Cybersecurity reboot: Two game-changing ideas

Some say making IT systems a moving target to hackers and centralizing cybersecurity policy will turn around current flawed approaches.

Current computer and network technologies were built to help process and move data quickly from one site to another. Unfortunately, until recently, efforts to protect that infrastructure played second fiddle to business needs.

Consequently, cybersecurity has been implemented in an ad hoc and often slapdash fashion, leading to the current mess of firewalls and other devices backed by inadequate identification and authentication protocols and inhibited by piecemeal policies and fragmented responsibilities.

That state of affairs has meant job security to the hackers who want to damage networks or steal data from them. As organized criminals and well-funded nation-state actors have joined their ranks, it has become clear that existing security regimes can’t stem the tide. Attacks on military and other government systems continue to grow and are increasingly successful.

Government and industry are now trying to jump-start a new era of innovation in cybersecurity, one in which security is a design and policy priority rather than an afterthought.

Such goals have been recognized as a priority for basic research in the Obama administration’s fiscal 2013 budget proposal, with millions of extra dollars requested for research and development at the departments of Defense and Homeland Security, the National Science Foundation, and the National Institute of Standards and Technology. And in December 2011, the White House published a strategic plan for the next few years of cybersecurity R&D.

There are many ideas on the table. The following are two examples of future approaches that are gaining attention, support and most importantly, funding. One is a technology plan that makes computer systems a moving target to stymie hackers, the other a policy approach that provides a more coordinated defense against attacks. Officials hope that ideas such as these can lead to game-changing solutions that tip the balance back in favor of the good guys, but like anything to do with cybersecurity, it won’t be easy.

Moving target defense

Current cyber defenses are designed to protect systems that operate in relatively static configurations for long periods of time. That is also a major weakness. Attackers can spend an equally long time looking for a single vulnerability in a key system, assessing how the system’s security would respond and planning attacks accordingly.

Defenders, on the other hand, have to try to plug the security holes in all their systems and keep them plugged, which soaks up a lot of resources and time. Given the complexity of most agency IT infrastructures, it’s an almost impossible task.

Moving target defense (MTD) strategies turn that approach on its head. Instead of presenting a security barrier for static systems, they create a dynamic, constantly changing set of system parameters that presents a much more complex scenario to would-be attackers. They would have to expend much more effort to find and exploit vulnerabilities, and they would have far less time in which to do so.

In a Small Business Innovation Research program notice published in November 2011, DHS recognized that MTD challenges the traditional belief that adding complexity to systems adds risk.

“The complexity of today’s compute platforms and analytic and control methods can now be used to frustrate our adversaries,” the notice states. “The challenge is to demonstrate that complexity is indeed a benefit and not a liability.”

The Defense Advanced Research Projects Agency included MTD as a potential component of its Mission-oriented Resilient Clouds program in an R&D solicitation released last May. MTD solutions “are sought that periodically change the allocation of tasks to hosts…making it difficult for an attacker to ‘map’ the system well enough to launch a coordinated attack,” the solicitation states.

One of the most promising areas for MTD is the software code that is used in most systems today, said Anup Ghosh, founder and CEO of Invincea and a former senior scientist and program manager in DARPA’s Strategic Technology Office.

“Most of the exploits you see today are based on specific vulnerabilities in the way code is structured,” he said. “MTD strategies are to create different instances of the same software where semantically or functionally the behavior of the software is the same, but its structure would change with each instance.”

The idea is to keep the adversary guessing about what the software actually does, he said.

The good news is that many of the technologies that will be needed to deploy MTD already exist or soon will. For example, continuous monitoring will be vital to know the status of the various servers and network systems in real time in an MTD environment. Agencies are already moving in that direction through initiatives that include DHS’ Einstein system, which monitors numerous agencies’ Internet access points for malicious activity.

Virtualization will also be central to many MTD programs, which depend on being able to change servers and other resources around quickly. Virtualization gives administrators the ability to freely move data within a virtualized environment and quickly set up and close down virtual servers. It’s also a fairly simple job to move files and data from a physical server to a virtual server in a completely different location. Agencies are already using virtualization to consolidate data centers as part of government mandates to cut costs.

In addition, new technologies such as IPv6, which agencies will graduate to in the next few years, will be essential to MTD. Unlike IPv4, for which the number of usable Internet addresses has all but run out, IPv6 offers a virtually inexhaustible supply. That guarantees the ability to move through a large number of short-lived IP addresses quickly, another central feature of MTD.
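The address-hopping idea in this paragraph, as an added example that is not part of the article: a service and its authorised clients share a key and derive the service's current IPv6 address from the time slot, so an address an attacker mapped in one slot no longer answers in the next. The prefix is the RFC 3849 documentation prefix; the slot length, grace window, service name and key are assumed values.

```python
"""Constructed illustration (not from the article) of "short-lived IP
addresses": a service's IPv6 address is derived from a shared key and the
current time slot, so owners can always find it while an address an attacker
mapped in one slot stops answering in the next.  The prefix is the RFC 3849
documentation prefix; SLOT_SECONDS and GRACE_SLOTS are assumed policy values."""
import hashlib
import hmac
import ipaddress

PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
SLOT_SECONDS = 300   # lifetime of one address (assumed policy)
GRACE_SLOTS = 1      # also honour the previous slot, to absorb clock skew


def current_slot(now: int) -> int:
    """Unix time -> hop-schedule slot index."""
    return now // SLOT_SECONDS


def hop_address(key: bytes, service: str, slot: int) -> ipaddress.IPv6Address:
    """Interface identifier = first 64 bits of HMAC(key, service|slot).
    Reproducible by anyone holding the key, unpredictable to anyone else."""
    digest = hmac.new(key, f"{service}|{slot}".encode(), hashlib.sha256).digest()
    iid = int.from_bytes(digest[:8], "big")
    # PREFIX is a /64 with zero host bits, so OR-ing in the IID is exact.
    return ipaddress.IPv6Address(int(PREFIX.network_address) | iid)


def schedule(key: bytes, service: str, start: int, count: int) -> list[ipaddress.IPv6Address]:
    """The next `count` addresses the service will occupy from timestamp `start`."""
    first = current_slot(start)
    return [hop_address(key, service, s) for s in range(first, first + count)]


def accept(key: bytes, service: str, dst: ipaddress.IPv6Address, now: int) -> bool:
    """Server-side filter: does traffic to `dst` target an address that is
    valid at time `now`?  Older addresses are stale reconnaissance and dropped."""
    slot = current_slot(now)
    valid = {hop_address(key, service, s) for s in range(slot - GRACE_SLOTS, slot + 1)}
    return dst in valid


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"          # constructed, not a real secret
    for addr in schedule(demo_key, "ldap", 1_700_000_000, 3):
        print(addr)
```

Clients that know the key compute the same `schedule`; everyone else sees a host whose address changes every five minutes and whose old addresses go dark.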

However, a good understanding of what constitutes an agile MTD environment is still some way off, said Prenston Gale, director of information security at Dynamics Research Corp. Other needs, such as the ability to virtualize the IP space or Media Access Control addresses, are ideas that people are only beginning to talk about.

“Things like this are just not that well understood yet and still need to be researched,” he said.

The trick will be bringing all the threads together in a manageable way, said Paul Kurtz, executive director of the nonprofit Software Assurance Forum for Excellence in Code, an industry-led organization. He is a former member of the White House’s National Security and Homeland Security councils under Presidents Bill Clinton and George W. Bush.

“Putting all of these pieces together so we can have a synoptic view of what’s happening on networks, and being able to translate that view into on-the-fly mitigative actions, is a big step,” he said. “It’s not impossible, but it will require a lot of folks working together.”

As far as timelines are concerned, it’s impossible to pinpoint just when agencies will have access to proven MTD solutions. Some parts of an MTD approach might be widely available in the next couple of years, observers say, and bleeding-edge users at intelligence agencies and DOD are likely already using elements of MTD.

But in cybersecurity, anything that gets started now will take four to five years to develop into something most agencies can use, Ghosh said. However, though that might seem like a long time frame, “it’s something that’s fairly aggressive compared to other kinds of R&D,” he said.

MTD is clearly traveling on an accelerated development path. It was one of four research themes highlighted in the White House’s cybersecurity R&D plan. In addition, DHS and other agencies are establishing MTD research programs, and the National Science Foundation is trying to take it to the next level by acting as a focus for those and other R&D efforts.

In March, the multi-agency National Coordination Office for Networking and Information Technology Research and Development issued a call for MTD research papers that will be published and discussed during a symposium in Annapolis, Md., in June. The central question of the symposium is whether there is “scientific evidence to show that moving target techniques are a substantial improvement in the defense of cyber systems,” the announcement states.

How MTD might work

In the moving target approach to cybersecurity, a defender’s IT systems continually shift and change, limiting the exposure of or even eliminating static vulnerabilities. That makes the attack space appear unpredictable and raises the complexity and cost for attackers. Here are some mechanisms under development that could be useful.

  • Data chunking and decentralization. Data files are broken into pieces and encrypted with the pieces stored arbitrarily and redundantly across many servers, so attackers cannot penetrate any one system to obtain the data.
  • Decoys. Using techniques such as virtualization, defenders deploy a large number of fake targets (servers, applications, data, etc.) that appear to attackers as indistinguishable from the real targets.
  • Robust cryptographic authentication. Instead of authenticating users via static and easily stolen or intercepted credentials such as user names and passwords, authentication techniques such as the Secure Remote Password protocol rely on fresh, randomly generated values for each session, so nothing an eavesdropper captures can be reused to log in.
  • Smart motion adaptation and management. A system continuously collects and analyzes vast amounts of sensor information (intrusions, anomalies, etc.) and computes optimal moving-target strategies based on mathematical models, the value of different targets and the evolving threats.
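As an added example that is not part of the article, the data-chunking mechanism above worked through in Python: a file is cut into chunks, each chunk is encrypted and tagged, every chunk is spread redundantly across storage nodes by a keyed hash, and the file is reassembled even with a node down. The HMAC-SHA256 counter-mode stream is a standard-library stand-in for a real AEAD; node count, replica count, chunk size and the key are assumed values.

```python
"""Constructed illustration (not from the article) of "data chunking and
decentralization": a file is cut into chunks, each chunk is encrypted and
tagged, and every chunk is placed on REPLICAS distinct storage nodes chosen by
a keyed hash.  Compromising one node yields only part of the ciphertext; losing
one node loses no data.  The HMAC-SHA256 counter-mode stream is a stand-in so
the example runs on the standard library alone; production code would use an
AEAD such as AES-GCM."""
import hashlib
import hmac
import math

CHUNK = 16       # bytes per chunk (small so the walk-through is readable)
NODES = 5        # storage servers (assumed)
REPLICAS = 2     # copies of each chunk, always on distinct nodes (assumed)
TAG = 16         # truncated HMAC tag length

def chunk_count(data: bytes) -> int:
    return math.ceil(len(data) / CHUNK)

def _keystream(key: bytes, cid: int, length: int) -> bytes:
    blocks = (hmac.new(key, f"ks|{cid}|{i}".encode(), hashlib.sha256).digest()
              for i in range(math.ceil(length / 32)))
    return b"".join(blocks)[:length]

def encrypt_chunk(key: bytes, cid: int, plain: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, cid, len(plain))))
    tag = hmac.new(key, f"tag|{cid}|".encode() + ct, hashlib.sha256).digest()[:TAG]
    return ct + tag

def decrypt_chunk(key: bytes, cid: int, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG], blob[-TAG:]
    want = hmac.new(key, f"tag|{cid}|".encode() + ct, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(tag, want):
        raise ValueError(f"chunk {cid}: tag mismatch (tampered, or wrong key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, cid, len(ct))))

def placement(key: bytes, cid: int) -> list[int]:
    """REPLICAS distinct nodes for chunk `cid`, ordered by a keyed hash so the
    owner can recompute the map but an outsider cannot predict it."""
    rank = {n: hmac.new(key, f"place|{cid}|{n}".encode(), hashlib.sha256).digest()
            for n in range(NODES)}
    return sorted(rank, key=rank.get)[:REPLICAS]

def scatter(key: bytes, data: bytes) -> dict[int, dict[int, bytes]]:
    """node id -> {chunk id: encrypted chunk}."""
    nodes: dict[int, dict[int, bytes]] = {n: {} for n in range(NODES)}
    for cid in range(chunk_count(data)):
        blob = encrypt_chunk(key, cid, data[cid * CHUNK:(cid + 1) * CHUNK])
        for n in placement(key, cid):
            nodes[n][cid] = blob
    return nodes

def gather(key: bytes, nodes: dict[int, dict[int, bytes]], n_chunks: int) -> bytes:
    """Reassemble from whatever nodes are reachable; a node missing from
    `nodes` is treated as down, and the first intact replica is used."""
    parts = []
    for cid in range(n_chunks):
        copies = [nodes[n][cid] for n in placement(key, cid)
                  if n in nodes and cid in nodes[n]]
        if not copies:
            raise RuntimeError(f"chunk {cid}: every replica unreachable")
        parts.append(decrypt_chunk(key, cid, copies[0]))
    return b"".join(parts)
```

The per-chunk tag is what turns "an attacker changed a stored chunk" into a detectable failure rather than silently corrupted data on reassembly.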

Cyber CDC

Another idea for advancing cybersecurity is the notion of looking at the IT infrastructure as analogous to complex natural systems and, in particular, seeing whether an immunological approach to security would work as well as it does in humans and other animals.

Artificial immune systems have been a defined research area since the 1990s. An offshoot that has recently gained traction, at least as a concept, is development of a cyber CDC, a government organization that would have the same goals in the IT universe that the Centers for Disease Control and Prevention have for human health.

The job of the health-based CDC is to gather information about disease outbreaks, research how to prevent them, develop public health policies and provide the tools that communities need to protect their health. It also offers leadership training and the education the public needs to adopt healthier behaviors.

Preventing communicable diseases is one of the most direct examples of how the health CDC correlates to a cyber CDC because the unchecked spread of a cyber infection is one of the greatest dangers the IT world faces. DHS pointed to the potential advantages of a cyber CDC in its March 2011 white paper titled “Enabling Distributed Security in Cyberspace.”

“I think it would be exceptionally valuable to have a cyber CDC,” Kurtz said. “The central piece here, however, is the willingness of all the various parties to share information, whether that’s government with the private sector or the private sector with government.”

In terms of technology, a cyber CDC is quite feasible, said Steven Hofmeyr, a computer scientist in the Computational Research Division at Lawrence Berkeley National Laboratory. The bigger and much trickier question is whether it’s politically and organizationally possible, and he believes those issues make the idea of a cyber CDC more problematic than a health-based agency.

“Private industry organizations such as Symantec already collect data [about cyber incidents] and share them with their clients, so there’s an incentive for the company to retain the data,” he said. “It’s a competitive field, unlike the health arena.”

Organizations already exist that perform some of the roles proposed for a cyber CDC. For example, the U.S. Computer Emergency Readiness Team (US-CERT), part of DHS’ National Cyber Security Division, is responsible for gathering information about actual and potential cyberattacks and collaborating with state and local government, industry and international organizations to provide defenses against them.

However, the collaboration and information sharing US-CERT requires are voluntary, unlike the health-based CDC, for which the reporting of incidents by both industry and government is required by law. And crucially, US-CERT has no power to assert itself with regard to any remedies for cyberattacks. CDC, on the other hand, can act to prevent health threats through forced quarantines and vaccine distribution.

Giving a cyber CDC those same powers to insert itself into cyber situations, however, creates problems the health system doesn’t have. Who, for example, should have the responsibility for protecting systems from a verified risk such as a virus? Would that lie with the individual or company that owns an infected system? Should it be the responsibility of the Internet service provider? Or should the government come in and enforce a particular remedy?

“The biggest issues [in the cyber world] now are around online privacy and online protection for freedom of speech,” said Steve Vinsik, vice president of global security solutions at Unisys. “Those are roadblocks you quickly run into when you talk about a cyber CDC.”

Because of those and other problems, although a cyber CDC is an attractive proposition for many people, it will probably be some time yet before we see anything substantive enough to make it a practical solution.

“Grand schemes such as a cyber CDC I hope we can get to some day, but we have real, hard problems that need to be solved right now,” Kurtz said. “We need to be focused on the practical, and unfortunately, we just don’t have the time it would take to build a cyber CDC because I don’t think it would be effective [for] a very long time.”
