My topic for today is the future. In a sense, "the future" is once and always the topic for any security talk unless one likes to sit around one-upping each other with war stories.
Let me begin with some biases. First, security is a means and not an end. Therefore, a talk about the future must necessarily be about affecting the future -- which is why security is about risk management and why the purpose of risk management is to improve the future, not to explain the past.
Yes, I am acutely aware that the further back you look, the further forward you can see, but that is both different and precisely what I will now try to do. Let me be clear, however, that the only way to judge whether a prediction has any value is to wait until it is no longer a prediction.
It is likely that some of you will agree and likelier still that some of you will disagree that only God could have made a world like the one we inhabit, that its spectacular combination of complexity and durability, the balance and the terrible beauty, can only have come from a Designer. At the same time, if I can get us to a common truth, it will matter not what you or I believe.
Let us put aside, for a moment, how we came to be here. As I said before, risk managers do not care to explain the past, only to affect the future, yet by looking back perhaps we see ahead. Let us try to split that hair, to look back so as to see ahead, but without having to settle amongst ourselves the question of causality.
Paleobiologists see evolution as "punctuated equilibria"[EG] which is to say long periods of stability interrupted by short periods of rapid change. Evolution, as they describe it, is not some steady upslope at 8% grade, but rather the unexpected when least expected, and a flurry of change that will eventually damp itself out enough to be called progress, as if anything that brought us to where we are must have been progress since this is the best world that we have yet made.
Given that we are not explaining the past, only observing it, we don't have to agree on whether the world was made, but we can surely agree that the world going forward is made, by us, and we can agree that we are only too eager to make the world the world we want. In other words, we had better hope that we are intelligent designers ourselves. Put differently, sentient intervention in evolution's progress is just more evolution, but at a faster clock rate. Changes that depend on the favorable alignment of random perturbations take geologic time. Changes that are designed may have just as many unforeseen consequences, but the equilibria they punctuate are of much shorter duration, often a duration short enough that there is little real stability between episodes of punctuating rapid change. Those who argue that capitalism is simply a transfer of Darwinian survival to the synthetic life form known as the corporation living in a synthetic ecosystem known as the market would agree, though they would call the interval between one punctuating event to the next a business cycle.
The risk management we need is therefore the ability to maximize the damping effects of stable periods of risk and to be prepared to handle the punctuating events of the definitively unpredictable, the latter being what Taleb called "the black swan."[BS]
In my career, I have seen enough of these cycles of stability and surprise to find the description apt even if its cadence is arrhythmic. The most challenging security RFP I ever received was all of three bullets long:
Can we look back and see a few of these sorts of episodic catharses? Of course we can. Every transformation of the computing world has been a surprise, one that removed the reason for existence its predecessor depended upon and which was itself later removed in like manner. The first computers were rare, expensive, and they made redundant legions of folks who once worked out tables of logarithms to nine digits by hand. Time share destroyed the market for stand-alone behemoths, and desktop PCs destroyed the market for time share. Today, "Software as a Service" looks poised to destroy the desktop PC. At each stage, the best X ever produced was also the last X ever produced as it was itself rendered irrelevant by the leading edge of the next phase. My father, who today is for the first time not present on his birthday, had the finest Frieden mechanical desk calculator made, it was even mechanically programmable, and yet the lousy Bowmar Brain made mechanical desk calculators irrelevant. I am sure you can name example after example of the same phenomenon -- that of a kind of equilibrium punctuated by the end of the environment on which the most evolved members of that environment depended.
This being a talk about the future of security means that we must examine how this pattern in Nature plays itself out in the digital sphere. Note that I said "pattern in Nature" as that is precisely the mindset I want you to have -- that regardless of whether you think of the world as the triumphant creation of an omnipotent God or, like calculus, the infinite sum of infinitesimal bits from random time-series, that the very nature of Nature has examples of processes that cannot be other than the kinds of processes we should expect in our digital world. Unless we have become as Gods, some mix of the unexpected and our adaptations to it will be that of which the future is made. Every invention we make proves either non-viable, which is to say a non-functional mutation within the human ecosystem, or viable, which is to say it seizes an hitherto unoccupied niche either by creating that niche or by stealing it from whatever occupies it now. Whether creating or stealing niches matters not since over time, the number of niches increases, at least until one of those equilibrium punctuations.
The rain forests are the oldest biome on earth, which is to say they have enjoyed the longest run of stability, unlike, say, the boreal forests of Canada which were under a mile of ice a mere 10,000 years ago. As such, rain forests also have the greatest number of species, which is to say the greatest number of niches and the most complex inter-dependencies. Twenty-five acres of Malaysian rain forest will have more species of trees than the U.S. and Canada combined.[NM] Forty-three species of ants were found in a single tree in Peru -- the same number as in all of the British Isles.[EOW] The oldest biome in North America, the temperate rain forest of the southern Appalachians, has more species of lungless salamanders than anywhere else on earth. Yet, the equilibrium of the rain forests is being punctuated by a much more recent invention, Homo sapiens with power machinery. Some estimate species diversity in these rain forests as now draining away at the rate of five species per hour.
The important thing to realize here is that to the biome, to the occupier of a niche that was here yesterday and will be gone tomorrow, this change is a surprise. No tree can say "Time to move" and no salamander can think "I need to evolve." Evolutionary change depends on this unpredictability; otherwise yesterday's winners are tomorrow's winners, yesterday's dominant species only get more dominant tomorrow.
Note that "change" is not a synonym for "disaster." Some pines have cones that only open after they've been burned in a forest fire. This kind of opportunism for disaster is something we can see in our world -- today and every day -- in that for every backdoor some worm or virus installs, you can bet your paycheck that there is some other bit of malware that is searching for the self-same backdoor for its own purposes. A backdoor unused is like a biological niche unoccupied; Nature, both biologic and digital, abhors a vacuum. That backdoor will get used, the only question is by whom or what.
Let's illustrate this specifically. Everyone but everyone classifies the 9/11 attack as out-of-nowhere -- a black swan to again use Taleb's terminology. That attack changed everything because it was not foreseen. It was a physical attack, but we, here, deal in digital attacks. Many of us have heard the phrase "Digital Pearl Harbor" and many of us here have wished we hadn't. If we talk with a member of the general public, we are likely to hear something like "Look, you paranoid worry-warts keep predicting a big problem and if it was all that likely it would have happened by now. In fact, every day that goes by without something like that happening makes it more likely that it never will. Would you just stop bothering me?"
Now, a statement like "That we have gone this long without anything big happening" is precisely the kind of statement that expects stability to continue, and which is necessary but not sufficient for a punctuation of that stability. If we look at 9/11 as digital security people, we might remember that the NIMDA virus appeared the evening of September 18, 2001, i.e., a week later. Until that point, we'd never seen a virus that had carried more than one method of attack, and NIMDA had five. So, to begin with, even if we had known everything about each of those five methods including population statistics for the numbers and connectivity of vulnerable machines, we would not have predicted the ability of NIMDA to spread as it did as we had not yet thought to model the union of multiple vulnerabilities.
That, however, is not all. For writers of classic virus attacks, the measure of their success is the energy differential between the first entry into a given target and the second, i.e., the bigger the difference in how hard it is to break in the first time and how easy it is to break in the second time, the bigger the win. The lowest energy way to maximize this energy differential is to install a new backdoor. NIMDA followed this pattern and installed such a backdoor.
Because NIMDA had five methods for propagation and because it was evidently written with speed in mind, NIMDA was also the fastest spreading virus we had yet seen. That rate of spread is known amongst infectious disease people as virulence, and we'll return to that in a moment.
As you know, nearly all malware in the wild persists there. An older virus called E911 was such an example. E911 would cause your modem to dial 911 repeatedly; that is all it did. Now when I call you on the phone, the circuit stays up until the calling party disconnects. When I call 911, however, the circuit stays up until the called party disconnects, a difference that is done at the switch for the obvious reason that you do not want the intruder to cut the phone line and the Police Dispatcher to have to say "Now whom was I talking to?" For the Police to hang up on a 911 call when the calling party has gone away requires a human decision, made under uncertainty, done at human time scales. Because of this, it is possible to saturate a 911 console and that is precisely what the E911 virus was crafted to do -- saturate a 911 console.
The E911 virus was old and forgotten on September 18, 2001, but it was still available on the net and, of course, the Internet in the fall of 2001 was still dominated by dial-up connections. We got lucky in the simplest, stupidest, dumb luck kind of way. No jackass[SR] had the imagination to grab the E911 virus and re-target it at the backdoor NIMDA was busy installing at warp speed everywhere while we all were pre-occupied with watching CNN 24x7. If someone had done that, then everyone in America would have gotten up the morning of September 19 only to find that there was no emergency service available nationwide; it would have been turned off everywhere and all at once, like a light switch. While that would not have been a disaster of a physical sort, I submit that it would have been a grand mal seizure of the public confidence. Clinically that defines terror: it would have required no planning, just opportunistic reaction, and it would have been an unpredictable event whose downstream influence was out of all proportion to its concrete effects. It would parallel the Treasury's position that money lost or banks folded is a private tragedy of no importance, but that public loss of confidence in the financial system must be avoided.
On September 18, 2001, we escaped a public loss of confidence by luck and luck alone. As such, the next time someone tells you that the absence of a major Internet attack to date makes the absence of one tomorrow more assured, you can remind them that this proof (that we escaped such an attack by dumb luck) puts to bed any implication that every day without such an attack makes such an attack less likely. It does not make it less likely, but what it does most assuredly do is make it more surprising when it does come.
Note that I am not conjuring up nation state actors or divine intervention, though I personally believe that both are at work and at all times. What I am suggesting is that change is what evolution is about, that change is rarely steady but rather tends to be abrupt, that change is event driven, that the amount of change an event engenders is proportional to the surprise with which that event arrives, and that we cannot make this otherwise. Our preaching on this topic wastes airtime and, which is worse, the more we say "It is coming" the more those who live in the moment will have reason to ignore us.
Speaking as a person with some training in probability, perhaps the point is that probabilistic events occur eventually. Speaking as a person whose faith is real but irrelevant (at least to you), perhaps the point is that everything that has a beginning has an end.
For some time now, I have been promoting the idea of measurement in security, arguing that security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers. If you have heard me speak on the topic of security metrics, you will know that, consistent with the view that risk management is about changing the future rather than explaining the past, I see no need for metrics beyond their role in decision support. At our present skill in measurement of security, we generally have an ordinal scale at best, not an interval scale and certainly not a ratio scale. In plain terms, this means we can say whether X is better than Y but how much better and compared to what is not so easy. Having an ordinal scale is nevertheless well and good as knowing which is the better of two alternatives is what decision making is about.
At the same time, Churchill's admonition, that the further back one looks, the further forward one can see, implores us to at least test our predictive ability by imagining that we could use the past to test a mechanism of prediction since in using the past we can actually calibrate a prediction method by actually knowing what eventually happened.
A moment ago I spoke of the word "virulence." To a physician, virulence is how badly some bacterium makes you cough, sneeze, and worse, but to a bacteriologist, virulence is an innate measure of how good your immune system is at killing that bacterium, since if you can kill it with assurance, to survive that bacterium must cause you to pass it on to the next victim and to do so quickly enough that your immune system does not cut the skein of its life. Better immune response means greater virulence.
We can thus test a little hypothesis of prediction. Working with bacteriologist Trudy Wassenaar, I plotted the date of appearance and the speed of transmission for the big name computer virus attacks from 1995 on. What we found was just what an evolutionary model would predict -- virus appearances became progressively rarer, likely due to progressively competent computer immune systems, but when they did appear each was much, much more virulent than the one before. In other words, the malware called a virus, while perhaps no longer of much interest, showed the pattern of evolution that you would expect in the natural world, only evolving faster in time than random mutation would predict and thus confirming the view that sentient opponents only make the clock run faster.
Virus attacks have, of course, become rarer over time, which is to say that where infectious agents once ruled, today it is parasites. Parasites have no reason to kill their hosts -- on the contrary they want their hosts to survive well enough to feed the parasite. A parasite will generally not care to be all that visible, either. The difference between parasitism and symbiosis can be a close call in some settings, and of the folks who famously bragged of being able to take the Internet down in twenty minutes, one has said that a computer may be better managed once it is in a botnet than before since the bot-master will be serious about closing the machine up tight against further penetration and similarly serious about patch management. Therefore, since one can then say that both the machine's nominal owner and the bot master are mutually helped, what we see is evolution from parasite to symbiont in action. According to Margulis and Sagan, "Life did not take over the globe by combat, but by networking."[MS] On this basis and others, bot-nets are a life form.
As most of you know, I have argued for some species diversity in those parts of the computing infrastructure that we care to call essential. Stating the obvious, no one calls their part of the computing infrastructure inessential, so we might as well look at it all. The word you are waiting for me to say is "monoculture" and, there, I've said it. The diversity of the natural world is something we agree on far more than we disagree, preserving it as an end is a near universal desire and, like computer security, all the contention is around the means, not the end.
But we, laughably unintelligent designers, prefer monocultures whether it is of dry land wheat or corporate desktops. John Evans, of the University of the South, observes that when a natural hardwood forest is replaced with a pulp-wood monoculture "The crop fails in the first rotation, because the beetles go from being a native disturbance to a native epidemic. It only gets worse when you increase their food supply." Remember, if you will, that a patch is an advertisement of where the opponent's next meal is coming from since, as Eschelbeck showed, patching behavior is precisely like radioactive decay -- in each succeeding interval, half of the then unpatched machines are patched and, in any case, 80% of exploits appear within the first half-life of a patch-announced vulnerability and wreak 85% of their damage in their first fortnight.
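The half-life model above is easy to turn into a defender's planning tool. The code below is an added example, not part of the original talk: it models the unpatched population as exponential decay with the half-life as the only parameter, and then asks the question a fleet owner cares about, namely how much of the fleet is still exposed at the fortnight mark in which the quoted figures place most of the damage, and how long it takes to drive exposure below a chosen threshold. The half-life of 30 days and the fleet of 10,000 hosts are constructed inputs, not numbers from the talk.

```python
import math


def unpatched_fraction(days_since_patch: float, half_life_days: float) -> float:
    """Fraction of the fleet still unpatched after the given number of days.

    Radioactive-decay model from the talk: every half_life_days, half of
    whatever is still unpatched gets patched, so the remaining fraction
    is 0.5 ** (t / half_life).
    """
    if half_life_days <= 0:
        raise ValueError("half-life must be positive")
    return 0.5 ** (days_since_patch / half_life_days)


def hosts_unpatched(fleet_size: int, days_since_patch: float, half_life_days: float) -> float:
    """Expected number of hosts still unpatched at a given day."""
    return fleet_size * unpatched_fraction(days_since_patch, half_life_days)


def days_to_reach(unpatched_target: float, half_life_days: float) -> float:
    """Days until the unpatched fraction falls to unpatched_target.

    Solves 0.5 ** (t / h) = target for t, giving t = h * log2(1 / target).
    """
    if not 0 < unpatched_target <= 1:
        raise ValueError("target must be in (0, 1]")
    return half_life_days * math.log2(1 / unpatched_target)


def exposure_report(fleet_size: int, half_life_days: float, threshold: float = 0.01) -> dict:
    """Summarise exposure at the milestones the talk singles out.

    - one half-life: the window in which 80% of exploits are said to appear
    - day 14: the fortnight in which 85% of the damage is said to occur
    - days_below_threshold: how long until only `threshold` of hosts remain
    """
    return {
        "unpatched_at_one_half_life": hosts_unpatched(fleet_size, half_life_days, half_life_days),
        "unpatched_at_day_14": hosts_unpatched(fleet_size, 14, half_life_days),
        "days_below_threshold": days_to_reach(threshold, half_life_days),
    }


if __name__ == "__main__":
    # Constructed scenario: 10,000 hosts, 30-day patch half-life (assumed, not from the talk).
    report = exposure_report(fleet_size=10_000, half_life_days=30)
    for key, value in report.items():
        print(f"{key}: {value:,.1f}")
```

The useful lesson is in the shape of the curve rather than any single number: halving the half-life (say, by automating deployment) shortens every milestone proportionally, whereas adding hosts to the fleet changes nothing about the fraction exposed, which is the monoculture point the talk is making.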
As there is not a person in this or any room who will argue for explicitly reducing the species diversity of the natural world as a national goal, we have to ask why we do it in the synthetic biomes of enterprise computing. Despite what you might think, I am sympathetic to the actual reason we do it -- making everything almost entirely alike is, and remains, our only hope for being able to manage it in a consistent manner. Put differently, when you deploy a computing monoculture you are making a risk management decision: That the downside risk of a black swan event is more tolerable than the downside risk of perpetual inconsistency.
This is rational, to a point. In the physical world, the attacker must commit a perfect crime and the police have all the time in the world to unravel the mystery. In the digital world, the police must craft the perfect defense and the attacker has all the time in the world to find a single flaw in that defense. This realization leads to and underpins the demand to have consistent, airtight security. That phrase, "consistent and airtight," just about has to mean "all alike," and all alike is the perfect setting for attacks to come without warning, though, if you are lucky, they don't come on your watch.
I got into this monoculture versus diversity kick when I was asked to categorically state what sorts of attacks were of a level that legitimately could be called a national security concern. My answer then and now was that only two kinds of attacks were that important, and, like the Treasury department's view on bank failure, that everything else amounted to nothing more than some private tragedy. The first kind is any mechanism that, to operate correctly, must be a single point of function and therefore a single point of failure. The red telephone on the President's desk is just such a mechanism; having twenty-three red telephones would be far worse than having one red telephone. As such, that single red telephone deserves defense in depth and defense in depth is simply a referendum on your willingness to spend money for layers; it is rarely, if at all, a research-grade problem.
The other national security scale concern is cascade failure, and cascade failure is so very much easier when the attacker has only to write one bit of malware, not ten million. The idea is obvious; believing in it is easy; acting on it is, evidently, hard. I note, in passing, that the population statistics for platforms, operating systems, and tools present amongst the people in this room bear no resemblance to the public at large and, as such, you here are collectively acting on the diversity belief even if you cannot sell the idea elsewhere beyond such baby steps as Address Space Layout Randomization, the existence of which I view as total vindication of my monoculture thesis.
What I am driving at is that the natural world has lessons for us and that we are pretty miserable at intelligent design; provably poorer at it than whatever process brought Nature to us in the state it was in before we began to demolish it.
In the natural world, a high presence of attack pressure must and does result in a high rate of mutation. What part of your body suffers the most daily insults and thus mutates all day, every day? The E. coli in your gut. Their mutation rate rises and falls in relation to stress since if things are going well a mutation is likely to be deleterious whereas if things are going badly it may well be a last chance and, in any case, reproductive fidelity is more metabolically expensive than producing mutations. I suggest that some doctoral student might take a close look at whether a withering digital attack ought to provoke some adaptive mutations in the target. Put differently, if you are losing a game you cannot afford to lose, try changing the rules.
Social insects are the great success story of the natural world; there are 2^50 ants on the planet, the biomass of ants plus termites is 1/3 of the biomass of all terrestrial animals, and honeybees alone confer more economic benefit to humanity than all other insects combined collectively withdraw. I simply do not have time today to go into all the ways that social insects and armies of computers on networks are alike, so I'll just refer you to my paper in ACM Queue from last April. One hint, researchers were able to show with honeybees precisely what I said was true for computer monocultures -- that a hive all genetically alike either wins decisively or fails catastrophically, while a hive genetically diverse neither wins nor loses in any spectacular fashion at all.
In the natural world, a plant that is being eaten alive by, say, aphids will manufacture a come-hither scent that draws ladybugs. If you are a ladybug and you smell that "The Aphid Diner is now open" aroma, what would you do? Bank tellers may well cooperate with the robber, but you can bet they've pressed the button on the floor that calls the gendarmes. We do this with our honeypots -- they allow themselves to be taken down by some thug, all the while snapping pictures for the Network Police. In a sense, our intrusion detection systems do the same -- they call the police while they are going down.
Honeypots are, if nothing else, a kind of mimicry. Nature has many kinds of mimicry. To mention just two, there is Batesian mimicry which is where some prey species tries to look like some non-prey species, a sheep in wolf's clothing as it were, and there is Muellerian mimicry where all the ones that, say, taste bad look alike to make up for slow learners amongst the predators. To my knowledge, we don't much have this kind of protective mimicry in the computer field, at least yet. We have the reverse -- honeypots try to look tasty and vulnerable when they are not. As such, honeypots are more like angler fish, and, as with everything else today, we may have something to learn from Nature here. Perhaps every network segment needs a honeypot, a model that the common field cricket uses when the male who is singing is targeted by predators but that male will be surrounded by other males who do not sing, only mate.
Maybe the answer is just co-existence, what OASIS in the U.S. or MAFTIA in Europe called "intrusion tolerance." It isn't as if there is any new news in saying that by now we shouldn't have buffer overflows in applications yet, of course, we still do. Perhaps the answer is to just learn to tolerate those overflows and/or the intrusions they tend to enable. Medical science hasn't solved the common cold, either; we've just learned to tolerate it after effectively giving up on immunization as a public health strategy.
There are at least 350,000 species of beetles, which led to the biologist Haldane's remark that "The Creator, if He exists, has an inordinate fondness for beetles." This degree of speciation means beetles have an authentication problem, viz., "With whom can I mate?" We do authentication using cryptographic locks and keys where neither keys nor locks are interchangeable. Beetles have the analog equivalent; the mechanics of the male's penis will only match the mechanics of a female of the same species, enough so that properly curated specimens in museum collections will exhibit the penis adjacent to, but detached from, the rest of the specimen. One can stretch and say that the various mating dances of beetles and higher forms are just so much pre-authentication.
While some people like to say "Specialization is for insects," tell me that the security field itself is not specializing. We have people who are expert in forensics on specific operating system localizations, expert in setting up intrusion response, expert in analyzing large sets of firewall rules using non-trivial set theory, expert in designing egress filters for universities that have no ingress filters (like MIT next door), expert in steganographically watermarking binaries, and so forth. Generalists are becoming rare, and they are being replaced by specialists. This is speciation in action, and the narrowing of niches. In rough numbers, there are somewhere close to 5,000 various technical certifications you can get in the computer field, and the number of them is growing, thus proving the conjecture that specialization and speciation are not just for insects and that it will not stop.
Lest you think that it is too far fetched to consider a computer a life form, subject to evolution just like any other life form, consider embedded systems. They are already two orders of magnitude more numerous than keyboards and displays hence the future threat space, which we must lead in the same way one leads the deer when hunting, is a threat space where a computer is not identifiable as such, but is instead inside some nondescript appliance.
So should or should not an embedded system have a remote management interface? If it does not, then a late discovered flaw cannot be fixed without visiting all the embedded systems which is likely to be infeasible both because some will be where you cannot go and there will be too many of them anyway. If it does have a remote management interface, the opponent of skill focuses on that and, once a break is achieved, will use those self-same management functions to ensure that not only does he retain control over the long interval but, as well, you will be unlikely to know that he is there.
This leads to a proposal on what to do about the future: Embedded systems, if having no remote management interface and thus out of reach, are a life form and as the purpose of life is to end, an embedded system without a remote management interface must be so designed as to be certain to die no later than some fixed time. Conversely, an embedded system with a remote management interface must be sufficiently self-protecting that it is capable of refusing a command.
I define complexity as the density of feedback loops. A lot of people say that complexity is the enemy of security -- I'm one of them -- but at the same time I am here to argue that we have to learn from Nature precisely because Nature is the most complex thing we will ever see. Nature is an existence proof that complexity is not the enemy of life, but complexity is the enemy of stasis. Our problem is that we've pretty much equated security with stasis, and it is slowly getting us into trouble. Take forest fires -- if you always quench them, such as to protect vacation homes and tourist dollars, then you necessarily build up the supply of unburned fuel wood in the ecosystem and someday you get a much bigger fire. If you let any and every fire burn, someone who can vote will lose. If you prevent any and every fire, you look smart and life goes on, and predictably so... until it doesn't.
Part of our inability to cope with complexity is that we are treating security as an end when it is not. Maybe we get to a game we can win by changing the rules so that it is not security that is the goal state but reliability, which leads me to recall Lamport's bon mot: "A distributed system is one on which I cannot get any work done because some machine I have never heard of has crashed." I'll go one step further; security, for a mature industry, is almost surely a subset of reliability in that an insecure system won't be reliable but that just being secure doesn't assure reliability.
As most of you here know, Availability is formally measured as Mean Time Between Failures divided by the sum of Mean Time Between Failures plus Mean Time To Repair. As such, there are two games you can play to get 100% Availability; in one game, you do everything you can to force Mean Time Between Failures to infinity. In the other game, you do everything you can to force Mean Time To Repair to zero. Infinite time between failures or zero time to recover -- both yield 100% availability. The former, infinite MTBF, is a fine goal in and of itself but at this point in history we have put so many security products into our systems that the complexity of the sum of those security products has become itself part of the problem.
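The two availability games can be made concrete with a few lines of arithmetic. The following is an added example, not from the talk: it encodes the availability definition given above, solves it for each lever in turn (what MTTR buys a target availability at a fixed MTBF, and vice versa), and compares two constructed hosts, one "K-selected" host hardened for a long MTBF and one "r-selected" host that fails more often but is re-imaged in minutes. The hour figures are assumptions chosen for illustration.

```python
def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Availability as defined in the talk: MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def mttr_for_target(mtbf_hours: float, target: float) -> float:
    """Game two: hold MTBF fixed, find the MTTR that reaches `target`.

    Rearranging A = MTBF / (MTBF + MTTR) gives MTTR = MTBF * (1 - A) / A.
    """
    if not 0 < target < 1:
        raise ValueError("target must be strictly between 0 and 1")
    return mtbf_hours * (1 - target) / target


def mtbf_for_target(mttr_hours: float, target: float) -> float:
    """Game one: hold MTTR fixed, find the MTBF that reaches `target`.

    Rearranging gives MTBF = MTTR * A / (1 - A); as A -> 1 this diverges,
    which is the 'force MTBF to infinity' game.
    """
    if not 0 < target < 1:
        raise ValueError("target must be strictly between 0 and 1")
    return mttr_hours * target / (1 - target)


def compare_strategies() -> dict:
    """Constructed comparison of a hardened host versus a frequently re-imaged one.

    Values are assumptions for illustration, not measurements from the talk:
    - K-selected: fails once per 1000 h, takes 8 h of hands-on repair
    - r-selected: fails once per 100 h, is rebuilt from a golden image in 30 min
    """
    k_selected = availability(mtbf_hours=1000, mttr_hours=8)
    r_selected = availability(mtbf_hours=100, mttr_hours=0.5)
    return {
        "k_selected": k_selected,
        "r_selected": r_selected,
        "r_wins": r_selected > k_selected,
    }


if __name__ == "__main__":
    result = compare_strategies()
    print(f"K-selected host: {result['k_selected']:.5f}")
    print(f"r-selected host: {result['r_selected']:.5f}")
    # Three nines at a fixed 1000 h MTBF needs roughly one hour of MTTR.
    print(f"MTTR for 99.9% at MTBF=1000 h: {mttr_for_target(1000, 0.999):.3f} h")
```

The comparison shows the asymmetry the talk is pointing at: a tenfold worse MTBF is more than compensated by a sixteenfold better MTTR, and the MTTR lever is the one a defender controls directly through rebuild automation rather than through ever more prevention products.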
If we look at Nature in the form of the equations of ecology, we also see two alternative games for survival, r-selection and K-selection.[PER] R-selected species produce many offspring, each of whom has a relatively low probability of surviving to adulthood. By contrast, K-selected species are strong competitors in crowded niches, and invest more heavily in much fewer offspring, each of whom has a relatively high probability of surviving to adulthood. If we change the term from "produce many offspring" to "re-image frequently" you now have precisely the advice Microsoft's D'Anseglio gave when he said, "dealing with rootkits and advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit."[MD] This brilliant remark is a direct, if inadvertent, suggestion that desktop machines need to be r-selected, i.e., they need to die and be re-born often. If you are of a mind to invest in virtual machines, you may get r-selection as a side effect to whatever it is that you are trying to do with VMs.
My bacteriologist mentor taught me a further thing. The higher up the evolutionary ladder you go, the greater the percentage of the organism's total metabolic investment goes to self protection, topping out with humankind's investment of twenty years to raise its children. Her thought, and now mine, is that since it is abundantly obvious that except for people in this room, there are few computer users who are doubling their work output every eighteen months, hence the dividend of Moore's Law should be spent, in increasing fractions, on protecting the computer and the data it holds. My own company's product effectively suggests that you spend some of the 82,000X dividend Moore's Law has provided since the 1983 publication of The Orange Book on implementing the Reference Monitor, to take an example close to (my) home.
If we do somehow decide to do the kind of security metrics that are available to us at this early stage, they are likely to be trend metrics since, as a point of practice, a poor quality measurement will still give useful trend data, absent pathologic details that, for the purpose of this talk, I will ignore. Trend data, however, will never predict the black swan, the equilibrium punctuator, and so we have to mix our day-to-day efforts at prevention, which is to say lengthening out Mean Time Between Failures, with preparation for fast recovery when all of our efforts at prevention are shown to have been a fool's errand, which is to say shortening Mean Time To Repair. Both in your consideration of security and in your consideration of God, remember that no one can estimate the infinite on finite evidence.
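The two games behind Availability = MTBF / (MTBF + MTTR), worked through as an added example (not part of the talk): it computes availability, solves each lever for a target, and shows that, because availability depends only on the ratio MTBF/MTTR, the fold change needed on either lever is identical, which is why "re-image frequently" (cutting MTTR) is as legitimate a path to availability as hardening (raising MTBF). The desktop numbers are constructed for illustration.

```python
# Added example, not from the original talk: the two availability "games".
# A = MTBF / (MTBF + MTTR); game 1 pushes MTBF to infinity, game 2 pushes MTTR to zero.


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability of a repairable system (times in any one unit)."""
    if mtbf < 0 or mttr < 0:
        raise ValueError("times must be non-negative")
    if mtbf == 0 and mttr == 0:
        raise ValueError("availability is undefined with no uptime and no repair")
    return mtbf / (mtbf + mttr)


def _check_target(target: float) -> None:
    # 100% is reachable only in the limit (MTBF -> infinity or MTTR -> 0).
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")


def required_mttr(mtbf: float, target: float) -> float:
    """Game 2: the MTTR needed to reach `target` when MTBF is held fixed."""
    _check_target(target)
    return mtbf * (1.0 - target) / target


def required_mtbf(mttr: float, target: float) -> float:
    """Game 1: the MTBF needed to reach `target` when MTTR is held fixed."""
    _check_target(target)
    return mttr * target / (1.0 - target)


def lever_fold_change(mtbf: float, mttr: float, target: float) -> float:
    """Fold change needed on EITHER lever alone to reach `target`.

    Availability depends only on the odds MTBF/MTTR, so multiplying MTBF by k
    or dividing MTTR by k moves it by exactly the same amount.
    """
    _check_target(target)
    current_odds = mtbf / mttr
    target_odds = target / (1.0 - target)
    return target_odds / current_odds


if __name__ == "__main__":
    # Constructed desktop fleet: compromised every 90 days, 2 days to rebuild.
    mtbf_days, mttr_days, target = 90.0, 2.0, 0.999
    print(f"current availability: {availability(mtbf_days, mttr_days):.4f}")
    print(f"game 1 (harden): MTBF must reach {required_mtbf(mttr_days, target):.0f} days")
    print(f"game 2 (re-image): MTTR must drop to {required_mttr(mtbf_days, target) * 24:.1f} hours")
    print(f"fold change on either lever: {lever_fold_change(mtbf_days, mttr_days, target):.1f}x")
```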
I trace the security industry as we know it today to one of these black swan events, but one in comparative slow motion compared to, say, the Witty worm. Specifically, I trace the birth of the industry in which most of you earn your keep to Microsoft's introduction of a TCP/IP stack as a freebie in the Windows platform. Besides putting FTP Software out of business, a tactic followed so many times that I have literally lost count, the TCP/IP stack took an OS designed for a single owner/operator on a private net, if net at all, and connected it to the world. Once that stack was installed, every sociopath became your next door neighbor and, as such, we can point to that event as the birth of our industry. Had I chosen to do visual aids today, I would show you the sudden, one-time-only, wholly dramatic spike in the second derivative of the rate of attacks reported to the CERT that immediately followed the appearance of a TCP/IP stack on Windows. Note that I said a spike in the second derivative; nothing much else happened for a bit but, similarly, lighting the solid fuel on the Space Shuttle doesn't have any instantaneously visible effect either.
The second of these moments occurred, as far as I can tell, some time around 24 months ago. Like the first, it was no thunderbolt, more like a glacier finishing its slide across a river bed and thus "suddenly" damming the waters. This moment was when our principal opponents changed over from adventurers and braggarts to professionals. In a sense, professionalization of the attack class is akin to virulence in that the increasing immunity of computer systems forced an upgrade in the ability of the attacker to attack, i.e., finding vulnerabilities and exploiting them is now hard enough that it has moved out of the realm of being a hobby and into the realm of being a job. This changes several things, notably that hobbyists share their findings and are paid in bragging rights whereas professionals do not share and are paid in something more substantial than fame. Speaking biologically, a mutation (toward strength) on the part of the prey was matched by a mutation (also toward strength) on the part of the predator. As a side effect, the percentage of all vulnerabilities that are unknown has risen and will continue to rise. We have yet to reach the post-punctuation equilibrium.
This mutation toward strength represented by professionalization of the attack class was not a simple, compensating match for the increasing self-protection in merchant operating systems. It went further, and it did so because, at least for the first world, the digital arena is now clearly where the opportunities are, so much so that when robbing banks it is the amateur who uses a hand gun and the professional who uses a bot.
In the fall of 2006, I did some back of the envelope calculations that resulted in a guess that 15-30% of all desktops had some degree of external control present. I got a bit of hate mail over that, but in the intervening months Cerf said 20-40%, Microsoft said 2/3rds, and IDG said 3/4ths. It doesn't matter which is right; what matters is that this changes a core feature of the ecosystem -- and changing a core feature is the very definition of a punctuating event. In this case, the punctuating event was not the standing up of a professional class of attackers, any more than in the first go 'round it was a spike in the second derivative of the reported attack rate. What it was, is that a fundamental assumption of network security has now been breached and there is no putting it back together again.
Ever since we did Kerberos, the idea has been "I'm OK and you're OK, but the big bad network in between us cannot be trusted for a second." Authentication, authorization, and accountability all begin with authentication and that, in turn, begins by asking the Operating System the name of the user. What has really changed is that it is no longer true that "I'm OK and you're OK," since it is entirely likely that the counterparty to whom you are connecting is already compromised. A secure network connection? Who cares if the other end is hosed. Spafford was right but early when he likened network security to hiring an armored car to deliver gold bars from someone living in a cardboard box to someone living on a park bench.
That is the new security situation you and we are facing -- what to do about 0wned counterparties. This is a today issue, not a tomorrow issue; the November 2006 10-Q filing for E-Trade included a material loss due to exactly this problem, the first SEC filing of this sort to my knowledge. 0wned machines mean key loggers and key loggers mean opponents who can get you to help them in the pump phase of a pump & dump stock fraud, whether you like it or not. If and when you ever bother to call your discount broker to complain that this or that purchase was not one you did, the broker has two choices: "You are an idiot." or "We'll make it up to you." Such a situation is untenable.
The most likely option, and it is under discussion in several places today, is for some kinds of transactions to be based on the merchant side 0wning the customer side for the duration of the transaction. Whether this comes as an ActiveX control, some sort of use-once browser, or something else remains to be seen. In clinical trials, pharmaceutical companies long ago found it was safer and easier to manage if they just shipped a laptop to the participating doctor. Brokerages probably won't do that and random e-commerce merchants absolutely will not, so we are back to whether it is a good idea for the merchant side of the transaction to assume that the client side is already compromised and to compromise it for a moment on its own account. This is no easy decision for either side, but if the average customer's choice is a no-loss guarantee in exchange for a moment of remote control, then it is my bet that they will take the offer. Whether this is how it goes or not is, however, irrelevant -- I am just using this as an example of an adaptive reaction to our opponents becoming good enough that the original "I'm OK; You're OK" starting point for network security no longer applies, and some mutation will have to replace it.
By the way, if you think the professionals aren't winning, just consider that they now value stealth over persistence, i.e., they find it so easy to 0wn machines that they make no effort to survive reboot, preferring instead to hide in-core only. Consider this the equivalent of gene therapy as prescribed by Dr. Faustus.
At the end of the day, however, we are facing a much bigger, more metaphysical question than the ones I have so far posed. That I can pose many others is of no consequence; either you are sick of them by now or you are scribbling down your own as I speak. The bigger question is this -- how much security do we want?
How much security do we want is the real question, and while Nature can give us more clues than we can ever use toward improving what we puny humans can do, we are fast closing on a point where the question we must ask is whether we wish to turn over our security to sentient machines. Kurzweil is beyond all doubt correct;[SN] within the career lifetime of nearly everyone in this room, computers will be smarter than we are. Only people in this room will understand what I am now going to say. It is this: Security is perhaps the most difficult intellectual profession on the planet. The core knowledge base has reached the point where new recruits can no longer hope to be competent generalists; serial specialization is the only broad option available to them. Computers will soon be called upon to do what we cannot, and that is to protect us from other computers, and to ask no permission in so doing. Every practitioner in this room can tell some story where an insane affection for convenience caused people for whom you were nominally responsible to create, or at least tolerate, insecurity and to be offended if you endeavored to make them see that light.
That fraction grows as the stakes grow. They outnumber us now, and they will demand protection and convenience. They see no problem in surveillance if it keeps them safe. They, and especially the younger of them, have never considered whether they had or did not have privacy and thus do not and will not miss what they never had. Being eternally on-line and available has reached the point where one is thought exceedingly odd to be otherwise when, in point of fact, the most heated debate at the first workshop on mobile computing, held a mile from here just fifteen years ago, was on precisely the offense that an expectation of being always on-line represented. The percentage of corporate assets that are digital rather than physical is growing, and deploying protections against threats to those assets will make the SONY rootkit or DRM seem quaintly innocent by comparison. The next punctuation of the equilibrium will be the effective end of the general purpose computer as a consumer durable -- as presaged by Apple dropping the word "Computer" from its name, or by leading Wall Street trading firms already going back to displays only on the desktop and no PCs at all. If you do not have a general purpose computer, with which, to paraphrase Felten,[EF] you have the freedom to tinker, I ask you what kind of security will that be?
I will tell you what kind it is, but first I will say that what brought us all here, to this field of endeavor, is a love of knowing how things work, and we satisfy that love by knowing how they fail. We, all of us, hunt the unknown unknowns. The smartest thing a US Cabinet Secretary has said in my lifetime was Rumsfeld's remarks on how it is the unknown unknowns that interest him. Every person who made fun of that proved, if nothing else, that they were innumerate. The unknown unknowns are why we are here. The unknown unknowns are a predictor of various kinds of failure. The urge to stamp them out is understandable, but God help us if we take a bargain that promises no more unknown unknowns. Kurzweil's "singularity" includes the idea that all knowledge will be available to everyone at all times, and because this is one hell of a lot of knowledge you will be only too grateful to have your memory uploaded from your brain to your real personal digital assistant.
A world without failure is a world without freedom. A world without the possibility of sin is a world without the possibility of righteousness. A world without the possibility of crime is a world where you cannot prove you are not a criminal. A technology that can give you everything you want is a technology that can take away everything that you have. At some point, real soon now, some of us security geeks will have to say that there comes a point at which safety is not safe.
I know full well that my views are neither pleasant nor fashionable, but I am staring into the fog of the future as hard as I can stare.
...
There is never enough time. Thank you for yours.
References: