Andra Zaharia invited me to share my thoughts in her recent Heimdal Security blog, Is Internet Security A Losing Battle? Please read the other 30+ experts' thoughts at Andra's blog. Here, I've complemented what I shared with Andra with some additional thoughts.
To answer Andra's question directly, any battle that you engage on your enemy's terms, with indefensible assets or limited offensive capabilities, and where your enemy's risk and cost of attack are small is arguably a losing battle. However, I'm not certain that warfare remains the right analog for Internet security today.
I'm convinced that it's wrong.
I say this because many of the military analogs that we have used - firewalls, bastion hosts, secure perimeters, trip wires, challenge-response authentication, countermeasures - haven't been as successful when applied to computing or network security as medical analogs have. Virology, for example, remains one of the most easily understood analogs: most people are familiar with terms like virus, infection, inoculation, and quarantine and appreciate how they apply to Internet-connected devices. Gradually, terms like resiliency, patching, and triage are becoming useful analogs as well. Healing and maintaining human beings and the ecosystem in which they reside are more familiar and comforting than military concepts. They are often more proactive analogs than the "bubble boy" approach that military analogs suggest.
With this suggestion in mind, let's look at the Internet ecosystem health today:
- The devices and software that comprise the Internet are organisms that are not perfectly healthy from the moment they're installed. Not only are the devices or software individual organisms, but they are easily and adversely affected by the other organisms they interact with in a larger organism, the Internet itself.
- Device or software immune systems are weak (e.g., poorly designed, lacking secure code review or not present at all), or non-existent (shipped with no holistic security consideration whatsoever). These immune systems are further weakened by poor hygiene (e.g., lax administration, default configuration, lax or ignored patch management).
- The devices or software are often prematurely delivered, i.e., shipped before "maturity" testing or secure code review. We acknowledge this year after year, yet we persist in imagining that persistent incubation or health monitoring and triage (secure perimeters, firewalls, IDS/IPS) would suffice. Moreover, these systems are themselves fragile: the same hardware, software, or administrative fragility exists among them. An uncomfortable truth follows from this observation:
- The incentives to provide healthy systems compete or conflict with the current Internet market economy. Device manufacturers and software developers are largely business entities in pursuit of financial rewards. They are not regulated. They are not obliged to consider health or safety in the manufacture of their devices or software. They generally do not warrant or assume liability for their products. Perhaps equally importantly, they weigh the costs of providing safe or resilient products against the benefits such investments might offer and conclude that these investments would not increase market share, or that they would lose market share to competitors with cheaper albeit less safe or resilient products.
- The people who use devices and software are not care providers, nor did they expect to be when they acquired their devices. They are in large part ignorant or in denial of this fragility and the very real threat it poses to their own health (financial harm, loss of privacy, etc.). They are also addicted, to the extent that they would not sacrifice the advantages the Internet offers, perhaps irrespective of the degree of risk.
- The people who use devices and software are as neglectful of their Internet health as they are neglectful of their personal health. I trust this is obvious.
The biggest challenge with Internet health is that the organisms change at a faster rate than the human body. New Internet organisms appear hourly (apps, networks, IoT devices). There is common DNA, shared genomes, among these, but that is in fact part of the problem! We re-use or adapt what is problematically unhealthy in each generation of new organisms. We are effectively nurturing an unhealthy ecosystem and, in tandem, nurturing an Internet that is very negatively affected by infectious disease.
We need to build systems that collect and analyze Internet health data. We are in the process of defining health indicators for Internet Identifiers (domain names and addresses) at ICANN. Our goal is first to identify diseases, then to define metrics, and only after that to collect, measure and analyze the data needed to derive health metrics. In a second stage, we can examine the metrics to see what we can learn from this study. We believe that other Internet subsystems (operating systems, clouds, provider networks) could implement similar projects. The cumulative findings might help us identify "diseases", flaws in system hygiene, or ways to improve health.
If you are interested, you can join the ITHI (Identifier Technology Health Indicators) initiative at ICANN (http://www.icann.org/ithi). There is also an open public comment period on the definition of identifier diseases that will end on January 9th 2017. You can submit your comments at https://www.icann.org/public-comments/ithi-definition-2016-11-29-en.
We need to pause and thoughtfully design "healthy" devices or software. We need to identify the diseases or other illnesses that adversely affect them if we expect to develop the means to immunize and to establish appropriate hygiene. This is hard work. Expensive work. It flies in the face of conventional Internet drivers. It's more likely that we'll continue along the conventional path until some apocalyptic event forces change.