Security’s Alleged Disappearing Act

Wendy M. Grossman discusses the effects of recent acquisitions in the security market
Wendy M. Grossman discusses the effects of recent acquisitions in the security market

Security is hard. Predicting future technology is also hard. Together, the task is nearly impossible.
At Cambridge University, security engineer Ross Anderson says “we advise students ten years out because you can just see the shape of the monster”.

Fifteen years ago, privacy and security specialists were obsessed with encryption. Now, SSL certification is breaking down. Yet we don’t learn. According to the 2012 ‘Verizon Data Breach Investigations Report’, many big data breaches are still due to very basic errors like failing to change default passwords. Meanwhile, each new generation of technology punches new security holes.

“The bottom line is that we’re in serious trouble in the sense that there are no easy answers, and people are always looking for easy answers”, says Peter G Neumann, principal scientist at SRI. “The problems are inherently very complex”, he adds.

Some Things Never Change

Some trends are clearly changing the security landscape: cloud computing’s large, centralized data stores are turning security into a service; mobility; the nascent ‘internet of things’; and automation – including anything from law enforcement (speed cameras, automatic passport control gates) to free services with no technical support.

More complex trends include multiplying threat models: the Verizon report notes that while financially motivated crime is becoming stealthier and more narrowly targeted, hacktivist attacks that indiscriminately grab huge amounts of data are on the rise. Other key developments include the vastly greater collection of personal data from surveillance, automated tracking (everything from credit card trails to the log data kept by internet service providers), and widespread social media use. Finally, global shifts in economics and political power may mean a very different set of values rises to dominance, as Gill Ringland of Long Finance UK commented at the recent Digital Money Forum. The issues that today’s young information security professionals encounter mid-career will be vastly different from that of 2012.

There is, however, one unchanging element: human nature. Neumann, who edits the RISKS Forum, regularly complains about the frequent reappearances of mistakes that were solved long ago. Failing to audit code or change default passwords are just two examples.

“There are tons of stories in the RISKS Forum of things that have gone massively wrong, and nobody learns from these mistakes”, he laments. Meanwhile, the consequences keep getting bigger: in 1980, when ARPAnet was paralyzed by widespread buffer crashes, it was still possible to shut down and reboot each node. Today’s interconnections mean recovering from pervasive failure is far more difficult.

A complicating aspect of this that Anderson points out is escalating complexity. “When we were kids all mechanisms were – in principle and in practice – comprehensible by an intelligent ten-year-old”, he says. “Now you can’t do that. You need to come to [university] for three years, and at the end of it you have a vague outline of how the world works underneath.”

The Human Elements

This escalating complexity has several implications for security. In an increasingly automated world, decisions affecting millions of lives may be made by algorithms that only a handful of people really understand (as Woodrow Hartzog noted at the recent We Robot conference at the University of Miami).

“The idea of building security in seamlessly is largely a myth”, says Neumann. “When something goes wrong, we typically don’t have a clue what’s needed.”

Watch your kids’ response to uncertainty: today’s answer when anything goes wrong with a machine is to turn it off and back on again. That’s no way to fix a security hole – if you even know it’s there. The Verizon report notes that 92% of victims had no idea they had experienced a breach until being informed by law enforcement.

In a 2009 lecture he says is still current, Bruce Schneier (like Anderson and Ari Juels, the head of research at RSA Data Security) argued that security products will vanish into the infrastructure services we buy, rather than being sold directly to end users. For Schneier, that’s a sign of a maturing industry: “You don’t buy a car and pick up brakes on the way home.”

"The idea of building security in seamlessly is largely a myth"
Peter Neumann, SRI

Anderson imagines a slightly different bifurcation: “Perhaps we will end up with separation into those countries where consumer protection law works and those where it doesn’t.” The former will trust electronic services; the latter won’t.Schneier believes the industry will bifurcate – one strand paying for security, the other getting it embedded in free services where they have very little power. And possibly little confidence: at a meeting of digital payments specialists last year, it was notable that attendees were far more worried about someone hacking their webmail accounts than their bank accounts. First, because those (free) email accounts are locked to everything they do online, and second, because they do not believe they can get anyone to help them at the big webmail providers, whereas banks have established procedures.

“In infosecurity”, he adds, “there will be a separation between the kind of attacks that cost a few cents per machine, and those that cost several thousand dollars per target.” Think botnets versus Sarah Palin.

For some years, experienced infosecurity professionals have advised newcomers to learn business management. For Neira Jones, head of payment security at Barclaycard, such a change can’t come soon enough. For Bart Vansevenant, the executive director of global security solutions for Verizon, however, even this career path will shortly be superseded: “Much security decision-making will be outsourced”, he predicts, “and the CISO will become more advisory”.

Catching a Cloud

Yet what quality of advice can a CISO give when so much is unknown about the inner workings of cloud offerings? Neira Jones thinks behavioral analysis based on heuristics and artificial intelligence (AI) will be increasingly important. But she finds the disappearance of security into the infrastructure alarming.
“You’re not in charge of your own infrastructure”, she says, “and [your provider] won’t tell you what they’re doing”.

She points to stats at showing that data breaches are up 20% year on year – and all involve third parties.

“The online value chain with the cloud is really dangerous”, Jones concludes. In addition, data protection reform, when it’s complete in two or three years, will spur a cultural shift in the EU that may not be mirrored in the US.

Still, he says, using all that to detect and prevent fraud will be a much bigger technical challenge in the IT world than it has been in the financial world.One consequence of security as a service that RSA’s Juels was willing to contemplate was the demise of secure tokens such as his own company’s bread and butter, SecurID. “Even passwords will meet their demise”, he says. Juels predicts trusted paths from users to resources, a reframing of security away from authentication, behavioral detection, community sharing of malware detection, and a shift in our ideas about privacy away from data disclosure and toward data use and the algorithms controlling it.

“It’s a much richer domain”, Juels asserts. His preferred future scenario? “Turn my mobile phone into a cloud portal onto a desktop image, a cache I don’t have to worry too much about securing. That would be good.”
Wave Systems’ Brian Berger thinks the solution is hardware-based trusted computing. “Known machines”, he says, “providing data or access to data in a known way”.

Fact and Fiction

Juels’ wish for his mobile phone portal is widely shared. Mobile vendors and specialists in digital payments like Consult Hyperion’s Dave Birch want mobile payments to replace cash; even now, many people’s phones are their primary repository of personal data. Today’s kids – tomorrow’s workers – take theirs to bed at night. And yet, as Sotiris Ioannidis, a principal researcher at the Foundation for Research and Technology – Hellas (FORTH), notes, for these consumer devices, security is a design afterthought, and every bit of extra software takes its toll in lost battery life. Still, he says, “all the security technologies we are using so far will stay with us, though they may run on a different layer or place on the network. It may use the latest and greatest hardware or newer algorithms. But it’s not like we’re going to get rid of sandboxing or firewalls.”

For him, key upcoming dangers lie in the spread of internet connectivity to critical systems never designed for it – SCADA, the smart grid, power plants, the water supply network. “They’re all getting connected to the internet with access from anywhere in the world, and command-and-control decisions from across the globe”, Ioannidis observes. “There are multiple avenues of connection to the infrastructure and the potential for very, very bad results.”

One aspect of this is that the standards for telecommunications equipment mandate lawful intercept: back doors in telecommunications equipment, so that everything everywhere is surveillance-ready.

Eric King, head of research at Privacy International, who last year exposed Western companies’ global trade in surveillance technologies, thinks a vital shift in government thinking is needed. “I don’t know when – five, ten, 30 years? – people will realize that the only way to protect national security and the national infrastructure is to ensure that consumer electronics are secured to the nines, because it’s the same stuff”, he contemplates. Today’s mandated back doors must go, in his view, because “when you try to tie that down and look at access logs or exercise oversight – it’s built so you can’t”.

To pull all this together into a longer view, you need a science fiction writer with a technical background like Charles Stross (Rule 34, Accelerando). Mulling the aforementioned trends, Stross imagines the planet decades hence: “Hot, unpleasant, crowded – but it won’t have a huge imbalance in wealth.”

A key game-changer, in his view, is lifelogging; Moore’s Law will soon bring pocket-sized petabyte disks, storing full video and audio of all our waking lives, tagged with time, date, geolocation, and perhaps even health data. Text-to-speech will index it all, while making it searchable.

Even if the data is kept secure over a long period, how the meaning and context will change over time is unpredictable. Identity management will become a big issue.

“We really do need to secure mobile phones better – tracking and wiping are just the beginning”, Stross says. “They’re not just people’s wallets, but their entire identity.”

At which point, it may be that the thing most in need of protection will be the human carrying it. Be careful what future you wish for.

What’s hot on Infosecurity Magazine?