CIO

The Future of Security

There's no need to imagine a worst-case scenario for Internet security in the year 2010. The worst-case scenario is unfolding right now.

[SCENARIO ONE]

After the Storm, Reform

In 2010, information security will be much better than it is today. But between then and now, everything will get inconceivably worse

There's no need to imagine a worst-case scenario for Internet security in the year 2010. The worst-case scenario is unfolding right now.

Based on conservative projections, we'll discover about 100,000 new software vulnerabilities in 2010 alone, or one new bug every five minutes of every hour of every day. The number of security incidents worldwide will swell to about 400,000 a year, or 8000 per workweek.

Windows will approach 100 million lines of code, and the average PC, while it may cost $99, will contain nearly 200 million lines of code. And within that code, 2 million bugs.

By 2010, we'll have added another half-a-billion users to the Internet. A few of them will be bad guys, and they'll be able to pick and choose which of those 2 million bugs they feel like exploiting.

In other words, today's sloppiness will become tomorrow's chaos.

The good news is that we probably won't get to that point. Most experts are optimistic about the future security of the Internet and software. Between now and 2010, they say, vulnerabilities will flatten or decline, and so will security breaches. They believe software applications will get simpler and smaller, or at least they won't bloat the way they do now. And they think experience will provide a better handle on keeping the growing number of bad guys out of our collective business. Some even suggest that by 2010, a software Martin Luther will appear to nail 95 Theses - perhaps in the form of a class-action lawsuit - to a door in Redmond, kicking off a full-blown security reformation.

The bad news is that this confidence, this notion of an industrywide smartening up, is based on the assumption that there will be a security incident of such mind-boggling scope and profoundly disturbing consequence - the so-call digital Pearl Harbour - that conducting business as usual will become inconceivable.

The Digital Pearl Harbour: What It's Not

The phrase digital Pearl Harbour was first seen in print in 1991. D James Bidzos, then president of RSA, said the government's digital signature standard provided "no assurance that foreign governments cannot break the system, running the risk of a digital Pearl Harbour".

By 1998, the term's use was reasonably common, a dark, lowering cloud on the horizon of the Internet revolution. Newsweek, in an article from that year, suggested it would come in the form of a "sophisticated attack on our digital workings [which] could create widespread misery: everything from power failures to train wrecks".

Since then, the phrase has become bromidic to the point that former cybersecurity czar Richard Clarke declared that "digital Pearl Harbours are happening every day".

Whether conceived of as rare or quotidian, the digital Pearl Harbour's definition has remained constant: It's a computer outage, a big one, a physically and financially damaging one. More recently, it has become a shorthand way to say: "Terrorists will take down the Internet."

In either case, this definition is wrong. Not only is it wrong, it's not even useful.

"I hesitate to even use the term," says Jeff Schmidt, an elected member of the FBI's InfraGard national executive board. "It's come to mean any attack that's massively inconvenient. But I don't think they merit the term digital Pearl Harbour."

"We need to distinguish between the mischievous and the malicious," says Darwin John, who served recently (albeit briefly) as CIO of the FBI and is considered one of the godfathers of the CIO profession. "We've tolerated the attacks until now because they're mischievous. The malicious attack will be the one that moves the public consciousness, and it's so much harder to know what that attack will be."

Page Break

It's much easier to know what a digital Pearl Harbour won't be. Taking down the Internet or ATM networks, compromising the Social Security database, even hacking into the electric grid - Schmidt and others argue that while each event may be part of a digital Pearl Harbour, none qualifies in and of itself. None would galvanise society, spurring it to action.

And it needn't be a terrorist attack. Open networks coupled with vulnerable software make it more likely that a transformational event will arise from a more banal source, like a motivated group of computer experts, a common thief or, most fickle of all, an accident.

The coming digital Pearl Harbour doesn't even have to be a single event. Thinking about the nature of disasters, Software Engineering Institute (SEI) fellow Watts Humphrey consulted nuclear power people. "I talked to one guy who did nothing but review incidents," Humphrey says. "And typically, these kinds of disasters result from a combination of many smaller events that each seem highly unlikely. But they all happen at once to create unforeseeable consequences."

That's the "Perfect Storm" theory, and what makes an event perfect (in a negative sense) is the apparent lack of relationship between systems in a complex environment. The blackout last August in the US was a Perfect Storm. Random, seemingly unrelated factors - an ageing power grid, certain corporate decisions, a heat wave, a history of deregulation and some human errors - all came together to darken a significant chunk of the northern hemisphere.

"That's how modern systems fail," says Humphrey. "And our networks are so big and fast that things which seem damn near impossible happen every few days."

Not even loss of life necessarily means an event is a digital Pearl Harbour. Three years ago, four Marines were killed after a hydraulics failure on a V22 Osprey plane. They took all the proper measures, but because of software bugs, their plane still crashed. Few even heard of the event, never mind demanded more secure software as a result.

Those scenarios, no matter how dire, didn't rise to the level of a Pearl Harbour because they failed to inflict significant, collective psychological damage. Before Internet security changes in fundamental ways, we will have to feel as shocked and vulnerable as all Americans did reading the newspaper and listening to the radio on the morning of December 7, 1941.

In a sense, this should be obvious. If digital Pearl Harbours were happening every day, they wouldn't be Pearl Harbours. They'd have a name that conveyed their seriousness, but also their ubiquity and survivability. They'd have a name like "virus outbreaks".

Still, no matter how nebulous the name, we're hurtling toward what many experts keep referring to, darkly, as the "point".

"The more complex you get, the more vulnerable you are," says Peter Tippett, CTO of TruSecure, a security services company, and noted security expert. Tippett argues that if we simply extend the present situation into the future, the level of complexity and vulnerability we would create will make a digital Pearl Harbour inevitable - and before 2010.

"For seven years, we've had these negative events," says Howard Schmidt, vice president and CISO of eBay and former vice chairman of the President's Critical Infrastructure Protection Board, and, before that, CSO of Microsoft. "And every time there's an event, it's called a wake-up call. It's like those alarms that crescendo to wake you up. We're getting to that point, where it's so loud, you wake up."

»TIPPING POINT: On December 7, 2008, computer systems around the world go down simultaneously. They do not come back up.

Page Break

December 7, 2008: A Moment That Will Live in Cyber-Infamy

The alarm goes off in 2008. Several security experts' composite picture of a digital Pearl Harbour looks like this (although given that the event is by definition unpredictable, it will, in fact, probably not look like this):

It is global and instantaneous. It is so fast - seconds long - that no one knows about it until it's over. It does not attack PCs; it attacks the Internet infrastructure - such as domain name servers and routers - and industrial systems connected to the Internet, like utility control systems. It exploits an unknown or little-known vulnerability.

Five factors distinguish the digital Pearl Harbour from the virus attacks we've suffered to date.

  • First, it disrupts backup systems. Fragile networks heretofore have been mitigated largely with backup. Disrupt that and badness follows.

  • Second, it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbours pile up. Due to the loss of backup, corporate earnings data is irretrievably lost. This panics Wall Street and destabilises the financial sector. People run to their banks, but the banks cannot disburse funds; their networks are down. As are the credit card networks and the ATMs .

    If you don't have cash, you go hungry.

    Then the lights wink out. Everywhere.

    And it begins to get cold.

    Panic is a key part of a digital Pearl Harbour. "If you can disrupt the flow of money and resources, that's where I'd look for incidents to become bigger than what we've experienced so far," says Michael Hershman, an international security expert who has worked in military intelligence, and who was a senior staff investigator on the Senate Watergate Committee. Hershman now runs Civitas Group, a security consultancy, with Sandy Berger, the former national security adviser to President Clinton, and Richard Clarke. "Where you see panic and money, that's where I'd look for a digital Pearl Harbour."

  • Third, though the attack is instantaneous, its after-effects linger for weeks. People are hungry. Freezing. The old and the young begin to die. The strong turn against each other.

  • Fourth, after it's over, the attack's origin is pinpointed and the vulnerability it exploited is determined. That's another element that's been missing from most recent security events, especially virus outbreaks, and most notably in the August 2003 blackout. Blame has not been assigned; no heads have rolled. No one has even called for heads to roll. No heads can be found to roll.

  • Last, and perhaps most important, once the source of the event is determined, it's revealed that the loss of property and life was completely and absolutely and tragically avoidable.

Page Break

2009: Recrimination, Reconstruction, Reformation

That moment - the exposure of negligence to the public - is when security will start to get better. The senselessness of the incident and the profound losses it leads to will generate outrage.

The first response is litigation. Lawyers will prosecute vendors, ISPs and others based on downstream liability; that is, they will follow the chain of negligence and hold people accountable all along it. Hackers, whether their intent was malicious or not, will be arrested and prosecuted. If the event's nexus is overseas, foreign governments will cooperate to bring the miscreants to justice.

After litigation comes regulation. Historically, regulation always follows catastrophe. In 1912, Marconi operators aboard the Titanic were slow to receive the iceberg warnings because relays were jammed by the crush of unregulated amateur wireless users hogging the spectrum. The Radio Act of 1912 followed and, eventually, the Federal Communications Commission was formed. The crash of 1929 begat sweeping financial regulations and gave birth to the Securities and Exchange Commission.

"In the past, IT would have argued that you can't regulate because information technology is so different," says John. He doesn't buy it. "They said the same about oil. Sure enough, regulation brought order to that developing industry, and it will do the same here."

We've seen this quite a bit recently with HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley and, most similarly, the Patriot Act, which was a sweeping reaction to an attack that freaked us out.

"What follows regulation?" asks Jeff Schmidt. "Standards."

Internet security could use a lot of those, such as standard vulnerability reporting processes, standard software patches, a single naming convention for alert levels when viruses are discovered, standard secure configurations of software.

"Take any mature discipline and there are standards," Jeff Schmidt says. "If I work in biological handling, I know what a Level 2 clean room is. It doesn't matter who I work for. Standards will demystify security."

The final phase of the corrective response to the digital Pearl Harbour will be a reformation, a cultural shift toward better, more proactive security. If the first two stages represent our pound of cure, this is the ounce of prevention.

Of course, to have a reformation, you need a Martin Luther, a leader who's not only willing to push for radical change, but who also has a plan. Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he's experienced firsthand. (Luther, it should be noted, was just such an insider who was disgusted by the pope's practice of generating revenue by selling indulgences - that is, pardons from purgatory.) Or maybe it's an outsider with a lot of passion for the issue and money to support his cause.

In the case of a security reformation, this leader would borrow from the ideas of experts who already have reformist ideas, like SEI's Humphrey. Known as the Edward Deming of software, he has implemented and proposed radical changes to the way software is made. Humphrey is unsparing in his criticism of contemporary software security. We're letting creative artists build bridges, he says, then trying to stabilise them with unlicensed labourers while they're collapsing.

Included in Humphrey's blueprint for a security reformation are new software development processes that change the governance and structure of software engineering to favour security. Called Team Software Process (TSP) and Personal Software Process (PSP), they entail a fundamental shift in software development practice from the regular army model - top-down command - to a special operations model wherein a small group is given objectives and let loose to fulfil them. "I want the technical community to become professionals," Humphrey says, "to say: 'This is how we do our job.'"

TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.

Humphrey also has conceived of even more radical changes, including a software engineering curriculum modelled on medical school, complete with professional internships.

A full-blown security reformation would mark a triumph over the "tragedy of the commons", the dilemma that bedevils Internet security today. A principle in ecology, the tragedy of the commons states that individual short-term benefit trumps collective long-term benefit. That is, I will let my sheep graze on the commons to increase my personal wealth even if it contributes to the degradation of the commons as a whole.

In security, individual companies make, buy and deploy software to gain a competitive edge, even as the networking of that software degrades security for everyone. There's no incentive for any single company to improve security for everyone, especially if doing so threatens the company's competitive position and wealth.

Page Break

"By 2010, there will be a growing general awareness, a link between what individual users do and how that affects the national interest," says Tom Longstaff, the manager of the CERT Analysis Centre, which takes in data on the Internet's swelling number of vulnerabilities and security incidents. "I think of World War II," he adds, "and rationing rubber and nylon. After a momentous event, there's often a subjugation of the tragedy of the commons."

A security reformation will not take place overnight. Longstaff believes that even with a digital Pearl Harbour in 2008, we'll be only 20 per cent reformed by 2010. Whit Diffie, Sun Microsystems' CSO, suggests a 10-year time frame before we should mandate zero tolerance for insecure software and enforce strict liability laws. Even Humphrey says, "I'm hopeful, but the issue is one of time."

This vision of security in 2010 is a rosy picture painted with cynical strokes.

"God, we've been resilient," says Patrick Gray, the director of the Internet Security Systems' X-Force National Emergency Response, "but the ugliness is lurking. We're reaching our limit with the angst. Popeye once said: 'I've had alls I can stands and I can't stands no more.' We're reaching that point."

And when we do, everything will fall apart. And then, and only then, will it begin to get better.

[SCENARIO TWO]

SIDEBAR: Welcome To The Lockdown

If innovation and privacy have to be sacrificed for the sake of security, so be it

After the digital Pearl Harbour, one simple truth will become apparent to everyone: The surest and fastest way to avoid another one, to save lives and to make the world's computer systems secure, is to lock them up, freeze them in a permanent status quo. Put functions into chips that not only won't integrate with other applications but can't. Extensibility in 2010 is a liability, not a feature.

"That [scenario] is appealing because it's one of the simplest things you can do with computers: restrict their abilities," says Peter Tippett, CTO of security vendor TruSecure and noted security expert.

Tippett can't bear to imagine such a world. But Software Engineering Institute (SEI) fellow Watts Humphrey has resigned himself to it. "If we force security restrictions, we'll dry up a lot of innovation," he says. "That's a cycle we're likely to go through."

At the same time that the integration of applications becomes unethical as well as physically impossible, there will be a human lockdown. After decades spent making access to applications universal, computer scientists and software designers will focus on preventing access. Obviously, if bad guys can't get in, they can't do damage. Even good guys will face broad strictures on what data is available to them.

So there will be a surge in the development of software that blocks access to applications such as chat rooms, the Web, databases, whatever. And even features within programs, like the ability to forward e-mail messages, will be shut off. Again, the thinking is that since openness got us into this mess, only a lockdown will get us out of it.

Authentication applications will explode. The federal government will mandate that users must authenticate their identity to access the Internet itself, a sort of digital passport system for entering cyber-country.

However, as Dan Geer, former CTO of @Stake, notes, authentication can't possibly keep up with the number of people who need it and the number of transactions we try to control with it. Authentication doesn't scale.

But surveillance does. "The costs to observe are virtually zero, so it's not a question of will it exist, but what will we do with it?" Geer asks.

Enforcement of the government's security policy will come from broad, ubiquitous surveillance, both visual monitoring and keystroke logging. The adaptation of cheap wireless gadgets like RFIDs will make the tracking of people and things simple, cheap and inevitable.

Some people, perhaps the majority, will accept this as the price that must be paid to avoid another digital Pearl Harbour. Others will rue what the lockdown has wrought: an utter lack of privacy, a digital iron curtain descending upon innovation, economic stagnation, social calcification. Big Brother will arrive fashionably late, but arrive he will. Security and privacy will become dominant themes in the elections of 2010 and 2012.

Geer is convinced we're heading toward a broadly surveilled police state. "I'm sad about this," he says, "but I'm trying to be realistic."