Can the Web’s big-time masters of malware really be tracked down? How risky is cloud computing to network security? And what challenges await the Obama administration’s plans to lock down the nation’s electronic infrastructure — while at the same time creating a “smart grid”?
An experienced panel of computer security experts representing industry, governments and law enforcement batted around possible answers to those questions Monday during a “guru fireside” session that was a highlight of the Information Security Forum’s 20th World Congress. Some 500 ISF members are in Vancouver, British Columbia, this week for keynote speeches and sessions focusing on the latest trends in information security.
The “guru” panel included Mary Ann Davidson, chief security officer for Oracle; Bruce Schneier, an oft-quoted cryptologist and author; Greg Garcia of Garcia Strategies, who was the first U.S. Assistant Secretary for Cybersecurity and Communications under former Pres. George W. Bush; and Alexander Seger, head of the economic crime division of the 47-member Council of Europe. ISF president/CEO Howard A. Schmidt, a former Microsoft security executive and the nation’s first cybersecurity czar immediately after the Sept. 11 attacks, hosted the panel.
Schneier, chief technology officer for BT Counterpane Security, is known to speak his mind regarding issues of privacy, government regulation of networks and law enforcement techniques. He’s written extensively on those subjects for The New York Times, the Guardian, Forbes and Wired. So it probably came as no surprise to the other panelists, and the audience, when he challenged Seger’s contention that law enforcement officials need legislation and regulatory weapons to help them track down large-scale hackers and identity thieves.
“I’m sorry, but you’re not going to be able to track attacks,” Schneier said. “I would like it to be different, but you can’t do it.”
“You can, Bruce, but it’s very hard to do,” interjected Garcia.
“You cannot take a [data] bit and backtrack it to where it came from,” Schneier maintained. “You don’t know who’s in front of the keyboard sending it out there. You cannot do it, a bit does not have location specificity. It’s a bit. It’s not that you can’t have identification. Banks work great, corporate networks work great. But you cannot make a system that doesn’t have anonymity.”
Web Anonymity, ‘Smart Grid’ Risks
All the panelists were asked to give their take on current trends in cybersecurity and technology overall. Schneier’s exchange with Garcia and Seger about anonymity continued his long-held thesis that anonymity is not inherently bad, and that trying to punish anonymity in the name of Web safety is dangerous. “You make it harder for the naive or the innocent to do things, and no harder for criminals or the determined,” he said. “That isn’t to say you can’t have identity. You can build a network with different degrees of working well — bank accounts, Facebook accounts, you can have different levels of identity, but you’re not making anonymity go away.”
Closed platforms, Schneier added, will become the rule, which shifts the focus from devices to services. Government, he said, would have more clout if it cleaned up its own networks and used its buying power to demand better products from vendors. “If big government comes out with a contract for a secure laptop or a firewall or database or OS, and has a list of security requirements, then the contract will be big enough that vendors will need to meet those requirements and produce more secure products.”
Moving health and medical records online concerns both Schneier and Davidson, and Davidson added that “smart grid” plans are another potential risk. “Figure out what problem you’re trying to solve before you throw technology at it,” she said. “Now we want to put everybody’s house on the grid without thinking about the neighborhood kid knocking you off the grid, or being subject to attacks. I don’t think people understand the risk they’re exposing us to by doing that.”
Online medical records could also be exposed to hackers altering those records or using them to blackmail the innocent.
“Not that I think we should stop all progress, but my concerns are that we are coming up the awareness curve to some degree that this is infrastructure that needs to be both defensive and self-defending, which is a different construct than what we have now,” Davidson said.
Cybersecurity Is Not a Red/Blue Issue
The good news in Washington, D.C., is that cybersecurity does not appear to be a partisan political issue, Garcia said. The Obama administration has basically affirmed the strategy that he and others in the Bush administration had worked on to place network/infrastructure protection on a higher level of priority. “Now it is incumbent upon this administration to take that strategy, which is on pretty firm conceptual footing, and now turn it into something that is operational, executable and well-organized,” Garcia said. “That’s what’s lacking now. We were not well organized in the Bush administration because we had too much mission creep from other organizations involved,” including various aspects of the military, the intelligence community and the State Department.
Whoever ends up with the job of White House-level cybersecurity adviser — promised by President Obama — will need to lay out the roles and responsibilities for those agencies with a stake in network protection.
The picture is cloudier regarding the enterprise, Garcia said. Hackers and cybercriminals are becoming more sophisticated in their use of technology, and some companies still aren’t taking network security seriously. “They are doing risk assessments and saying they’ll consider a cyberattack as a cost of doing business. I think that’s potentially dangerous thinking,” he said.
Also potentially dangerous: relying on cloud computing for protecting personal and corporate data without first asking a lot of questions regarding security, Davidson said. “It’s not about whether somebody does a service for you, that’s a business decision. But when something is important to you and you hand it off, you still need to answer basic questions — ‘where is my data? who has access to it?’ And if you cannot answer those questions, this whole idea of the cloud, ‘just trust us,’ is silly.”
This is a huge issue as we move more and more sensitive systems to the Web. Electric grid, gas pipelines, transportation control systems, military command and control, medical records, personal information in public records, etc. all pose huge risks to the economy and security of the nation.
With current technology, we need physical security or VASTLY improved electronic security for sensitive systems and data.
For example, I would dictate that things such as the proposed ‘smart grid’, and other infrastructure systems, be allowed to communicate only via a physically separate network with NO connection to the WWW.
Another example would be to give every person a ‘smart card’ like the one used in Taiwan for medical records, and require every access point and storage location for these records to meet a very high security standard. Any facility not meeting these standards could access the records on a temporary basis, but not update anything across the net. They could update individual cards, hopefully keeping my records under my control and avoiding ‘contamination’ of my records.
Throwing these critical systems onto the WWW gives me nightmares of what the ‘black hats’ will do, much less the possibility of digital warfare by governments and terrorist organizations.