On Tuesday, June 21, 2016, the Commission on Enhancing National Cybersecurity #WHCyberComm met in Berkeley to get input from Industry and others. The main goal of the commission is to produce a “transition” memo to the next president to implement important policy changes within the first 100 days of the new administration, which is usually a time window where dramatic moves are made. The industry witnesses highly valued their chance to bring across their views and influence policy decisions to their benefit which made it an interesting event to watch. In this blog post I try to summarize the most important points that were made during the day.
Overview
The prevailing opinion is that security is a field that needs more attention, that current practices are far from optimal and that industry and government could do better. With the IT landscape changing rapidly in short time intervals (Internet, PC, Social Networks, Mobile, Cloud, Crypto Currencies, …), new treat vectors emerge as well and hence security is also a moving field. For reasons we will get to later, government involvement is necessary and the industry welcomes and proposes more regulation. Interestingly, nobody claimed that the market will regulate itself during the meeting.
What is Security? A classic academic definition is that a system is secure if it employs security mechanisms such that no attacker, described in a threat model, can violate the security objectives of the system. Take as an example the “password reset” system that most websites use: When a user enters a valid E-Mail address, the system sends a URL with a key to this E-Mail address. By visiting the URL, the user can then specify a new password for the system. The treat model would include every attacker who has not access to the user’s email account. And the security goal would be that only the account owner can access the account. There are several problems in practice with this approach. For instance the attacker might know personal information about the email account holder (birthday, mothers maiden name, favorite ice cream, …) that allows him to reset the password for the email account. Also, most emails are sent unencrypted, hence an attacker might find it difficult to gain access to the complete email account, but intercepting one message sent to it is much easier and sufficient. Further, an attacker might find a software vulnerability in the system that allows him to bypass authentication altogether. In conclusion, threat models are hard to get right and security mechanisms are impossible to proof correct. Hence industry must take a much wider approach to “Security”. Security is a process. It includes humans. Perfect security is impossible, hence it is much more about assessing, managing, and minimizing risks while optimizing the return on investment. A powerful adversary like a Nation State Actor will always get into a system to some extend. A healthy organization hence must employ defense in depth and quick incident response.
In the following, I will touch on different topics that come up when considering Security more broadly.
Truths about Security
The Network-based security approach is dead.
Okey, this is a gross exaggeration. Network-based security will remain essential for defense-in-depth, virtual patching of vulnerable legacy services, and defending against opportunistic attackers. But the truth is that the network-perimeter gets more and more diluted. By putting critical infrastructure into the cloud, it often gets publicly accessible. Expanding BYOD (bring your own device) and home-office practices poke more and more holes into the network perimeter and growing deployment of true end-to-end encryption render classical methods of intrusion detection and information exfiltration protection useless. The concept of a single network perimeter with all devices with trusted can not be sustained. Some device inside the network is always vulnerable. Infected machines inside corporate networks can be searched for by company name and purchased inexpensively in the dark web. If this avenue is not available for an attacker, he will in the last resort always find some unpatched embedded device (e.g. NAS storages, routers, firewalls, …) or when necessary just develop a new 0-day for some device present in the network, as the recent hacking-team hack report showed. Hence, the focus and the majority of the investments in the Security industry should shift from network security to endpoint security. Furthermore, one should not trust the physical security of the own network and use encryption even for internal communications (especially Google had to painfully learn this lecture).
Privacy and security by design is much easier than adding it later
This is a no brainer. But some people still develop products and only later think about “adding security”. This usually is costly, sometimes impossible, and will add high maintenance costs for sure. Cryptography and tools like differential privacy are good ways for designing systems with much lower trust assumptions on the single components. They should be used.
Authentication. Authentication. Authentication.
Currently, authentication is always a weak spot in enterprise systems. Passwords are weak, get lost and two factor authentication is a must for many reasons. When designing authentication systems, strong actors should be considered. For authentication, one should therefore never rely on third parties. This is not the only reason why one should not rely on SMS as a second factor. SMS was not designed to be an authentication system, it is blatantly insecure and on top of that the network operator has to be trusted to not do something funky.
APTs
Attackers capabilities and dedication is often underestimated. Facebook sees actors in their network with capabilities that one would only expect from a nation state cyber warfare command at most but these are regular criminals. Companies face new threats specific to their industry and need to specifically study these. Facebook it is spam and hijacked accounts. For Uber it is drivers who fake rides to cash out stolen credit cards. For AirBnB it is fake stays to cash out stolen credit cards, for some online banks it is user who deposit cash through supermarket registers for free but then use their credit cards to do so and receive cash back or bonus miles on top of that. Every business has its specific threats.
Red teaming
Red teams are teams of security experts specialized in offensive operations. They get hired by companies to test the effectiveness of their defense mechanisms. A common misconception here is that they should be responsible for finding and reporting vulnerabilities. Finding vulnerabilities should be the job of the product security team. This can and should be done internally. The read team’s job should instead be to test the intrusion detection and incident response capabilities of an organization. This includes putting the incident response team into a stress situation and test the communication and chain of command in an organization. As a general rule, the red team always wins. Then it is important to fix the flaws. What red teams often see in practice is that they abuse and report the same flaws year after year and organizations fail to implement defenses.
Bug bounty
Some companies employ bug bounty programs that pay rewards to independent researchers who disclose vulnerabilities in the company’s products to the company instead of selling them on the black market. Some companies still threaten bug reporters with law suits which encourages them to sell the vulnerabilities on the nowadays quite easily accessible black market. Some companies reported that the accumulated payouts to bug reporters are extensive (millions of dollars) but this is orders of magnitudes cheaper than trying to find all those bugs by themselves. If all of the Fortune 500 would do bug bounty programs, that’d be a good thing.
The Ecosystem is important
Some companies like Google invest considerably into improving the state of the art of Security in the whole ecosystem, rather than only their products. Project Zero is the leading example. They also find it beneficial for them to invest into improving and publishing secure open source software.
Globalization
Big businesses are global in nature: They sell their products globally and their supply chains are global as well. This is especially true for internet companies. As Security is often about securing the weakest link in the chain, a domestic view of the problem is wrong. It can not be solved by the U.S. alone. But we need to recognize that certain companies and governments will not cooperate as we like. Nation State Adversaries take physical control over their part of the internet and we have to have this in mind.
Insights from real companies
Apparently these days this is what happens inside companies: At some point the company experiences a major breach that comes with major losses (loss of reputation, law suits, damages, loss of IP, …). On the executive level, one can then observe a shift form under-appreciation to overreaction. Security is made a top priority, funds are allocated and expensive equipment and consulting services are purchased. After a few month, when emotions flatten and some expensive purchases are regretted, the company learns to better revalue their digital assets and the cost of a public disclosure of them. Previous completely technical conversations get leveled up to a holistic conversation, because upper layers of management get interested and the interdepartmental communication improves.
Improving the State of the Art: Product Security
The truth about product security is that many software products, IOT devices in particular, but also widely used laptop models, phones, etc. are unnecessarily insecure. Too many vendors make negligent mistakes when securing their devices. Stuff that 12 year olds find and break. As a security researcher I spent a good portion of my time shaking my head. A majority of security vulnerabilities could’ve been avoided if only someone with a CS degree including a security class would have looked at the product in the QA process. But vendors apparently are miss incentivized to go this extra mile.
Concrete proposals to the commission were that the government should use its purchasing power to incentivize vendors to care about security. Specifically the government should only purchase any technology after thorough code review. (We’ll talk about standards later). But it was also noted that then in return the same standards should be applied to internally developed software.
But this also raised the concern that the concept of code audits is out-of-date. Instead we need flexible security. We need to embrace a culture to acknowledge vulnerabilities and fix them quickly. We need good risk management. Compliance and code audits just shifts the focus to less important points.
Trust issue with private sector
In the U.S. there is a prevailing trust issue between government and the private sector. Industry is not amused to see the government hacking into their systems without their knowledge (especially Google said this) and putting their user’s Security at risk. Industry would also appreciate if the government would share 0-day vulnerabilities with them so that they could fix them and improve their customer’s Security. Furthermore they are really unhappy with the growing numbers of gag orders. As for most U.S. based internet giants, only a tiny fraction of their users are based in the U.S. and the U.S. government exercises their power to get foreigners private data. The existence of gag orders without a release time destroys trust of the foreign customers. The private sector would also appreciate more transparency on the government side, e.g. regarding the number of court orders, etc.
Government Intervention and Government Agencies
The Security problem will not be solved by industry alone. Especially national security is not incentivized through money and is of course a core responsibility of the government. A concrete proposal at the meeting was to remove the US cyber command from the NSA, and create one unified command including FBI and other government entities. This unit should be run by a special “Secretary of Cyber”, reporting directly to the Secretary of Defense. Although I do not know much about how the U.S. military, security agencies and polices are organized in the U.S., I don’t think this approach is a good one. The aim is of course to bundle resources and create one punchy cyber force. This desire might arise because the many currently separated teams are lacking skills? I don’t know. But those agencies are separated for good reasons (separation of powers and stuff) and they should remain separated. Having only one central cyber command would probably also make communication with the different agencies more difficult.
The proposal went on to create one campus for defense and attack practice. I find this thought very dangerous. There is a huge conflict of interest. The attack side definitely has an interest in keeping vulnerabilities secret rather than responsibly disclosing them to vendors to strengthen defense. The economies of the issue will always favor the attackers. Successful breaches are far more easy to accumulate than successful defenses. Also when you launch an attack successfully you have something to show and justify your funding. Successful defenses are usually quiet because that’s just the absence of an attack. Hence I fear that an agency that combines attack and defense competences would lean towards the offensive side in order to secure more funding.
Another concrete proposal was to make the security clearance process easier in order to get better at talent acquisition.
Policy
In one concrete example, there was a class-action lawsuits against an enterprise that considered an attack from a nation state attacker. Industry said there should be no law suits like these. I say they’re good because the court should definitely determine if the enterprise pursued appropriate protection for their customers.
There should be more laws to improve the cooperation between the cooperate world and hackers. Back in the 90s, many Security Researches wanted to do the right thing but then faced legal threats. These responsible disclosures of security vulnerabilities should be more supported by law and companies as well as the government should consider running Bug-Bounty programs.
Another big debate is whether regulatory compliance standards are helpful. I see many problems with those. The state of the art and best practices change too fast for requirements to adapt. Resulting fast-changing requirements would impose a difficult to justify financial burden on companies. And on top of that it is difficult to make good recommendations anyways. Different strategies exist and different companies should adapt their strategy to their specific needs. Furthermore, compliance with existing standards is not sufficient and worse may lead to assumed security. In fact, all the company responsible for the big data leaks in the last years have been PCI DSS (Payment Card Industry Data Security Standard) certified.
Another talking point were international relations. How should the U.S. engage internationally with companies that are global? For instance, Google does not like the fact that the U.S. government exercises power over their foreign customer’s data. And this grows to be a seizable competitive disadvantage for Google. Regarding cooperation with other governments, of course it was said that the MLAT process should be improved. One general global problem in the debate is, that the cultural concepts as well as legal definitions of “private information” vary greatly across international borders. To improve discourse it is necessary to agree on a common language.
An important point that was raised is that whenever the U.S. would impose import restrictions to mandate product security, the same restrictions should be applied domestically.
One interesting other point that was made is that some laws actually incentivize companies to try to not find out about their security vulnerabilities (specifics were named, but I don’t remember). This is of course bad. Instead we should embrace flaws and fix them.
Improving Overall Corporate Security
One proposal was to establish a security index rating for companies (and maybe states) much similar to the existing liquidity ratings from agencies like Moody’s and Standard & Poors. I like the idea to have a rating that reflects the overall security health of an organization. Private rating agencies probably have the best flexibility to come up with rating mechanisms that are meaningful since they will compete for the best rating mechanisms on the market.
Another proposal was to put a designated security expert on the management board. I don’t know if that is the right approach. Other members of the management board could also just be better educated in Security or seek more advice from Security experts.
Yet another proposal was to make it mandatory to report the IT security health of an organization in SEC fillings. Probably a good idea.
Collaboration between Industry and Government
Industry said that they have generally great relationships with law enforcement, on the local and on the state level. But they regret that there is no continuous contact, instead the interactions are only incidence-based.
Threat and vulnerability sharing is one thing that can be greatly facilitated by the government. But the information currently shared by the government is extremely outdated. They watch an attack happen and later tell the companies about this attack. The goal of threat and vulnerability sharing is to raise the cost of an attack heavily. If an dedicated actor can use his 0-day exploit only to infiltrate one company’s network and has to develop and use a complete new tool chain and new tactics for each mission, the cost of an attack rise manyfold. But this requires very fast, in the best case real-time, sharing of threats. Machine to machine, without an human in the loop in the standard case. Because the government failed to provide a platform for this, Facebook and others have created such a platform where threat intelligence is shared automatically. This includes the standard stuff like malicious URLs, spam classifiers, IP addresses but it also goes so far that Facebook shares hijacked account’s email addresses with dropbox, who then disable the account and force the user to pick a new password. Of course, there are some challenges when it comes to this sort of cooperation. What if the threat data contains sensitive user information? Here I think that in some cases cryptography would help. For example, one can use private set intersection to help companies find out a set of users who they have in common and who’s accounts have been broken into. Another issue is the correctness of the shared information. If there is no human in the loop anymore, a malicious threat-info contributor could submit benign data instead of malicious data to cause denial of service. Also, one would need to ensure that this data about open vulnerabilities does not fall into the wrong hands. Hence the trust issue between industry and government can hamper the adoption of a platform that is provided by the government.
Consumer Protection and Consumer Education
For a long time, security experts designed their system in a way such that they are secure as long as they are used correctly. That’s the wrong approach and industry is starting to realize that. Because users are not going to use their systems correctly. They do login as admin for day to day work, they do use easy to guess passwords, they do klick OK if they don’t understand a safety warning and they think they should install a software to clean up their computer in order to watch their favorite movies. Technology providers have the role to provide safe default configurations, not overwhelm users with security popups, and make the security features intuitive to use. And the security design has to account for misbehaving users.
When it comes to consumer education, where we think that something can not be solved by a secure default and we need to rely on the user to make a educated decisions, it has to be acknowledged that there is an absolute limit on how much users behavior can be influenced. There is a tight budget that needs to be spent very carefully. For instance, instead of trying to teach users how to use virtual machines to isolate their work and gaming environments, this time might be better used to explain, why re-using passwords is bad.
When it comes to phishing, I think there will be no way to educate every user how to detect it, we can do our best, but a noticeable fraction of all users will always have problems with that.
An interesting number I got was that less than 1% of all Dropbox users use two factor authentication. Honestly, I’m not very surprised, but still a number to think about.
A very interesting fact is in my opinion the fact that the median new user for Facebook is someone who has never used a computer before and for the first time of their life has a smartphone with internet access in their hands. That challenges even more assumptions we have on users.
Specialist Education
Representatives from both government and private sector said repeatedly that they have an enormous talent shortage for skilled Security professionals. Companies like Facebook even started to build a long-term talent recruiting pipeline where they already begin targeting students in high school and then accompany them through college till they start working for Facebook. I find that remarkable for such a young company like Facebook.
It was also noted that a Computer Security course should be made a requirement for every CS degree. Maybe then less people would build crappy systems.
Research
It was said that a more coordinated and better funded national R&D agenda is needed. Philanthropy was pointed out as an additional good way to fund this research as those funders are “independed”, or at least have different incentives than other funders. Especially when it comes to research of policy framework development, the government can likely not be the funder because of conflict of interests. Funding by the private sector is often focused on gaining a competitive advantage rather than moving forward the whole ecosystem. It was complained that the NSF funding mechanisms do not promote multidisciplinary research.
Regarding actual research, we definitely need better economic models for Security investments. Nobody today is able to even remotely calculate the ROI for Security investments and it is not very well understood how effective certain Security initiatives are. In terms of quantization, researchers should focus more on trying to measure actual human harm instead of classical metrics like #intrusions, #bugs, #vulnerabilities, etc.