Tag Archives: cybersecurity

Privacy Posturing in the Great Cyber Triangle

The recent New York Times article, “Internet Giants Erect Barriers to Spy Agencies,” reflects the current political rhetoric over privacy, but it also misrepresents the reality of the situation.

http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barriers-to-spy-agencies.html

The companies cited– Google, Facebook, Yahoo, and the like– are taking steps to make NSA interception of their data more difficult. But this is a basically political move. They are merely reducing levels of voluntary cooperation with the government. The simple truth is that with the cybersecurity technology currently available and deployed these companies are not capable of protecting themselves, and ultimately their customers, from cyber attacks.

In the great US-Russia-China Cyber Triangle each government has enjoyed the quasi-voluntary cooperation of its cyber-based large companies. The other two governments were simply attacking the companies at will, and with full success. Of course, the companies’ cooperation was helpful to their host government, but it should be clearly understood that this was merely a matter of convenience and efficiency, and had little bearing on the actual result.

So the only change this new US cyber company fad  is that it will take a little more effort by the US Government to get the same results. The other two sides of the great triangle aren’t affected (nor, for that matter, are several  other governments).

This might suggest that the only way to protect people’s privacy is a legislative approach that would prohibit the Government from spying on its own citizens. But then we have to clearly understand that while we can prohibit NSA collecting Americans’ personal and private data, we cannot prevent Russia or China from doing the same. This is a symmetrical situation: Russia and China, and any other country, cannot prohibit the US collecting whatever they want. The situation would be awkward indeed if only American Government cannot collect unrestricted information on Americans. Spying is the oldest profession, and it’s going to prosper for the foreseeable future.

There’s a simple conclusion to be drawn: until and unless we develop new and truly effective cybersecurity technologies all the discussions about our privacy are just exercises in political rhetoric.

 

Symantec Dead Wrong, Again

In a recent Wall Street Journal article Symantec declares the current antivirus products dead and announces their “new” approach to cyber hacking: instead of protecting computers against hacking they will offer analysis of the hacks that have already succeeded.

http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj

This is the equivalent of a pharmaceutical company failing to develop an effective vaccine, and offering instead  an advanced autopsy that hopefully will determine why the patient has died.

At its core this approach is based on two assumptions: 1) that developing effective antivirus products is impossible, and 2) that detecting damage that has already been done is easier than defending the computer.

Let’s take a quick look at both these assumptions.

It’s true, of course, that Symantec, along with a few other cyber security vendors, has failed to develop anti-hacking protection systems, because all these systems were based on the same fatally flawed firewall technology. However, that doesn’t mean such products cannot be developed if they are based on valid new cyber security principles. Cloning for one.

The second Symantec assumption, that they can detect the damage already done, doesn’t look convincing either. It’s hard to understand how one can “minimize damage” when the damage has already been done. Moreover, detecting damage, especially stolen data, is significantly more difficult than the task they have already conspicuously failed at. Modern malware is very good at morphing itself, possibly multiple times, into a variety of forms, splitting itself in several components and hiding in the depths of increasingly complex operating systems.

The bottom line is that it’s true that the currently deployed antimalware technology is dead– but this “new” approach is even more dead. The only likely benefit is that the participants will get a few billion dollars from the Government for their “advanced” research.

Conclusion:  instead of offering a cyber coroner’s facilities we’d be much better off developing fundamentally new technologies.  Essentially, new cyber vaccines.

Fake Defenses

The popularity of the Internet quickly led to cyber attacks. We realized the danger and developed our defenses, largely based on variations of a firewall. It does not work, and never did; in fact, it has been mathematically proven that any firewall can be penetrated; furthermore, any firewall can be penetrated in an unlimited number of ways. In the high-tech world, if something does not work within three to four years in the mainstream, it’s dead. Remarkably, we have been clinging to the firewall regardless for a quarter of a century. Why? We did not come up with an alternative.

Instead, we engaged in a series of four nontechnical solutions:

  • Defense by marketing
  • Defense by politics
  • Defense by deterrence
  • Defense by semantics

Defense by marketing. Marketers of numerous firewall manufacturers did wonderful job. “Firewall” sounds solid and reassuring. Actually, “fig leaf” protection is a far more accurate description of the firewall technology. No matter, we kept manufacturing, selling, and buying firewalls, happily using the electronic version of the proverbial king’s clothing.

Defense by politics. As technical measures did not work, we started the second phase. We tried to contemplate legal obstacles to cyber attacks, both domestically and abroad, by pressuring other countries to “crack down” on cyber criminals. This approach was quickly proved largely ineffective and quietly stopped. The latest attempt to revive this approach was made at a London conference for cyber security at the end of October 2011, and it was promptly rejected by most participants, notably the British.

Defense by deterrence. Some politicians and generals fighting the traditional “last war” have tried to resurrect the Cold War approach of strategic deterrence. This is a spectacularly misguided effort. During the Cold War, we knew exactly who the offender would be, and the threat of swift retaliation would follow. In cyberspace this is not valid. We can sometimes, but not always, discover who the offender is. However, we can never be certain. In fact, often we don’t even know there even is an offender because we often cannot detect an attack that has already succeeded.

Furthermore, there is a wide range of a potential deterrence measures. At one end of the spectrum, a mother’s notion of not giving a new bike for a guy’s fifteenth birthday is deterrent enough. At the other end, for an al Qaeda terrorist, a potential death penalty would not be deterrence but a badge of honor. Who are we supposed to deter and how? Luckily, the idea of defense by deterrence was sent back to happy retirement.

Defense by semantics. Under pressure of the facts, in the last few years it has become possible to say, off the record, that the firewall concept does not work. This was progress—at least it was a late triumph for free speech. So the second nontechnical solution tried, incidentally usually performed by technical “experts,” was defense by semantics. A large number of new terms and acronyms flooded the market, and we came to a point where computer security lingo became an alien foreign language that everybody speaks but nobody understands. However, the facts were still pressing, and the danger has become too obvious to ignore.