Difference between revisions of "Talk:Lecture 7"

From CyberSecurity
Revision as of 22:34, 14 October 2005

SCADA Systems, Al Qaeda & Cyberterrorism

--Jeff Bilger - Dr. Lazowska briefly mentioned SCADA systems during tonight's lecture. Back in April of 2003, the PBS documentary program Frontline aired a program titled Cyber War! that highlighted the vulnerability of our power grid due to SCADA systems. It's a bit theatrical, but worth a watch since it touches on all the topics we have discussed in class so far.

Also, it would be interesting to know if anything has been done since 2003 to further secure these SCADA systems from attack.

PITAC to PCAST, but where's the action on reports?

Avichal 23:25, 12 October 2005 (PDT) PITAC's charter was allowed to expire on June 1, 2005. On Sep 30, 2005 it was revived in a way by extending the charter of PCAST to also cover network and information technology [1].

In my opinion that dilutes the focus that could and was achieved on the role of Information Technology by the PITAC committee which was solely focussing on IT. The opposing argument is that PCAST will be able to address IT in a more holistic fashion. Regardless, the basic problem is the lack of action on the reports that are generated by these committees.

Be it the 9/11 report or various PITAC reports, administration owes it to the public to implement suggested measures as is practical, and update the public routinely of its progress. It's high time the administration followed its rhetoric with some action and did more about homeland & cybersecurity than ratcheting up and down the threat level on a colored scale.

It's also interesting to note that Kvamme (Co-Chair PCAST) notes his first priority would be to examine the progress of IT R&D at the federal level [2] - an area for which the PITAC reports have shown the government to be performing egregiously.

CyberSecurity Progress

Chris Fleizach It was interesting to note that Dr. Lazowska and his committee came to the conclusion the federal government needed to lead research in security measures because private industry couldn't provide the funding or the vision. Yet, Phil Venables followed immediately after and presented a holistic approach to Goldman Sachs security system that would certainly rival any governmental agency, with multiple layers of protection, constant network scanning, mock attacks on a regular basis and a slew of contingency strategies that would certainly make PITAC proud. He even mentioned that they did spend some time thinking about issues five to ten years down the road. The main difference from what Dr. Lazowska was trying to aim for is that this research from Goldman Sachs is probably protected and not available to the general public, so what happens is a re-inventing of the wheel at each organization. But then Kirk Bailey and Ernie Hayden mentioned that their most useful system was the "Agora" team, circumventing public and formal discussion for quick, informal aid. I think we can safely assume that the government will not change its stance on science and basic research for the next three years, so perhaps we have seen the past, present and future of cyber security research - security implementation and research driven by companies motivated by economic realities and diffused through informal channels. Was it ever any different?

Jameel Alsalam To be fair, I think that Dr. Lazowska's point was addressing not so much the implementation of security measures in the corporate world, but basic R&D in the production of new security products, or more secure IT products. From Phil Venables's talk, it sounds like Goldman-Sachs is doing a magnificent job in implementing the best technologies that it can as well as putting in a number of structures that support its security - this implementation is a major factor in actually achieving security, and that task is so complex that a 5-year plan is actually needed just to manage the implementation! This is separate however from long-term research on the products themselves.

Keunwoo Lee 00:41, 14 October 2005 (PDT): Just to give an example of the kind of fundamental innovation that industry on its own usually isn't very good at developing: consider things like public-key cryptography, or multi-user operating systems, or TCP/IP. Places like Goldman-Sachs don't invent stuff on that scale, though they seem to be at the forefront of pushing available technical innovation, and developing holistic security practices (including social practices) that complement technical innovation.

Now, historically, places like IBM Research, Intel Research, Bell Labs, Xerox PARC, and DEC SRC have done fundamental research in IT, but usually major innovations have involved essential cross-pollination from academia and government; see Ed's lecture from last year, 10/07/04. Furthermore, of the places I just mentioned, only IBM and Intel are still going strong; Bell Labs, PARC, and SRC are all, to greater or lesser degree, shadows of their former selves. (Counterbalancing that to some extent, MSR, which is huge, didn't even exist a couple of decades ago.)

--Chris DuPuis 10:48, 14 October 2005 (PDT) I agree with Jameel's point. The fact that Goldman-Sachs NEEDS such an elaborate and authoritarian security policy can be seen as evidence that the current state-of-the-art of computer security is woefully inadequate. Not only is such a security policy difficult to implement and expensive to maintain, but the number of human agents involved adds the possibility for human error at every step. Also, what of sites that have a smaller IT budget than Goldman-Sachs? Should they just be written off? (The existence of huge botnets suggests that they HAVE been written off.)

Another problem with the Goldman-Sachs example is that, even if they are taking steps to automate their security, they are not sharing their tools and processes with the rest of the world. This means that everyone that requires security needs to reinvent the wheel.

A much better solution would be to build our networks using secure pieces, which requires research into better protocols, better operating systems, better programming methods, and better network infrastructure.


SMM: Prof. Scotchmer's point deserves careful thought. The fact that the US has chosen to rely on government for long-term R&D since World War II does not prove that this is the only, let alone the best way to do things. Indeed, Goldman Sachs seems to be an important counter-example: You may not like what they do, but it seems pretty competent.

I'm not qualified to say whether Goldman Sachs could have built a technologically better system. My guess is that the only way to know is if somebody actually builds one. In the meanwhile, everybody says that security is mostly about humans. The language of humans is incentives. My reaction is that Goldman Sachs is quite close to the frontier of what is physically possible, but you should notice that they got there by getting employees to submit to random searches, apply memes, etc. You and I might not want to live there, but we might if they offered us the same level of incentives either.

On reinventing the wheel, that's possible but not obvious. This is precisely the sort of thing that companies like to do in-house and then open source. Also, Goldman Sachs is not averse to making a profit. The fact that it keeps spinning off security to outside companies suggests that the wheel can be rented by anyone.


Is Secrecy Really That Important?

--Gmusick 08:47, 13 October 2005 (PDT) As noted by one of my classmates during the lecture, there is a paradox in the security community where they want highly-trained security experts yet they don't really discuss security in public in a substantial way so people can learn about it. This points to an even deeper problem where our public officials continually classify reports about the state of security at public facilities.

I can't remember if it was Kirk or Ernie that made a dismissive comment about there being no FOIAs (short for Freedom of Information Act requests) at the Agora meetings, but as a former journalist and a current security student, this really bugged me. Public officials always complain about underfunding of security initiatives but they rarely tell you exactly why they need the money...they just say "trust me". How are we, the public, supposed to know what is truly important and what is not when highly political decisions are made in near total secrecy based on "classified" information that could say anything from we will suffer a nuclear attack in our harbor next week to the moon is made of cheese?

And an irony of the situation is that I've heard over and over again, at least in computer science, that hiding and obfuscation are some of the least effective ways to secure your systems. Sounds like a topic for a paper, no?

Jameel Alsalam But hiding and obfuscation are the cheapest form of security, also... I agree with you that it makes no sense for government agencies to rely on cyber-criminals not realizing the weaknesses that exist - but given that I do not really trust the numerous government agencies to be able to quickly respond to exposed weaknesses, I am a bit leery of publicizing them too broadly (which I think that some people see as a way to spur a reaction to those threats).

On the Agora meetings, and FOIA not applying to them - it wasn't the nicest way for it to be put since we like our governments to not have to hide too much from us, but from the little that I have had a chance to observe bureaucratic systems - when they have a lot of scrutiny, I do not think that those systems become more effective - if anything the bureaucracy springs into action spending all its time defending itself from scrutiny. Which is certainly not how we want security professionals in our governments spending their time.

Yi-Kai - I think the intention of the Agora isn't so much to hide security issues from the public, but to allow experts to share information more freely with each other. For instance, it lets people like Kirk and Ernie talk candidly with other experts, without worrying about public relations or politics (which would be concerns in a public meeting). Ultimately, I think we need both things: open public discussions through official government channels, and private informal relationships like the Agora.

Keunwoo Lee 01:01, 14 October 2005 (PDT): I'm the one who asked the question that Gmusick refers to. I agree with Yi that there's certainly a place for Agora, and I think perhaps I phrased my question in an overly negative way. The participants in Agora, and more broadly the list of people in Kirk and Ernie's cell phone address book, form a tightly knit social network based on trust relationships built up over time. Within this network, confidential information can circulate very freely, both through formal channels like white papers and through informal channels like talking over beer. This practice probably works very well to solve the problem it was designed to solve (information dissemination among existing professionals).

What I'm concerned about is that, as a society, we also have another problem to solve: how to produce a new generation of security professionals that's significantly larger than the existing generation, probably by a couple orders of magnitude. Somehow, we need to finesse the tradeoff between keeping necessary secrets secret, and opening information access to educate the next generation. My question was not rhetorical: How do we get 60,000-70,000 security professionals when the only way to learn "the real deal" is over beer? I really have no clue (though I suspect we should reconsider exactly how much of that information needs to be kept secret). It seems like a hard problem.

I do think, however, that it's not necessarily the job of people like Kirk and Ernie to figure out the answer. They have their own full-time-and-a-half jobs to do. If we had a DHS with some kind of coherent vision for the future, it would presumably be looking at this problem, and addressing it by funding education programs on a massive scale or something.

Altin Dastmalchi, UCB I agree with the DHS claim. I think that that department is not doing all it can. I don't think that a name change and color coded warning systems are ensuring full safety to our lives. The thing that gets me is that their objectives are biased towards certain races, and this effect is not in our favor. For example, if you're screening for a certain suspect you are limiting your search to specifics, and letting others slip through the search. This is true for DHS, they need to implement an equal method of national safety, because anyone can be a terrorist.

SMM: The problem with classifying data is that it protects bureaucrats as well as infrastructure. I was very struck by the idea that someone had paid the Seattle government to write an expensive analysis of 60 worldwide terrorist groups. My first guess would have been that Seattle's government knows something about local targets, but almost nothing about international politics. The thing that keeps university scholarship is openness (less politely, the prospect of being criticized). Since I'm not allowed to read the report, how do I know that the grant money was well spent? Maybe they really do spend the money on beer...

Would a Balkanized Internet give US better cybersecurity?

--Gmusick 13:08, 13 October 2005 (PDT) I was reading an article about the conflict between the US and the rest of the world about control of the DNS servers here and it got me wondering if breaking up the internet would be a good thing to do in terms of cybersecurity.

From the presentations last night it looks like most organized crime comes from overseas locations where they have less restrictive laws and/or no means to enforce them. So if we balkanized the internet, my theory goes, we could simply cut off entire countries from the very lucrative US market until they started cracking down on their criminals and/or terrorists.

One downside is we would lose easy access to intelligence because we would presumably not be allowed on their networks if they weren't allowed on ours. But then we could always send remote teams to these locations to hook onto their networks and do the intel gathering.

But on the plus side, remote attacks from locations beyond our jurisdiction would be eliminated (in theory). The criminals and terrorists would have to set up shop in our country or in other countries friendly to us. And this would give us a chance to nab them and interrogate them.

Chris Fleizach Although an interesting point, the resulting uproar would surely quash any attempt. China, among many other countries, has attempted to restrict access out of the country to places where they can learn about democracy. Of course they have failed, although largely due to the help of outsiders in other countries acting as routers for people on the inside (even the US government is in on the act NYTimes). How soon before routers would be set up in countries that are able to access America? Then we're left with the same problem. We could go after the routers, but what if the routers are made out of botnets?

Keunwoo Lee 01:18, 14 October 2005 (PDT): A technical clarification: DNS is only a name resolution system. DNS is what allows your computer to figure out, for example, that the string "cubist.cs.washington.edu" corresponds to the numeric IP address 128.208.1.51. But communication on the Internet doesn't require DNS; you can connect to hosts based on IP address alone, without ever consulting DNS, and indeed I believe that is what most worms do. Even if DNS split, everyone on the Internet would still share the IP address space. So, splitting DNS could make life inconvenient for users --- who want e.g. google.com to point to Google Inc.'s servers no matter where in the world they are --- but virus/worm writers wouldn't be affected at all.

(And even an exploit that depended somehow on hostnames could be written to consult the US DNS servers, the UN DNS servers, or both, as needed.)

As for the larger issue of Balkanizing the Internet (not just DNS): as Geoff said in one of his lectures, it's technically feasible to cut the wires between nations, but nobody wants to do it because the economic impacts would be huge.

--Chris DuPuis 10:19, 14 October 2005 (PDT) Cutting the U.S. off from the global Internet would be a great way to ensure that we become a technological backwater. While the rest of the world enjoys free international communication, we would be cut off from everyone else. We would be unable to participate in an increasingly networked research community, which might drive researchers to leave the country in pursuit of more amenable conditions elsewhere. And we would still be vulnerable to domestic attacks.

Chris Fleizach - Although the EU and China would like the US to give up control of ICANN (the organization responsible for giving out IPs and running the Root servers) to the UN, the US has resisted pressure. There has been some talk that China might set up its own system if demands are not met, which would essentially fragment the internet into smaller entities. It's not a serious concern yet, but as the importance of the internet grows in other countries to the point it has in the US, many countries may no longer want a non-profit, US based group (ICANN) in a position to disrupt their cyber-infrastructure, should they so wish. Or rather, they may not want just one US organization responsible for so much.


--Gmusick 12:24, 14 October 2005 (PDT) It doesn't have to be absolute. I only said we would cut ourselves off from countries/geographic regions that did not/would not enforce appropriately stringent laws (from our perspective) regarding cybercrime/terrorism. Given the current geo-political climate that would still probably leave us fully connected with most of Europe, Canada, India, Australia, China (maybe), Taiwan, Japan and a few others.

And, yes, we would still be vulnerable to internal attacks. But at least they would be within our jurisdiction so we could go after the perps using police instead of sending several hundred thousand troops after them in a hostile land to little or no effect.

This shouldn't seem like a terribly radical idea. PGP is built upon the idea of allowing access through a trust-based system built up by reputation. Balkanizing the internet (if that could even be done as noted above since DNS names and IP addresses are indeed different creatures) would just be a logical extension of that to the level of a national political unit.

Anyway, I'm not actually advocating it. But it would make for an interesting "what if" study to see what all the far-reaching effects would be.