The Home Depot and Target breaches were examples of how our commercial infrastructure is very vulnerable to those who want to exploit it. As criminals increase their sophistication, they will pick bigger and more complex targets. That targeting won’t be for the intellectual challenge — it will be because bigger targets have more to offer. Theft of millions of credit card transactions provides a huge body of information to break up and resell to other criminals. Theft of medical data, design and marketing plans, and financial information is a growing business with little in the way to discourage it. It took months before the Home Depot and Target breaches were detected. It took more time before the companies patched their software, then assured customers that the patched systems were safe. Can we really trust that such ad hoc fixes to existing programs will protect us from credit card fraud?
The software industry has built a response mechanism around the idea that flaws in products can be patched and that somehow the “patchability” is a substitute for sound design.
Unfortunately, as we have seen with a great many incidents, it takes time to discover and analyze each flaw, and the patches take time to apply.
The Heartbleed and Shellshock (Bash) flaws took years to discover, for instance — with the Shellshock flaw reported as being present for nearly 25 years!
Then, too, some flaws may never get fixed everywhere.
This combination of factors means sloppy design is ensuring that our overall infrastructure will be riddled with vulnerabilities for the foreseeable future.
What about the theft of passwords by Russian gangsters? It’s unlikely we’ll be able to identify and apprehend the people who’ve stolen all those passwords because of the difficulty of investigating and prosecuting computer crime.
But for them to get the passwords means that they somehow found weaknesses in lots of vendors that they were able to exploit. The Target breach, the collection of passwords and a number of other incidents this year all point to a significant, well-funded, technically talented criminal element that is actively attacking and exploiting systems, from home users up to major corporations.
If you were the cybersecurity czar, what steps would you recommend?
This is an area that needs more fundamental research on how to change the way we build and deploy things, not simply on how to patch what’s there. An awful lot of the federal research funding is, how do we fix Windows, how do we fix Linux, how do we make a stronger PC. That’s not going back and questioning fundamental assumptions.
We are currently using general-purpose, mass-market computing platforms to do things that don’t really require that level of generality.
It makes them vulnerable to a wider variety of attack than they would be if they were custom-built.
If we build systems that do only one or two things, they’re less likely to be attacked. Your microwave oven has software inside that’s used to make it run.
If that’s not connected anywhere and it doesn’t do anything else, like calculate your taxes and store your recipe files and send email, it can’t be attacked by outside mechanisms. Yes, it might be more expensive to build a new system or to remove components from an existing system. But being in business means you also have a duty to your customers and society not to endanger them unnecessarily with what your product does. We’ve also got to move the job of combating malicious cyberactivity away from the military and more into law enforcement.
A lot of what the federal government does is that it tries to mandate from a centralized, top-down
By default, most information flows to a small number of federal agencies. That’s not the right approach.
What we really need is a local view.
You’ve proposed a local extension service for small, local businesses, something akin to the agricultural extension service.
If you found an unusual proliferation of caterpillars eating everything in your garden, you wouldn’t contact somebody in Washington to come look at them.
You would find your local extension service, and you would take a sample in, and they would give you advice as to what it was and how to respond. I think we need to adopt that kind of model for cyber — have an extension service, at a local level, that people can go to for classes, advice as to what software to get and help to identify a problem.