[Note: the following is primarily about U.S. Government policies, but I believe several points can be generalized to other countries.]

I was editing a section of my website, when I ran across a link to a paper I had forgotten that I wrote. I'm unsure how many people actually saw it then or since. I know it faded from my memory! Other than CERIAS WWW sites and the AAAS itself, a Google search reveals almost no references to it.

As background, in early April of 2002, I was asked, somewhat at the last moment, to prepare a paper and some remarks on the state of information security for a forum, Technology in a Vulnerable World, held on science in the wake of 9/11. The forum was sponsored by the AAAS, and held later that month. There were interesting papers on public health, risk communication, the role of universities, and more, and all of them are available for download.

My paper in the forum wasn't one of my better ones, in that it was somewhat rushed in preparing it. Also, I couldn't find good background literature for some of what I was writing. As I reread what I wrote, many of the points I raised still don't have carefully documented sources in the open literature. However, I probably could have found some published backup for items such as the counts of computer viruses had I spent a little more time and effort on it. Mea culpa; this is something I teach my students about. Despite that, I think I did capture most of the issues that were involved at the time of the forum, and I don't believe there is anything in the paper that was incorrect at that time.

Why am I posting something here about that paper, One View of Protecting the National Information Infrastructure, written seven years ago? Well, as I reread it, I couldn't help but notice that it expressed some of the same themes later presented in the PITAC report, Cyber Security: A Crisis of Prioritization (2005), the NRC report Towards a Safer and More Secure Cyberspace (2007), and my recent Senate testimony (2009). Of course, many of the issues were known before I wrote my paper -- including coverage in the NRC studies Computers at Risk: Safe Computing in the Information Age (1991), Trust in Cyberspace (1999) and Cybersecurity Today and Tomorrow (2002) (among others I should have referenced). I can find bits and pieces of the same topics going further back in time. These issues seem to be deeply ingrained.

I wasn't involved in all of those cited efforts, so I'm not responsible for the repetition of the issues. Anyone with enough background who looks at the situation without a particular self-interest is going to come up with approximately the same conclusions -- including that market forces aren't solving the problem, there aren't enough resources devoted to long-term research, we don't have enough invested in education and training, we aren't doing enough in law enforcement and active defense, and we continue to spend massive amounts trying to defend legacy systems that were never designed to be secure.

Given these repeated warnings, it is troubling that we have not seen any meaningful action by government to date. However, that is probably preferable to government action that makes things worse: consider DHS as one notable example (or several).

Compounding the problem, too many leaders in industry are unwilling to make necessary, radical changes either, because such actions might disrupt their businesses, even if such actions are in the public good. It is one of those "tragedy of the commons" situations. Market forces have been shown to be ineffective in fixing the problems, and will actually lead to attempts to influence government against addressing urgent needs. Holding companies liable for their bad designs and mistakes, or restricting spending on items with known vulnerabilities and weaknesses would be in the public interest, but too many vendors affected would rather lobby against change than to really address the underlying problems.

Those of us who have been observing this problem for so long are therefore hoping that the administration's 60 day review provides strong impetus for meaningful changes that are actually adopted by the government. Somewhat selfishly, it would be nice to know that my efforts in this direction have not been totally in vain. But even if nothing happens, there is a certain sense of purpose in continuing to play the role of Don Quixote.

Sancho! Where did I leave my horse?

Why is it that Demotivators® seem so appropriate when talking about cyber security or government? If you are unfamiliar with Despair.com, let me encourage you to explore the site and view the wonderfully twisted items they have for sale. In the interest of full disclosure, I have no financial interest or ties to the company, other than as a satisfied and cynical customer.

On a more academic note, you can read or purchase the NRC reports cited above online via the National Academies Press website.

[tags]future technology, cyber security predictions, malware, bots, privacy, cyber crime[/tags]
Four times in the last month I have been contacted by people asking my predictions for future cyber security threats and protections.  One of those instances will be as I serve on a panel at the Information Security Decisions Conference in Chicago next week; we’ll be talking about the future of infosec. 

Another instance when I was contacted was by the people at Information Security magazine for their upcoming 10th anniversary issue.  I was interviewed back in 2002, and my comments were summarized in a “crystal ball” article.  Some of those predictions were more like trend predictions, but I think I did pretty well.  Most happened, and a couple may yet come to pass (I didn’t say they would all happen in 5 years!). I had a conversation with one of the reporters for the Nov 2007 issue, and provided some more observations looking forward.

After answering several of these requests, I thought it might be worthwhile to validate my views.  So, I wrote up a list of things I see happening in security as we go forward.  Then I polled (what I thought) was a small set of colleagues; thru an accident of mail aliases, a larger group of experts got my query.  (The mailer issue may be fodder for a future blog post.)  I got about 20 thoughtful replies from some real experts and deep thinkers in the field.

What was interesting is that while reading the replies, I found only a few minor differences from what I had already written!  Either that means I have a pretty good view of what’s coming, or else the people I asked are all suffering under the same delusions. 

Of course, none of us made predictions as are found in supermarket tabloids, along the lines of “Dick Cheney will hack into computers running unpatched Windows XP at the Vatican in February in an attempt to impress Britney Spears.”  Although we might generate some specific predictions like that, I don’t think our crystal balls have quite the necessary resolution.  Plus, I’m sure the Veep’s plans along those lines are classified, and we might end up in Gitmo for revealing them.  Nonetheless, I’d like to predict that I will win the Powerball Lottery, but will be delayed collecting the payout because Adriana Lima has become so infatuated with me, she has abducted me.  Yes, I’d like to predict that, but I think the Cheney prediction might be more likely….

But seriously, here are some of my predictions/observations of where we’re headed with cyber security.  (I’m not going to name the people who responded to my poll, because when I polled them I said nothing about attributing their views in public; I value my friends’ privacy as much or more than their insights!  However, my thanks again to those who responded.) 

If all of these seem obvious to you, then you are probably working in cyber security or have your own crystal ball.

Threats
Expect attack software to be the dominant threat in the coming few years.  As a trend, we will continue to see fewer overt viruses and worm programs as attacks, but continuing threats that hijack machines with bots, trojans, and browser subversion. Threats that self-modify to avoid detection, and threats that attack back against defenders will make the situation even more challenging.  It will eventually be too difficult to tell if a system is compromised and disinfect it—the standard protocol will be to reformat and reinstall upon any question.

Spam, pop-up ads, and further related advertising abuses will grow worse (as difficult as that is to believe), and will continue to mask more serious threats.  The ties between spam and malware will increase.  Organized crime will become more heavily involved in both because of the money to be made coupled with the low probability of prosecution.

Extortion based on threats to integrity, availability, or exposure of information will become more common as systems are invaded and controlled remotely.  Extortion of government entities may be threatened based on potential attacks against infrastructure controls.  These kinds of losses will infrequently be revealed to the public.

Theft of proprietary information will increase as a lucrative criminal activity.  Particularly targeted will be trade secret formulations and designs, customer lists, and supply chain details.  The insider threat will grow here, too.

Expect attacks against governmental systems, and especially law enforcement systems, as criminals seek to remove or damage information about themselves and their activities.

Protections
Fads will continue and will seem useful to early adopters, but as greater roll-out occurs, deficiencies will be found that will make them less effective—or possibly even worse than what they replace.  Examples include overconfident use of biometrics and over-reliance on virtualization to protect systems.  Mistaken reliance on encryption as a solution will also be a repeated theme.

We will continue to see huge expenditures on R&D to retrofit security onto fundamentally broken technologies rather than on re-engineering systems according to sound security principles.  Governments and many companies will continue to stress the search for “new” ideas without adequately applying older, proven techniques that might be somewhat inconvenient even though effective.

There will be continued development of protection technologies out of proportion to technologies that will enable us to identify and punish the criminals.  It will be a while before the majority of people catch on that passive defense alone is not enough and begin to appropriately capitalize investigation and law enforcement.  We will see more investment in scattered private actions well before we see governments stepping up.

White-listing and integrity management solutions will become widely used by informed security professionals as they become aware of how impossible it is to detect all bad software and behavior (blacklisting).  Meanwhile, because of increasing stealth and sophistication of attacks, many victims will not realize that their traditional IDS/anti-virus solutions based on blacklists have failed to protect them. 

White-listing will also obviate the competition among some vendors to buy vulnerabilities, and solve the difficulty of identifying zero-day attacks, because it is not designed to trigger on those items.  However, it may be slow to be adopted because so much has been invested in traditional blacklist technologies: firewalls, IDS/NIDS/IPS, antivirus, etc.

Greater emphasis will be placed on positive identity management, both online and in the physical world.  Coupled with access control, this will provide some solutions but further erode privacy.  Thus, it is uncertain how widely these technologies will be embraced.  TSA and too much of the general public will still believe that showing a picture ID somehow improves security, so the way ahead in authentication/identification is uncertain.

Personnel
We will continue to see more people using sensitive systems, but not enough people trained in cyber protection.  This will continue some current trends such as people with questionable qualifications calling themselves “experts,” and more pressure for certifications and qualifications to demonstrate competence (and more promotion of questionable certifications to meet that need).

Many nations will face difficulties finding appropriately educated and vetted experts who are also capable of getting national-level clearances.  Industry may also find it difficult to find enough trained individuals without criminal records, which will lead to greater reliance on outsourcing.  It will also mean that we will continue to see instances where poorly-informed individuals mistakenly think that single technologies will solve all all their problems—with firewalls and encryption being two prime examples.

Personnel for after-the-fact investigations (both law enforcement and civil) will be in high demand and short supply.

Much greater emphasis needs to be placed on educating the end-user population about security and privacy, but this will not receive sufficient support or attention. 

The insider threat will become more pronounced because systems are mostly still being designed and deployed with perimeter defenses.

Milieu
Crime, identity theft, and violations of privacy will increasingly become part of public consciousness.  This will likely result in reduction of trust in on-line services.  This may also negatively impact development of new services and products, but there will still be great adoption of new technologies despite their unknown risk models; VoIP is an example.

Some countries will become known as havens for computer criminals.  International pressure will increase on those countries to become “team players” in catching the criminals.  This will not work well in those countries where the government has financial ties to the criminals or has a political agenda in encouraging them.  Watch for the first international action (financial embargo?) on this issue within the next five years.

We will see greater connectivity, more embedded systems, and less obvious perimeters.  This will require a change in how we think about security (push it into the devices and away from network core, limit functionality), but the changes will be slow in coming.  Advertisers and vendors will resist these changes because some of their revenue models would be negatively impacted.

Compliance rules and laws will drive some significant upgrades and changes, but not all will be appropriate as the technology changes.  Some compliance requirements may actually expose organizations to attack.  Related to compliance, the enforcement of external rights (e.g., copyright using DRM) will lead to greater complexity in systems, more legal wrangling, and increased user dissatisfaction with some IT products.

More will be spent in the US on DRM enforcement and attempts to restrict access to online pictures of naked people than is likely to be spent on cybersecurity research.  More money will be spent by the US government ensuring that people don’t take toothpaste in carry-on luggage on airplanes than will be spent on investigating and prosecuting computer fraud and violation of spam laws.

Government officials will continue to turn to industry for “expert advice”—listening to the same people who have built multinational behemoths by marketing the unsafe products that got us into this mess already.  (It’s the same reason they consult the oil executives on how to solve global warming.)  Not surprisingly, the recommendations will all be for strongly worded statements and encouragement, but not real change in behavior.

We will see growing realization that massive data stores, mirroring, RAID, backups and more mean that data never really goes away.  This will be a boon to some law enforcement activities, a terrible burden for companies in civil lawsuits, and a continuing threat to individual privacy.  It will also present a growing challenge to reconcile different versions of the same data in some meaningful way.  Purposeful pollution of the data stores around the world will be conducted by some individuals to make the collected data so conflicted and ambiguous that it cannot be used.

Overall Bottom line:  things are going to get worse before they get better, and it may be a while before things get better.

[posted with ecto]