*Author’s note. I dusted off this piece of writing that was 7 years old. After the RSA confab, it seemed like this still has some relevance. So unedited, here it is!
“What has been will be again, what has been done will be done again; there is nothing new under the sun.”
It is old news that the Internet delivers global reach to large and small companies with a few keystrokes. But there is another primary beneficiary of the Internet’s globalization effects: hackers. As the communications industry embraces packet-switched networking we are witnessing the convergence between the domains of computing and communications. These once disparate realms are merging into a (seemingly) transparent, global network. Hackers are overjoyed that so much capital investment would be made in extending their reach and enabling grander exploits.
Hackers have gone upscale as well. The image of pierced and tattooed cypherpunks laboring in equipment-strewn rooms lit only by the glow of CRTs has been replaced. They are now highly recruited, highly paid, pierced and tattooed cypherpunks with well-negotiated contracts from international corporations (and other organizations). CRTs are out and flat screens are in.
Even more interesting is that, in spite of the spectacular success of the World Wide Web, the Internet continues to evolve. While capital investment has poured into the links of the Internet in the form of broadband networks using wires, optical fiber and radio waves, the Internet’s underlying protocols are not static. The anticipated emergence of the “Semantic Web”, whereby computers interact with computers using “machine understandable” protocols (XML, RDF, OIL), promises to open up even more powerful services and efficiencies, for both commerce and hacking alike.
While the Internet really is a profound innovation in technology and commerce, the fundamental nature of its users remains essentially unchanged. Regardless of complex ontologies of Digital Content and Network Security (DCNSec), the fundamental goals of security remain quite simple:
keep the “bad guys” out from where they shouldn’t be
stop the “bad guys” from stealing what belongs to others
prevent “bad guys” from harming innocent people
ensure that honest people can do business
Whether we are talking about “meatspace” or “cyberspace”, security needs stem from basic human nature and our consequent behavior. This is not a technological issue but a behavioral one. Only now the capabilities require sophisticated skills in technology, finance and law. As long as innovation is applied to countering the threat of hacking, innovation will be applied to subverting those defenses; it is human nature. We believe it has always been so and we expect it will always be so.
The question is, “What’s not digital?” – Virtually every communications network and information system in the world, including television & radio broadcast, movie distribution, financial records, medical records and databases, is migrating to (or likely already exists in) a digital electronic format. Additionally, our physical infrastructure (e.g. water systems, power grids, etc…) is increasingly incorporating Internetworked control systems. With “digital data” forming the fabric of commerce and communications and ingrained into the infrastructure of our society, security is no longer optional.
Digital content and networks are inherently open platforms – The transformation to digital content and networks creates the need to develop a baseline measure of security. Packet switched networking was not designed with security needs in mind. Unlike some kinds of information transmission schemes (e.g. CDMA) in which the modulation technique delivers unintended, marginal security, there is no native embedded security in most digital content. DCNSec must be tailored and engineered as an overlay to an installed Internet. The rigorous work of incorporating security as a design factor is nascent at best and we question if the Internet as we know it can ever be “secure.”
The transition to IP networks is a foregone conclusion and now forms the underlying fabric of the communications network(s) – Packet-switched networking has arguably been the most rapidly adopted communications protocol in the history of modern communications. Regardless of the transmission media (glass, air, wires), IP networking means that digital bitstreams form the unifying communications protocol going forward. It is our opinion that the digitization of communications networks and content has created significant and permanent opportunities in the digital/network security sector.
Security is fundamentally an economic risk management proposition, not a technology challenge – The cost of security and the friction it introduces into a system must be weighed against the risks assumed by the level of security chosen. There is no single technology that can fully satisfy an organization’s security needs. Security is ultimately, like all risk management issues, an executive level decision. Unfortunately, there are no widely employed standards, methods, and metrics used to measure exactly what “security” is and the risks associated with the systems deployed (or lack thereof). While the financial world has developed sophisticated risk management methodologies and metrics, there are no known methods to measure a company’s “information Value at Risk” (iVAR). We anticipate that as the digital content and network security industry matures, quantitative standards of risk management will increasingly be applied as decision-making tools.
We do not believe that there will be an “endpoint” to the security challenge – While all markets eventually reach maturity, we believe that the challenge of securing digital content and networks has only begun. As long as individuals and organizations continue applying innovation to subvert DCNSec, there will be a need to apply innovation to the security problem. There are multiple threat models to consider spanning a spectrum of resources and sophistication. Security challenges range from relatively harmless “cyberpunks” to malicious “blackhats”, to industrial espionage, cyberterrorism, organized crime and state-sponsored cyberwarfare and espionage. These multiple threats lead us to conclude that we have only seen the initial “leg up” in DCNSec and a long growth period is now underway.
Growing network diversity, application complexity and pervasive connectivity exacerbate the security challenge – From an end-to-end perspective, network complexity is increasing. New technologies and software from the physical to the application layer are increasing the challenge of defining and implementing security. Software complexity in device OSs at the ends of the network (as measured by lines of code) has increased by nearly an order of magnitude in the last decade. Wireless networking in particular is a security challenge. The proliferation of wireless networks in the home, in public, and in the workplace (e.g. 2G, 3G, 802.1x, homeRF, Bluetooth, UltraWideband) is moving toward a “network mesh” whereby devices move across multiple networks and technologies providing an always-on network connection. Additional technologies such as embedded operating systems, expanded address space in IPv6, cheaper processing, cheap RFID chips and multiple wireless network connections are driving a pervasive network and computing environment with an explosion of the number of internetworked devices. There is no current system or standard to authenticate devices roaming from network to network.
Cheer up, it’s going to get a lot worse – The next step in the Internet’s evolution is likely to make the current security challenges look simple. Most use of the Internet today revolves around the World Wide Web. The WWW is a collection of protocols that allows for the transmission and presentation of data from computers to users through web browsers. While servers can move and display information, processing is limited. However, the World Wide Web Consortium (W3C) is in the midst of developing standards for the rollout of the “Semantic Web.” In the semantic web, computers will be able to process data from other computers. Essentially, it will make the content on the web “understandable” to the servers that manage and control the data and endpoint computers that access the web. We believe that the Semantic Web will enable new generations of software agents and web services along with unprecedented levels of data mining. The prospect of software agents that can traverse the Internet reading, collecting and processing vast amounts of data has profound security and privacy implications. Considering that the Slammer worm inflicted most of its damage within 10 minutes, imagine the extent of the problem when a significant amount of information collection and processing is built into future “semantic malicious code.”
The geopolitical outlook suggests increasing priority on security efforts – The terrorist attacks of 9/11/01 have brought security issues to the forefront. While primary concern remains on physical security, clearly, digital content and networks remain vulnerable to attack and consequently, require comprehensive security solutions. We do not foresee this risk diminishing significantly in the near future. In fact, we see emerging threat scenarios as we understand the linkage between vital infrastructure and digital content and networks.