Some say making IT systems a moving target to hackers and centralizing cybersecurity policy will turn around current flawed approaches.
Current computer and network technologies were built to help process and move data quickly from one site to another. Unfortunately, until recently, efforts to protect that infrastructure played second fiddle to business needs.
Consequently, cybersecurity has been implemented in an ad hoc and often slapdash fashion, leading to the current mess of firewalls and other devices backed by inadequate identification and authentication protocols and inhibited by piecemeal policies and fragmented responsibilities.
That state of affairs has meant job security to the hackers who want to damage networks or steal data from them. As organized criminals and well-funded nation-state actors have joined their ranks, it has become clear that existing security regimes can’t stem the tide. Attacks on military and other government systems continue to grow and are increasingly successful.
Government and industry are now trying to jump-start a new era of innovation in cybersecurity, one in which security is a design and policy priority rather than an afterthought.
Such goals have been recognized as a priority for basic research in the Obama administration’s fiscal 2013 budget proposal, with millions of extra dollars requested for research and development at the departments of Defense and Homeland Security, the National Science Foundation, and the National Institute of Standards and Technology. And in December 2011, the White House published a strategic plan for the next few years of cybersecurity R&D.
There are many ideas on the table. The following are two examples of future approaches that are gaining attention, support and most importantly, funding. One is a technology plan that makes computer systems a moving target to stymie hackers, the other a policy approach that provides a more coordinated defense against attacks. Officials hope that ideas such as these can lead to game-changing solutions that tip the balance back in favor of the good guys, but like anything to do with cybersecurity, it won’t be easy.
Moving target defense
Current cyber defenses are designed to protect systems that operate in relatively static configurations for long periods of time. That is also a major weakness. Attackers can spend an equally long time looking for a single vulnerability in a key system, assessing how the system’s security would respond and planning attacks accordingly.
Defenders, on the other hand, have to try to plug the security holes in all their systems and keep them plugged, which soaks up a lot of resources and time. Given the complexity of most agency IT infrastructures, it’s an almost impossible task.
Moving target defense (MTD) strategies turn that approach on its head. Instead of presenting a security barrier for static systems, they create a dynamic, constantly changing set of system parameters that presents a much more complex scenario to would-be attackers. They would have to expend much more effort to find and exploit vulnerabilities, and they would have far less time in which to do so.
In a Small Business Innovation Research program notice published in November 2011, DHS recognized that MTD challenges the traditional belief that adding complexity to systems adds risk.
“The complexity of today’s compute platforms and analytic and control methods can now be used to frustrate our adversaries,” the notice states. “The challenge is to demonstrate that complexity is indeed a benefit and not a liability.”
The Defense Advanced Research Projects Agency included MTD as a potential component of its Mission-oriented Resilient Clouds program in an R&D solicitation released last May. MTD solutions “are sought that periodically change the allocation of tasks to hosts…making it difficult for an attacker to ‘map’ the system well enough to launch a coordinated attack,” the solicitation states.
One of the most promising areas for MTD is the software code that is used in most systems today, said Anup Ghosh, founder and CEO of Invincea and a former senior scientist and program manager in DARPA’s Strategic Technology Office.
“Most of the exploits you see today are based on specific vulnerabilities in the way code is structured,” he said. “MTD strategies are to create different instances of the same software where semantically or functionally the behavior of the software is the same, but its structure would change with each instance.”
The idea is to keep the adversary guessing about what the software actually does, he said.
The good news is that many of the technologies that will be needed to deploy MTD already exist or soon will. For example, continuous monitoring will be vital to know the status of the various servers and network systems in real time in an MTD environment. Agencies are already moving in that direction through initiatives that include DHS’ Einstein system, which monitors numerous agencies’ Internet access points for malicious activity.
Virtualization will also be central to many MTD programs, which depend on being able to change servers and other resources around quickly. Virtualization gives administrators the ability to freely move data within a virtualized environment and quickly set up and close down virtual servers. It’s also a fairly simple job to move files and data from a physical server to a virtual server in a completely different location. Agencies are already using virtualization to consolidate data centers as part of government mandates to cut costs.
In addition, new technologies such as IPv6, which agencies will graduate to in the next few years, will be essential to MTD. Unlike IPv4, for which the number of usable Internet addresses has all but run out, IPv6 offers a virtually inexhaustible supply. That guarantees the ability to move through a large number of short-lived IP addresses quickly, another central feature of MTD.
However, a good understanding of what constitutes an agile MTD environment is still some way off, said Prenston Gale, director of information security at Dynamics Research Corp. Other needs, such as the ability to virtualize the IP space or Media Access Control addresses, are ideas that people are only beginning to talk about.
“Things like this are just not that well understood yet and still need to be researched,” he said.
The trick will be bringing all the threads together in a manageable way, said Paul Kurtz, executive director of the nonprofit Software Assurance Forum for Excellence in Code, an industry-led organization. He is a former member of the White House’s National Security and Homeland Security councils under Presidents Bill Clinton and George W. Bush.
“Putting all of these pieces together so we can have a synoptic view of what’s happening on networks, and being able to translate that view into on-the-fly mitigative actions, is a big step,” he said. “It’s not impossible, but it will require a lot of folks working together.”
As far as timelines are concerned, it’s impossible to pinpoint just when agencies will have access to proven MTD solutions. Some parts of an MTD approach might be widely available in the next couple of years, observers say, and bleeding-edge users at intelligence agencies and DOD are likely already using elements of MTD.
But in cybersecurity, anything that gets started now will take four to five years to develop into something most agencies can use, Ghosh said. However, though that might seem like a long time frame, “it’s something that’s fairly aggressive compared to other kinds of R&D,” he said.
MTD is clearly traveling on an accelerated development path. It was one of four research themes highlighted in the White House’s cybersecurity R&D plan. In addition, DHS and other agencies are establishing MTD research programs, and the National Science Foundation is trying to take it to the next level by acting as a focus for those and other R&D efforts.
In March, the multi-agency National Coordination Office for Networking and Information Technology Research and Development issued a call for MTD research papers that will be published and discussed during a symposium in Annapolis, Md., in June. The central question of the symposium is whether there is “scientific evidence to show that moving target techniques are a substantial improvement in the defense of cyber systems,” the announcement states.
How MTD might work
In the moving target approach to cybersecurity, a defender’s IT systems continually shift and change, limiting the exposure of or even eliminating static vulnerabilities. That makes the attack space appear unpredictable and raises the complexity and cost for attackers. Here are some mechanisms under development that could be useful.
- Data chunking and decentralization. Data files are broken into pieces and encrypted with the pieces stored arbitrarily and redundantly across many servers, so attackers cannot penetrate any one system to obtain the data.
- Decoys. Using techniques such as virtualization, defenders deploy a large number of fake targets (servers, applications, data, etc.) that appear to attackers as indistinguishable from the real targets.
- Robust cryptographic authentication. Instead of authenticating users via static and easily stolen or intercepted credentials such as user names and passwords, authentication techniques such as the Secure Remote Password protocol rely on dynamically created random numbers that are impenetrable to hackers.
- Smart motion adaptation and management. A system continuously collects and analyzes vast amounts of sensor information (intrusions, anomalies, etc.) and computes optimal moving-target strategies based on mathematical models, the value of different targets and the evolving threats.
Another idea for advancing cybersecurity is the notion of looking at the IT infrastructure as analogous to complex natural systems and in particular seeing whether an immunological approach to security would work as well as it does in humans and others animals.
Artificial immune systems have been a defined research area since the 1990s. An offshoot that has recently gained traction, at least as a concept, is development of a cyber CDC, a government organization that would have the same goals in the IT universe that the Centers for Disease Control and Prevention have for human health.
The job of the health-based CDC is to gather information about disease outbreaks, research how to prevent them, develop public health policies and provide the tools that communities need to protect their health. It also offers leadership training and the education the public needs to adopt healthier behaviors.
Preventing communicable diseases is one of the most direct examples of how the health CDC correlates to a cyber CDC because the unchecked spread of a cyber infection is one of the greatest dangers the IT world faces. DHS pointed to the potential advantages of a cyber CDC in its March 2011 white paper titled “Enabling Distributed Security in Cyberspace.”
“I think it would be exceptionally valuable to have a cyber CDC,” Kurtz said. “The central piece here, however, is the willingness of all the various parties to share information, whether that’s government with the private sector or the private sector with government.”
In terms of technology, a cyber CDC is quite feasible, said Steven Hofmeyr, a computer scientist in the Computational Research Division at Lawrence Berkeley National Laboratory. The bigger and much trickier question is whether it’s politically and organizationally possible, and he believes those issues make the idea of a cyber CDC more problematic than a health-based agency.
“Private industry organizations such as Symantec already collect data [about cyber incidents] and share them with their clients, so there’s an incentive for the company to retain the data,” he said. “It’s a competitive field, unlike the health arena.”
Organizations already exist that perform some of the roles proposed for a cyber CDC. For example, the U.S. Computer Emergency Readiness Team (US-CERT), part of DHS’ National Cyber Security Division, is responsible for gathering information about actual and potential cyberattacks and collaborating with state and local government, industry and international organizations to provide defenses against them.
However, the collaboration and information sharing US-CERT requires are voluntary, unlike with the health-based CDC for which the reporting of incidents by both industry and government is required by law. And crucially, US-CERT has no power to assert itself with regard to any remedies for cyberattacks. CDC, on the other hand, can act to prevent health threats through forced quarantines and vaccine distribution.
Giving a cyber CDC those same powers to insert itself into cyber situations, however, creates problems the health system doesn’t have. Who, for example, should have the responsibility for protecting systems from a verified risk such as a virus? Would that lie with the individual or company that owns an infected system? Should it be the responsibility of the Internet service provider? Or should the government come in and enforce a particular remedy?
“The biggest issues [in the cyber world] now are around online privacy and online protection for freedom of speech,” said Steve Vinsik, vice president of global security solutions at Unisys. “Those are roadblocks you quickly run into when you talk about a cyber CDC.”
Because of those and other problems, although a cyber CDC is an attractive proposition for many people, it will probably be some time yet before we see anything substantive enough to make it a practical solution.
“Grand schemes such as a cyber CDC I hope we can get to some day, but we have real, hard problems that need to be solved right now,” Kurtz said. “We need to be focused on the practical, and unfortunately, we just don’t have the time it would take to build a cyber CDC because I don’t think it would be effective [for] a very long time.”
NEXT STORY: FISMA noncompliance leaves VA vulnerable