Information Security: Can We Win?

The Mach37 Security Leader Dinner series has become a premier forum for discussing important topics in Information Security. On October 23, Philip Reitinger was the guest speaker. Although these discussions are non-attribution, and the philosophical musings, views, and opinions expressed are solely those of the author, a few of the ideas in this post are paraphrased from Mr. Reitinger’s prepared remarks, and are used with his permission. Some other ideas presented are crowdsourced from the community discussion or represent my own ideas on various topics.

Can we win the information security war? Currently the answer is no, and the situation is getting worse rather than better. It is getting worse for three reasons: complexity, connectivity, and criticality. The internet is so complex that nobody fully understands it, yet we are connecting everything to it, including all of our personal data and most critical infrastructure. At least we are finally paying attention to the issue, and our defensive technology is improving, so should we expect to be able to win in the long run? If winning means reasonable expectations of privacy, and reasonable expectations of protection for transactional information and intellectual property then the answer should be yes. So what would it take?

First, the internet was designed for connectivity rather than security, so there are some fundamental flaws to be fixed. There is some hope that the transition to IPv6 will address many of these issues, if not subverted by the providers. Baseline strong encryption of all internet traffic with no back doors is currently feasible. Strong authentication, providing some assurance that you are who you claim to be as we interact remotely, is on the horizon.

Second, the “edge of the network” is now every device, and the information and core computing resources (processor, storage, network interface) need to be encrypted and hardened. The move to stronger security by major device providers is a good step in this direction. Next comes automation. Procedures that involve highly skilled operators continuously monitoring for dangerous traffic simply cannot scale; they are orders of magnitude too slow and too expensive. The information security community is developing more automated processes and techniques which will help improve this situation.

Finally for the U.S. comes the legal and social changes necessary to support the technological changes. Unlike some parts of the world, we have criminalized much of the behavior of the “hacker” community in identifying issues and fixes in various information services, even among that large majority of the community willing to use their skills for positive purposes; we need to find ways to enlist their support rather than suppress it. We have also built an ecosystem where service and application providers of all types have been given free license to trade on individual’s data at the expense of privacy. Fixing these major legal/cultural loopholes is a key step in fixing the underlying security flaws, giving incentives for security rather than ignoring it.

So, in spite of the complexity, connectivity and criticality issues that widen the gap if all we do is play catch up, the answer is yes, we are still in a position to win…IF we put our minds and technology to the task…IF we are able to change some of the legal and structural problems…and IF we accept a relative rather than absolute version of what it means to win.

EPILOGUE (Call to Action): Phil Reitinger summarized the state of information security by re-telling the old tale of the two campers. As they get ready for bed, one starts putting on his sneakers, and the second one says “why bother; if a bear comes during the night, you won’t be able to outrun it”. To which the speedy camper replies “I don’t need to outrun the bear, I just need to outrun you”. We are very much under this type of extraordinary evolutionary pressure in cyberspace. The weak will continue as prey, and the predators will continue to roam. To survive in this new age the call to action is simple: Put on your sneakers and start running. Maybe if we all do it we might even starve a few dragons and bears along the way.