over the Internet.

The first is a study released by NIST about the threats posed by internet voting. This is a well-written document describing problems that would be encountered with any online voting system. Their conclusion is that, for public elections, distribution of blank ballots (on paper) is the only reasonable improvement that we can make with current technology.

The second is a note from my colleague, Yvo Desmedt, one of the senior leaders in information security He has asked that I circulate this to a wider audience:

  IACR (the International Association for Cryptologic Research) has changed its bylaws to allow e-voting over the internet to elect its board members and other purposes. IACR will likely move towards internet e-voting. The IACR Board of Directors subcommittee on internet e-voting has published a list of requirements for such a system at: http://www.iacr.org/elections/eVoting/requirements.html This is evidently a first step and the question remains whether the system the International Association for Cryptologic Research will choose will be easy to hack or not. So, security experts should follow this development.

The problems that need to be addressed by any voting technology are mostly obvious: impersonation of the voter, impersonation of the voting system, disclosure of the ballot, multiple voting, loss of votes, denial of access, and a number of other issues. The problems are complicated by the requirements of a fair voting system, one of which is that of vote deniability—that the voter is able to deny (or claim) that her/his vote was cast a particular way. This is important to prevent vote buying, or more importantly, retribution against voters who do not cast ballots in a particular way. It isn’t difficult to find stories where voters have been beaten or killed because of how they voted (or were presumed to have intended to vote). Thus, the tried-and-true concept of providing a receipt (ala ATM machines) is not a workable solution.

My intent in making this post isn’t to discuss all the issues behind e-voting—that is well beyond the scope of a single posting, and is covered well many other places. My main goal is to give some wider circulation to Yvo’s statement. However, in light of the recent problem with certificate issuance, it is also worth noting that schemes requiring encryption to secure voting may have hidden vulnerabilities that could lead to compromise and/or failures in the future.   

In the end, it comes down to a tradeoff of risk/reward (as do all security choices): can we accurately quantify the risks with a particular approach, and are we willing to assume them? Do we have appropriate mechanisms to eliminate, mitigate or shift the risks? Are we willing to accept the risks associated with adopting a particular form of e-voting in return for the potential benefit of better access for remote voters? Or are accurate (fair) results all the time more important than complete results?

Note that one objection often raised to USACM as we argue these points is “There is no evidence there has ever been a failure or tampering with a vote.” In addition to being incorrect (there are numerous cases of computer-based voting failures), this misses two key issues:

 
• How do you tell if there is tampering if there are no safeguards that definitively disclose such tampering? That you have not detected something does not mean it has not occurred.
 
• The past does not predict the future in such a case. That no failure (accidental or otherwise) has occurred does not mean it will not occur in the future. Worse, a string of occurrences without a failure may help cloud a future discovered discrepancy!

In the case of IACR, it is obvious why this group of cryptography professionals would wish to adopt techniques that show confidence in cryptography. However, the example they set could be very damaging for other groups—and populations—if their confidence is misplaced. Given the long history of spectacular failures in cryptography—often going unannounced while being exploited—it is somewhat surprising that the IACR is not more explicit in their statement about the risks of technological failures.