When it comes to cybersecurity, less is more. That is, less in the way of fancy features that give hackers more ways to breach your computer system, according to Eugene Spafford, executive director of Purdue University's Center for Education and Research in Information Assurance and Security.
“Too few of our systems are designed around known, basic security principles,” Spafford told a Senate committee in March 2009. “Instead, the components we do have are optimized for cost and speed rather than resilience and security, and those components are often needlessly complex.
“Better security is often obtained by deploying systems that do less than current systems — extra features not necessary for the task at hand too often provide additional avenues of attack, error and failure. However, too few people understand cybersecurity, so the very concept of designing, building or obtaining less-capable systems, even if they are more protected, is viewed as unthinkable.”
A secure facility, for example, might do better with computers that didn't have USB ports that could be employed to download sensitive data. And if the computers were designed only to perform the specific tasks required at a facility rather than to also play videos and support Internet chats, there would likely be fewer vulnerabilities that could be exploited by hackers.
Spafford urges that “a better approach would be to determine exactly what we want supported in each Internet environment, build systems to those more minimal specifications only and then ensure they are not used for anything beyond those limitations. By having a defined, crafted set of applications we want to run, it will be easier to deny execution to anything we don't want,” he said.
Here are areas where Spafford and other analysts say cybersecurity can be heightened:
Software design — Hackers and virus writers typically gain access to computers through vulnerabilities in software. “On average, the worldwide programming community produces about 100 billion lines of code per year throughout the world,” notes Kevin Coleman, a consultant with The Technolytics Institute, a think tank in Canonsburg, Pa. “If you look at the benchmarks for errors per 1,000 lines of code, it's between 15 and 50 per 1,000 lines of code. If only 1 percent of those are exploitable from a security standpoint, that means we interject about 15 million errors every year that can be exploited.”
Coleman recommends developing more secure standards for writing software and mandatory continuing education for cybersecurity professionals. “Everybody in cybersecurity who's going to be developing code has to be trained,” he says.
Secure processors — Vulnerabilities as well as malicious code (malcode) can also be built into the central processing unit (CPU) that powers computers. And some security analysts point out that many processors used by U.S. computer companies are manufactured in other countries where security cannot be ensured. It's not unlike a bug planted in an embassy by a foreign government, but it's a bug that may do more than just listen — it might take actions. In fact, in 2005 the Defense Science Advisory Board warned of the problem and called on the Defense Department to create a policy intended to stem the erosion of American semiconductor manufacturing capacity.
What's more, says Coleman, “We currently do not have the capabilities to assess computer chips for malicious circuitry.”
In response, the Defense Department launched its “Trusted Foundry” program in the mid-2000s. The program, initiated with a 10-year contract with IBM, allows processors to be made for military use under controlled conditions at facilities in the United States. Since the initial contract with IBM, 28 additional American chipmakers have been included in the program.
However, Trusted Foundry reportedly delivers only about 2 percent of the approximately $3.5 billion of integrated circuits purchased for use in military equipment each year.
Hackers can use extra features to breach computer systems. Reducing the number of USB ports, for example, can improve cybersecurity, experts say. (CQ Press/Olu B. Davis)
Redesigning the Internet — It's not just software and hardware that have vulnerabilities. The Internet itself was not designed with security in mind.
Rather than having security as a priority, says Rod Beckstrom, president and CEO of the Internet Corporation for Assigned Names and Numbers (ICANN), “the original Arpanet [created by the Defense Advanced Research Projects Agency (DARPA) in conjunction with academic researchers] was originally designed with a focus on resiliency, which in itself is an important attribute.” At the same time, he adds, “in terms of re-architecting, the modern Internet is constantly undergoing re-architecture with newer protocols tending to be more secure but taking time to deploy widely.”
“It is a continuous evolution,” agrees Amit Yoran, CEO of NetWitness, a network management and security company. “But I don't think we're going to flip a switch and all of a sudden be working on a more secure, new Internet. I don't know that a secure Internet is possible using today's technology.”
However, DARPA apparently thinks that a secure Internet — or at least a more secure Internet — is possible. DARPA awarded a $31 million contract last October to Lockheed Martin Corp. and Microsoft Corp. to develop a secure Internet protocol for the military.
Despite the DARPA contract, analysts say that research and development dollars continue to be relatively scarce for cybersecurity technologies.
“Unfortunately, it seems that government R&D dollars aren't focused enough on fundamental research,” says Yoran. “As in the private sector, they are too frequently focused on tactical development, enhancing or developing additional tools and less focused on long-term fundamentals that are required if we are going to break out of this cat-and-mouse game of detect-prevent-modification of technique.”
— Patrick Marshall