President Larry Millstein called the 2,256th meeting to order at 8:17 pm September 11, 2009 in the Powell Auditorium of the Cosmos Club. The minutes of the 2,254th meeting were approved with one correction.
Mr. Millstein introduced the speaker of the evening, Ms. Anita K. Jones of the University of Virginia. Ms. Jones spoke on “CyberSecurity – Serving Society Badly.”
The context, Ms. Jones said, is that in the latter half of the 20th century, we developed the internet. It has come to support many processes important to our society and we depend on it heavily.
The security of the internet is quite weak. There are many reports of abuse and identity theft.
Ms. Jones said she is very concerned about national security because an attack cannot be attributed; that is, the source of an attack cannot be identified. Russia apparently attacked Estonia and it is believed that Russia attacked Georgia, but the system does not leave evidence of who did what.
The intelligence community believes, she said, that people offshore are vacuuming up private industry information to use for commercial purposes. Much of this information is held only as trade secrets. The information is only good as long as the secret is kept.
Perimeter defense is the main model of cybersecurity, and the security structure is fundamentally skewed toward perimeter defense. Even the language reflects this, with terms such as wall, firewall, gate, and so on. Ms. Jones believes the emphasis on perimeter defense is too great. She pointed out that more damage is done by insiders than intruders. The immune system is another analogous structure that might be useful.
There are actually quite different security needs. One is confidentiality, where it is okay for some to know but not others. Another is integrity, where it matters only that the information not be changed, such as medical information. There are many security policies, she said; one cannot serve all needs.
There is a common argument that if we could get software correct, security would not be a concern. However, software has been under development since the 1950s, and there has been little progress toward getting it right. There are proofs that snippets of software are correct, but no such proof has ever been accomplished for substantial amounts of code. Specifications can also be faulty.
She also drew examples from history to illustrate the weakness of perimeter defense. At one time, most cities had walls. The French built the Maginot Line, which was claimed to be impregnable, but was breached with ease. If perimeter defense does not work very well in physical security, why should it work in cybersecurity?
The internet is a great thing. It has scaled six orders of magnitude, which is very unusual. What the internet is, she said, is a very simple means of moving messages in little packets. Simplicity is the reason for its great success; it does not do very much. The transmission control protocol, TCP/IP, promises only best effort. It does not guarantee a message will arrive at a destination, that it will arrive in order, or that it won’t arrive twice. (When the minutes were read, it was noted by an alert reviewer that it actually is the Universal Datagram Protocol (UDP), not the TCP/IP protocol, that works that way.)
To design security into the fundamental operation of the internet would be a mistake because it would alter the stark simplicity with which the internet operates. This would counter its design advantages and degrade its functioning.
There is not much research going on in cybersecurity. About seven to ten new PhDs graduate each year in the field, so there are precious few graduate students to do research. The volume of research is down 50% since 2003.
Another problem of the internet is that it is a monoculture. That’s why viruses spread so fast: there are multiple repetitive parts. That is also why a security policy would probably work best if it were implemented many times.
We can't predict what policies we will need in the future. That's another reason not to have something locked down in the middle of the internet. If intercessions are at the end, it will be easier to adapt to new challenges.
Then there is the lack of motivation. There is no proof that something can be done. If you could only show theoretically it is possible to do something about it, that would be an impetus for research.
She discussed the digital encryption standard, which uses public keys and private keys. It enables parties to publish something with a public key with confidence that only a person who holds the private key can decrypt it.
Cybersecurity is a research challenge, she concluded, and she invited our contributions and questions. She believes a better security system would enable the internet to serve society much better.
The first questioner asked about problems with the digital encryption system, specifically people sending keys pretending to be someone they are not. The defense against this is usually a digital signature, which involves a third party who verifies the identity. The system is not perfect. Ms. Jones recommended checking with the third party about the identity. The system also requires a unique internet address, not one that is assigned when you log on.
Another questioner asked how much confidence he should have in claims of secure web sites. Ms. Jones was not encouraging. She said she avoids putting personnel information on the University of Virginia system, where she works. She would not put her social security number on a bank web site.
Another questioner asked if it isn’t difficult to convince people that cybersecurity is a problem when organizations like banks keep secret the extent to which they have been attacked. Yes, Ms. Jones said. Banks, especially, and other organizations that depend on public trust, are reluctant to make known the problems they have experienced. She gave an example of a military force being shut down in response to a cyber attack.
To a question about the sanctity of voting machines, she said, “They are not safe.” She would not base a voting system on a paperless design, and has so told Virginia officials.
Another questioner accused Ms. Jones of a bureaucratic approach, and said that with no inventory of who might want to do damage and what they might do, her argument amounts to a request for an unlimited budget. Ms. Jones said there are enough examples of damage to indicate that something needs to be done. She gave no credence to the idea of an unlimited budget.
In response to a question about quantum computing, she offered that it is an exciting possibility. It might disrupt the current encryption system, for example. She said it is not known how or when the possibilities might develop, but the approach is being pursued for its possibilities, although it is not ready for prime time.
After the talk, Mr. Millstein presented a plaque commemorating the occasion. He announced the next meeting. He made the usual housekeeping announcements, about parking, payments, and so on. He encouraged support of the Society to enable continuation of our tradition of more than 2,200 meetings. He invited guests to join and encouraged members to join in active participation in matters such as choosing future speakers. Finally, at 9:37 pm, he adjourned the 2,256th meeting to the social hour.
The weather: Cloudy, but clearing
Ronald O. Hietala,