CyberSecurity – Serving Society Badly
Anita K. Jones
University of Virginia
About the Lecture
During the latter half of the 20th century, society has come to depend upon a new infrastructure – the cyber, or information, infrastructure. It underpins many processes and activities that are essential to civilized society. The security of today’s cyber infrastructure is weak. Not only are there concerns about privacy and identity theft, but it is not typically possible to “attribute” a cyber attack of one nation state on another, that is, to determine the identity of the attacker with assurance. This talk will characterize the weaknesses in the security of our cyber infrastructure, and consider options for improvement.
About the Speaker
ANITA K. JONES is a University Professor in the University of Virginia and a Professor of Computer Science in the School of Engineering and Applied Science. She previously served as chair of the Department of Computer Science. She had served as the Director of Defense Research and Engineering of the Department of Defense, with responsibility for management of the science and technology program. This included responsibility for the Defense Advanced Research Projects Agency, oversight of the DoD laboratories, as well as being the principal advisor to the Secretary of Defense for scientific and technical matters. She also served as vice-chair of the National Science Board, which advises the President on science, engineering, and education and oversees the National Science Foundation. She is a member of the Defense Science Board, the Charles Stark Draper Laboratory Corporation, and the MIT Corporation Executive Committee. She has co-chaired the Commonwealth of Virginia Research and Technology Advisory Commission. She has served on government advisory boards and scientific panels for NASA, the National Academies, the Department of Energy, and the National Science Foundation. She is a member of the National Academy of Engineering. She is a Fellow of the Association for Computing Machinery, the Institute of Electrical and Electronics Engineers, the American Academy of Arts and Sciences, and the American Association for the Advancement of Science. She has received the Computing Research Association’s Service Award, the Air Force Meritorious Civilian Service Award, the Department of Defense Award for Distinguished Public Service, and the IEEE Founders Award. The U.S. Navy named a seamount in the North Pacific Ocean for her. She has published more than 45 technical articles and two books in the area of computer software and systems, cyber-security, and science and technology policy. 
She is currently a member of the Board of Directors of Science Applications International Corporation, BBN Technologies, and In-Q-Tel. Other private sector experience includes serving as a founder and Vice President of Tartan Laboratories, trustee of the MITRE Corporation, and a member of various academic and industrial advisory boards, including the MIT Lincoln Laboratories Advisory Board. She holds an A.B. from Rice University in mathematics, an M.A. from the University of Texas at Austin in literature, and a Ph.D. in computer science from Carnegie Mellon University. Duke University, Carnegie Mellon, and the University of Southern California have awarded her Honorary Doctorates.
President Larry Millstein called the 2,256th meeting to order at 8:17 pm September 11, 2009 in the Powell Auditorium of the Cosmos Club. The minutes of the 2,254th meeting were approved with one correction.
Mr. Millstein introduced the speaker of the evening, Ms. Anita K. Jones of the University of Virginia. Ms. Jones spoke on “CyberSecurity – Serving Society Badly.”
The context, Ms. Jones said, is that in the latter half of the 20th century, we developed the internet. It has come to support many processes important to our society and we depend on it heavily.
The security of the internet is quite weak. There are many reports of abuse and identity theft.
Ms. Jones said she is very concerned about national security because an attack cannot be attributed; that is, the source of an attack cannot be identified. Russia apparently attacked Estonia and it is believed that Russia attacked Georgia, but the system does not leave evidence of who did what.
The intelligence community believes, she said, that people offshore are vacuuming up private industry information to use for commercial purposes. Much of this information is held only as trade secrets. The information is only good as long as the secret is kept.
Perimeter defense is the main model of cybersecurity, and the security structure is fundamentally skewed toward perimeter defense. Even the language reflects this, with terms such as wall, firewall, gate, and so on. Ms. Jones believes the emphasis on perimeter defense is too great. She pointed out that more damage is done by insiders than intruders. The immune system is another analogous structure that might be useful.
There are actually quite different security needs. One is confidentiality, where it is okay for some to know but not others. Another is integrity, where it matters only that the information not be changed, such as medical information. There are many security policies, she said; one cannot serve all needs.
There is a common argument that if we could get software correct, security would not be a concern. However, software has been under development since the 1950s, and there has been little progress toward getting it right. There are proofs that snippets of software are correct, but no such proof has ever been accomplished for substantial amounts of code. Specifications can also be faulty.
She also drew examples from history to illustrate the weakness of perimeter defense. At one time, most cities had walls. The French built the Maginot Line, which was claimed to be impregnable, but was breached with ease. If perimeter defense does not work very well in physical security, why should it work in cybersecurity?
The internet is a great thing. It has scaled six orders of magnitude, which is very unusual. What the internet is, she said, is a very simple means of moving messages in little packets. Simplicity is the reason for its great success; it does not do very much. The transmission control protocol, TCP/IP, promises only best effort. It does not guarantee a message will arrive at a destination, that it will arrive in order, or that it won’t arrive twice. (When the minutes were read, it was noted by an alert reviewer that it actually is the Universal Datagram Protocol (UDP), not the TCP/IP protocol, that works that way.)
To design security into the fundamental operation of the internet would be a mistake because it would alter the stark simplicity with which the internet operates. This would counter its design advantages and degrade its functioning.
There is not much research going on in cybersecurity. About seven to ten new PhDs graduate each year in the field, so there are precious few graduate students to do research. The volume of research is down 50% since 2003.
Another problem of the internet is that it is a monoculture. That’s why viruses spread so fast: there are multiple repetitive parts. That is also why a security policy would probably work best if it were implemented many times.
We can't predict what policies we will need in the future. That's another reason not to have something locked down in the middle of the internet. If intercessions are at the end, it will be easier to adapt to new challenges.
Then there is the lack of motivation. There is no proof that something can be done. If you could only show theoretically it is possible to do something about it, that would be an impetus for research.
She discussed the digital encryption standard, which uses public keys and private keys. It enables parties to publish something with a public key with confidence that only a person who holds the private key can decrypt it.
Cybersecurity is a research challenge, she concluded, and she invited our contributions and questions. She believes a better security system would enable the internet to serve society much better.
The first questioner asked about problems with the digital encryption system, specifically people sending keys pretending to be someone they are not. The defense against this is usually a digital signature, which involves a third party who verifies the identity. The system is not perfect. Ms. Jones recommended checking with the third party about the identity. The system also requires a unique internet address, not one that is assigned when you log on.
Another questioner asked how much confidence he should have in claims of secure web sites. Ms. Jones was not encouraging. She said she avoids putting personnel information on the University of Virginia system, where she works. She would not put her social security number on a bank web site.
Another questioner asked if it isn’t difficult to convince people that cybersecurity is a problem when organizations like banks keep secret the extent to which they have been attacked. Yes, Ms. Jones said. Banks, especially, and other organizations that depend on public trust, are reluctant to make known the problems they have experienced. She gave an example of a military force being shut down in response to a cyber attack.
To a question about the sanctity of voting machines, she said, “They are not safe.” She would not base a voting system on a paperless design, and has so told Virginia officials.
Another questioner accused Ms. Jones of a bureaucratic approach, and said that with no inventory of who might want to do damage and what they might do, her argument amounts to a request for an unlimited budget. Ms. Jones said there are enough examples of damage to indicate that something needs to be done. She gave no credence to the idea of an unlimited budget.
In response to a question about quantum computing, she offered that it is an exciting possibility. It might disrupt the current encryption system, for example. She said it is not known how or when the possibilities might develop; the approach is being pursued for its possibilities, although it is not ready for prime time.
After the talk, Mr. Millstein presented a plaque commemorating the occasion. He announced the next meeting. He made the usual housekeeping announcements, about parking, payments, and so on. He encouraged support of the Society to enable continuation of our tradition of more than 2,200 meetings. He invited guests to join and encouraged members to join in active participation in matters such as choosing future speakers. Finally, at 9:37 pm, he adjourned the 2,256th meeting to the social hour.
The weather: Cloudy, but clearing
The temperature: 18°C
Ronald O. Hietala,