Topics Cybersecurity ❚ Status regarding “traditional” vulnerabilities ❚ Some “grand challenges” ❚ IT and counterterrorism ❚ Some legal and regulatory issues Ed Lazowska ❚ Security in open vs. closed systems IT & Public Policy ❚ Does it make sense to hunt for security holes? Autumn 2004 ❚ An economic perspective ❚ President’s Information Technology Advisory Committee on Cybersecurity 2 1 Cybersecurity Today and Tomorrow – NRC CSTB 2002 ❚ General observations ❚ Management ❙ Vulnerabilities are growing faster than our ❙ We are doing far worse than best practices make ability/willingness to respond possible ❙ Achieving/maintaining security is expensive, so ❙ We must change market incentives – for example, people “use” as little as they think they can get by becoming able to quantify security, and by away with shifting liability ❙ Overall security is only as strong as the weakest link ❙ The best is the enemy of the good ❙ Constant action and reaction ❙ Commercial and face-saving concerns of victims constitute a barrier to reporting 3 4 ❚ Operational considerations ❚ Design and architectural considerations ❙ To promote accountability, frequent and ❙ “Human error” is usually scapegoating – the unannounced penetration testing (“red-teaming”) is problem usually is management, or operational, or essential design ❙ Mis-configuration is a leading cause of ❙ Current authentication methods are lame vulnerabilities; configuration tools are “miserably ❙ The “defensive perimeter” approach, while not inadequate” today totally useless, falls way short – there must be ❙ Organizations must have actionable fallback plans mutual suspicion within the perimeter for when a cyberattack occurs 5 6 1
Information Technology for Counterterrorism – NRC CSTB 2003 ❚ Observations ❙ IT is in the control loop of every other element of the nation’s critical infrastructure ❙ IT can be a target ❙ IT can also be a weapon: can be exploited to launch or exacerbate an attack, or to interfere with a response ❙ IT has an additional key role in counter-terrorism (e.g., datamining) and in response to terrorism (communication) 9 10 ❚ Recommended short-term actions ❚ Recommended research investments ❙ Enhance the communication and computing ❙ Information and network security capabilities of emergency responders ❘ Authentication, intrusion detection, containment, recovery, bug prevention/detection/repair ❙ Promote the use of current best practices in ❙ C3I (Command, Control, Communication, and information and network security Intelligence) systems ❘ Interoperability, capacity, decision support, location- aware systems, sensornets ❙ Information fusion and datamining ❙ Privacy and confidentiality ❙ Human and organizational factors 11 12 2
Critical Information Infrastructure Protection and the Law – NRC CSTB 2003 ❚ Information sharing ❚ Liability ❙ Freedom of Information Act – companies reluctant ❙ May need civil as well as criminal liability, to allow to disclose CIIP-related information with the victims to recover losses from parties guilty of government negligence or misconduct ❙ Antitrust law – companies reluctant to share CIIP- ❙ May need tort law as well as contract law – is related information with competitors there a legal duty on the part of a company to secure its CII? ❙ Standards, best practices, and audits: improve security, and provide a defense ❙ Current patchwork of regulations must be regularized 13 14 Security in Open vs. Closed Systems – Ross Anderson, 2002 ❚ The big picture ❚ It cuts both ways! ❙ Collective risks => collective actions ❙ When a researcher publishes a new abstract vulnerability, an attacker can devise a concrete ❙ “The crisis management mentality in the attack much more easily if source is available aftermath of 9/11 has pushed aside issues of privacy and civil liberties” ❙ However, time-to-market for a defense may be shorter for OSS ❙ Confused and confusing messages from government are a real problem – “a clear and ❙ But OSS makes it possible to identify new code, consistent message from the government to the which is where the bug density will be highest private sector will go a long way toward building ❙ But each individual tester has preferences, so the trust that is necessary to protect the nation’s there is something to “many eyeballs” at least in CII” terms of variation in focus 15 16 Is finding security holes a good idea? – Eric Rescorla, 2004 Eric Rescorla, “Is finding security holes a good idea?,” Workshop on 17 Economics and Information Security, May 2004 3
Why Information Security is Hard: An Economic Perspective – Ross Anderson, 2001 ❚ Asymmetry of security ❙ After a year, Paddy finds 1 bug, Brian patches 100K ❙ Suppose Windows has 1M bugs, each with MBTF of 1B ❙ But the chance Brian has patched Paddy’s bug is hrs only 10% ❙ Suppose Paddy works for the IRA, trying to hack the British Army’s Windows systems ❙ Suppose Brian is the British Army assurance guy in charge of blocking Paddy ❙ Paddy has a day job – so he can only test 1000 hrs/yr ❙ Brian has full Windows source code, dozens of Ph.D.s at his disposal, etc. – 10M hrs/yr of testing 19 20 ❚ Assignment of liability is crucial ❚ Alignment of financial incentives also is crucial ❙ Survey of fraud against automatic teller machines ❘ US: if a customer disputes a transaction, the bank ❙ Hal Varian: A consumer might pay $100 for anti- must prove the customer was mistaken virus software to keep her system clean, but is ❘ Britain, Norway, the Netherlands: burden of proof unlikely to pay even $1 to prevent her system from lies with the customer being used to attack Amazon.com! ❙ Clear differences in bank behavior in these two situations! 21 22 Pr e s i de nt ’ s I nf or m a t i on Te chnol ogy Soc i e t a l Cons eque nce s of I nf or m a t i on Advi s or y Com m i t t e e Te c hnol ogy Vul ner a bi l i t i e s ( 1) • I T i s a t t he he a r t of s oc i e t y; I T r uns c r i t i ca l Subc om m i t t e e on Cybe r Se c ur i t y i nf r a s t r uc t ur e s : e l ec t r i c powe r gr i d, Pr e s e nt a t i on of Dr a f t Fi ndi ngs and f i na nc i a l s ys t em s , a i r t r af f i c cont r ol , f ood Re c om m e nda t i ons di s t r i but i on, de f e ns e ne t wor ks , e t c . F. Thom s on Lei ght on, Cha i r • The us e of I T ( a nd t he f a i t h i n i t ) ha s ha d e nor m ous pos i t i ve i m pac t on pr oduc t i vi t y, Nove m be r 19, 2004 wi t h t r em e ndous r em a i ni ng pot e nt i a l ( e . g. , Gr a nd Hya t t W a s hi ngt on a t W a s hi ngt on Ce nt e r s e e PI TAC He a l t h Car e r e por t ) . W a s hi ngt on, D. C. 23 24 4
Recommend
More recommend
