Communications of the ACM | June 2012 | Vol. 55 | No. 6
Viewpoints
Illustration by Yarek Waszul
Inside Risks
The Cybersecurity Risk
Increased attention to cybersecurity has not resulted in improved cybersecurity.
DOI:10.1145/2184319.2184330
Simson L. Garfinkel

The risk of being “hacked”—whatever that expression actually means—is at the heart of our civilization’s chronic cybersecurity problem. Despite decades of computer security research, billions spent on secure operations, and growing training requirements, we seem incapable of operating computers securely.

There are weekly reports of penetrations and data thefts at some of the world’s most sensitive, important, and heavily guarded computer systems. There is good evidence that global interconnectedness combined with the proliferation of hacker tools means that today’s computer systems are actually less secure than equivalent systems a decade ago. Numerous breakthroughs in cryptography, secure coding, and formal methods notwithstanding, cybersecurity is getting worse as we watch.

So why the downward spiral? One reason is that cybersecurity’s goal of reducing successful hacks creates a large target to defend. Attackers have the luxury of choice. They can focus their efforts on the way our computers represent data, the applications that process the data, the operating systems on which those applications run, the networks by which those applications communicate, or any other area that can possibly be subverted. And faced with a system that is beyond one’s technical hacking skills, an attacker can go around the security perimeter and use a range of other techniques, including social engineering, supply-chain insertion, or even kidnapping and extortion.

It may be that cybersecurity appears to be getting worse simply because society as a whole is becoming much more dependent upon computers. Even if the vulnerability were not increasing, successful hacks can have significantly more reach today than a decade ago.

Views of Cybersecurity

The breadth of the domain means many different approaches are being proposed for solving the cybersecurity problem:

• Cybersecurity can be viewed solely as an insider problem. What is needed, say advocates, are systems that prevent authorized users from acting improperly. Such technology would simultaneously prevent attacks from non-malicious (but improperly trained) insiders, disgruntled employees, and malware that had compromised the accounts of the loyalists. The problem with this approach is that we fundamentally do not know how to address the insider threat.

• Given that operating systems have become too complicated to make any assurances about their correct or intended operation, many cybersecurity practitioners focus on the promise of network security as a kind of silver-bullet solution. But as Iran’s experience with the Stuxnet computer worm demonstrated, even systems that are thought to be isolated can be compromised by outside adversaries. Even if network security were perfect—and it is not—we would still need to secure the hosts.

• Recently, there has been an effort to frame cybersecurity as an economic problem—convincing companies to spend resources on defense and training consistent with the risk they face. This formulation assumes spending more money actually increases security, but there is no evidence to support the assumption. Indeed, one of the persistent problems with framing security as an economic problem is that there are no reliable techniques that can be used to examine a system and measure the size of its vulnerabilities and the likelihood of compromise. Such attempts to measure security inherently risk focusing attention on what can be measured, instead of what matters.

• Others see security as a holistic process that encompasses all elements of an organization’s IT and HR operations. Such a broad formulation seems to have some benefits—Microsoft’s Security Initiative, started in 2002, dramatically improved the security of the company’s products. But most organizations lack both the technical and financial ability to make information assurance a primary goal, and even an effort the size of Microsoft’s did not create unhackable software.

The possibility of an active, malicious adversary is what distinguishes security from other computer science problems. A compiler designer worries that an optimizer bug might result in an incorrect calculation or undefined behavior. A security professional knows an adversary can analyze the compiler, the buggy output, and large amounts of code to find that single instance where the buggy executable and a specific input can be used to exploit a system.[1]

The adversary makes security more difficult than other computer science problems, because the adversary adapts to our best defenses and finds ways around them. Fortunately, adversaries are not all-powerful: they too are governed by economics, attention spans, and other external factors. There may be limits on the adversary’s knowledge of the target systems. In many cases we can decrease the risk of a successful attack.

Making progress on cybersecurity requires that we address a myriad of both technical and nontechnical factors that work to prevent governments, corporations, and even individuals from securing their systems. We have real solutions to many security problems, but many are unwilling to adopt them.

Technical factors that comprise the cybersecurity problem dominate the discussion among both technologists and policymakers. These factors include language and operating system choices, security architectures, usability, and training. What is frustrating is that many of the techniques and technologies for developing secure systems that have been shown to reduce security-critical defects, such as Microsoft’s Security Development Lifecycle (http://microsoft.com/sdl), have not been widely adopted. There is a huge gap between general practice and best practice.

Nontechnical factors impacting cybersecurity reflect deep political, social, and economic divisions within our society. These problems include shortened development cycles; the inability to attract and retain the best workers; and the general failure of our schools at early science, technology, engineering, and math (STEM) education. While it is certainly possible that the need to secure our computers will force us to find solutions to these other problems, such Pollyannaish hopes seem unlikely to be realized.

In recent years there has been an effort to liken cybersecurity to a public health problem. Just as hand washing and coughing into our sleeves can help halt the spread of influenza, advocates say, good “cyber hygiene” such as running up-to-date anti-virus software and only going to clean Web sites run by reputable organizations can help stop the spread of malware and the growth of malicious botnets.

A more accurate public health metaphor might be obesity. Just as there are companies in the U.S. that benefit from the production and consumption of excess calories, while others make money treating the medical conditions that result, there are companies in the U.S. that benefit from poor security practices, while others are benefiting from mitigating the resulting problems.

Preventing security snafus is difficult and frequently thankless. It is commonly reported that chief security officers are denied resources by management because they cannot quantify the risk their organizations face or how the requested expenditures will improve the security posture. We would like to demonstrate that security has a significant return on investment, but security is frequently just a cost. Chief security officers that deploy technology are sometimes criticized for wasting money when new systems are purchased and no attack materializes. For senior managers, the risk to one’s career of being innovative is frequently higher than the risk of maintaining the same poor practices of one’s peers.

The Isolation Fallacy

One of the simplest solutions proposed for the cybersecurity problem is to run systems in secure enclaves that are disconnected from the Internet. While the idea may sound attractive, execution is impossible in practice.

Even a so-called “stand-alone computer” has a bidirectional connection to the Internet. All of the software on these machines is typically downloaded from the Internet (or from media created on machines that were connected to the Internet). The documents produced on stand-alone machines are either burned to DVD or printed—after which they are often scanned and sent by email or fax to their final destination. A completely isolated system would have very limited utility.

Just as all computers are connected, so too are all humans connected to computers. Human activities as disparate as genetic engineering and subsistence farming rely on computers and communications systems to manipulate data and send it vast distances. An attacker can cause a lot of damage by modifying a message, no matter if the data is a genetic code or a coded SMS message. Millions of people live downstream from dams with floodgates that are controlled by computers.

Over the past 30 years security researchers have developed a toolbox of techniques for mitigating many kinds of cyber attacks. Those techniques include workable public key cryptography (RSA with certificates to distribute public keys); fast symmetric cryptography (AES); fast public key cryptography (elliptic curves); easy-to-use cryptography (SSL/TLS); sandboxing (Java, C#, and virtualization); firewalls; BAN logic; and fuzzing. These breakthroughs have resulted in countless papers, successful tenure cases, billions of dollars in created wealth, and several Turing awards. In spite of all this progress, cyberspace is not secure.

Some have argued that because today’s cyber infrastructure was designed without attention to security, the proper solution is redesign. Such proposals, when realized, frequently result in systems having the same kinds of problems we experience today. For example, some have proposed adding a kind of “authentication layer” to the Internet.[3] Such a layer would increase the value of stolen credentials, proxy-based attacks, and implanted malware—problems that already bedevil today’s authentication layers.

We frequently discover that what was once regarded as a breakthrough security technology is really nothing more than an incremental advance. For example, considerable effort was expended over the past decade to deploy non-executable stacks and address space layout randomization on consumer operating systems. As a result, Microsoft’s 64-bit Windows 7 is not vulnerable to much of the malware that can infect 32-bit Windows XP systems. Yet even without an executable stack, Windows 7 applications can still fall victim to so-called “return-oriented programming”[5] in which the attacker’s malicious code is created from the exploited program and a series of specially constructed stack frames, each frame executing a few instructions in the program before “returning” to the next sequence.

The Fault Is Both in Our Bytes, and in Our Selves

While it is tempting to focus on technical factors impacting the cybersecurity problem, I believe nontechnical factors dominate the variety of risks we face today. Shortened development cycles and increased competition mean much of the software and configurations that are deployed have not been adequately validated. It frequently feels like many organizations are implicitly relying on hackers for their security testing.

At the same time, obsolete, bug-ridden vulnerable systems never seem to get retired. In February 2012 approximately 30% of the computers on the Internet were still running Windows XP (down from 31% the previous month), according to W3Schools.[4] Yes, Windows 7 has vulnerabilities, but Windows XP is dramatically less secure: it should be banned from today’s cyber infrastructure.

Other factors increasing the cybersecurity risk include our difficulty attracting and retaining enough software engineers, and the failure of our schools to promote technology education from an early age.

It is important to realize that cybersecurity, despite its importance, represents only a tiny part of computer science research as a whole. Security professionals rightfully point out that a single flaw in practically any program can result in a devastating security compromise. This is troubling, because most computer professionals receive little if any training in security, most CS professors and software engineers try to ignore it, and there are few security specialists. This argues for better training and the creation of a licensing or certification process.

Some people blame pay scales. While science and engineering jobs pay better than average jobs in the U.S., they do not pay better than careers in medicine, law, and business, says Lindsay Lowell, director of policy studies at Georgetown University’s Institute for the Study of International Migration. Testifying in 2011 before the House Subcommittee on Immigration Policy and Enforcement, Lowell said it is the lower salary paid to science and technology professionals that is responsible for the large number of non-U.S. students enrolled in U.S. graduate science and engineering programs.[6]

For generations educators have recognized that one of the primary purposes of schooling is to teach students how to write. As a result today’s high school graduates have had at least 10 years’ worth of writing instruction (and many say their writing still leaves much to be desired).

The situation is worse when it comes to technology education. Think what you want about so-called “digital natives,” but experience with Facebook and video games does not translate into algorithmic thinking. Computers are part of early education in many communities, but the courses invariably teach how to be users, and not how to understand the underlying technology. Most college graduates have essentially no ability to perform even simple office automation tasks, and the typical CS graduate has less than six years’ experience writing software. A real risk of our current educational system is that most graduates simply lack the experience to write security-critical software because they did not start programming in middle school.

We may be increasingly an information society, but most companies see information technology, and especially information security, as a cost or a product rather than as an enabling technology. Organizations balance their security against other competing requirements. A 2011 Bloomberg Government Survey of 172 Fortune 500 companies found they were collectively spending $5.3 billion per year on cybersecurity and stopping just 69% of all attacks. The organizations told Bloomberg they could increase the effectiveness of their defenses over the next 12 to 18 months such that they could stop 84% of cyber attacks; to do so they would need to increase their annual spending to $10.2 billion. Stopping 95% of cyber attacks, which Bloomberg claimed would be the “highest attainable level” of security, would increase spending to $46.6 billion per year.[2]

Stopping 95% of cyber attacks means one in 20 still gets through—far too many when the result of even a single successful attack can be devastating. The situation is similar to cancer treatment: if chemotherapy leaves a single surviving cancer cell, the patient frequently dies. With cybersecurity it is clear we cannot cure the patient. We must learn to live with the disease.

Live with Cyberinsecurity

There is no obvious solution to the problem of cybersecurity. While we depend on our computers, we seem incapable of making or operating them in a trustworthy manner. Much is known about how to build secure systems, but few of the people building and deploying systems today are versed in the literature or the techniques. We should be designing society so that we can survive the failure of our machines, but it is more cost-effective to create systems without redundancy or resiliency.

Reducing our cyber risk requires progress on both technical and political fronts. But despite the newfound attention that cybersecurity increasingly commands, our systems seem to be growing more vulnerable every year.

References
1. C compilers may silently discard some wraparound checks. US-CERT Vulnerability Note VU#162289, April 4, 2008.
2. Domenici, H. and Bari, A. The Price of Cybersecurity: Big Investments, Small Improvements. A. Holmes, ed., Bloomberg Government Survey (Jan. 31, 2012).
3. Landwehr, C. A national goal for cyberspace: Create an open, accountable Internet. IEEE Security and Privacy 7, 3 (May 2009).
4. OS Platform Statistics, w3schools.com; http://www.w3schools.com/browsers/browsers_os.asp.
5. Roemer, R., Buchanan, E., Shacham, H., and Savage, S. Return-oriented programming: Systems, languages, and applications. ACM Trans. Info. Syst. Secur. 5, 1, Article 2 (Mar. 2012).
6. “STEM” the Tide: Should America Try to Prevent an Exodus of Foreign Graduates of U.S. Universities with Advanced Science Degrees. Hearing before the Subcommittee on Immigration Policy and Enforcement of the Committee on the Judiciary of the House of Representatives (Oct. 5, 2011), 112–164.

Simson L. Garfinkel ([email protected]) is an associate professor at the U.S. Naval Postgraduate School in Monterey, CA.

Copyright held by author.
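The compiler case the column cites when it says an adversary can find "that single instance where the buggy executable and a specific input can be used to exploit a system" (reference 1, US-CERT VU#162289) is easiest to see in code. What follows is an added example, not code from the column or from US-CERT: it places the fragile pointer-wraparound check that an optimizer is allowed to delete beside a length-based check that leaves the optimizer nothing to exploit. The 16-byte buffer, the function names and the constructed inputs are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the column. A fixed 16-byte buffer stands in
 * for any bounded region that a parser or protocol handler writes into. */
#define BUF_SIZE 16
static char buf[BUF_SIZE];

/* FRAGILE form: detect wraparound by adding an untrusted length to a pointer
 * and comparing. Pointer arithmetic that leaves the object is undefined
 * behaviour in C, so an optimizing compiler may assume p + len >= p always
 * holds and silently delete the first comparison (the pattern described in
 * US-CERT VU#162289). For a huge len the answer therefore depends on the
 * compiler and its flags, not on the source text. */
static int fits_pointer_check(const char *p, size_t len)
{
    if (p + len < p)                 /* may be optimized away entirely */
        return 0;
    return p + len <= buf + BUF_SIZE;
}

/* ROBUST form: compare lengths, never pointers. Each subtraction is between
 * values already known to be ordered, so nothing can wrap and no expression
 * with an undefined result is ever evaluated. */
static int fits_length_check(size_t cap, size_t off, size_t len)
{
    if (off > cap)                   /* write position already past the end */
        return 0;
    return len <= cap - off;         /* cap - off cannot underflow after the test above */
}

/* Bounded write guarded by the robust check. Returns the number of bytes
 * copied, or -1 when the request would not fit. */
static long bounded_copy(char *base, size_t cap, size_t off,
                         const void *src, size_t len)
{
    if (!fits_length_check(cap, off, len))
        return -1;
    memcpy(base + off, src, len);
    return (long)len;
}

int main(void)
{
    /* Constructed inputs: one ordinary request, and one whose length is
     * chosen so that off + len wraps past the end of the address space. */
    long n1 = bounded_copy(buf, BUF_SIZE, 4, "abcd", 4);
    long n2 = bounded_copy(buf, BUF_SIZE, 8, "abcd", SIZE_MAX - 2);
    printf("ordinary request copied %ld bytes, wrapping request returned %ld\n", n1, n2);
    printf("pointer check on an in-range request: %d\n", fits_pointer_check(buf + 8, 4));
    return 0;
}
```

The robust form gives the same answer at every optimization level because it never evaluates an expression whose result the C standard leaves undefined. The fragile form cannot even be exercised on the wrapping input without invoking undefined behaviour, which is exactly why a code review should replace checks of the shape `p + len < p` with a comparison against the remaining capacity, `len <= cap - off`.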