How to Save the Internet

Computing on the Net is heading for a fall because security is a joke. So we summoned the best minds to see if we could put Humpty back together again.

Professor Hannu H Kari of the Helsinki University of Technology is a smart guy, but most people thought he was just being provocative when he predicted, back in 2001, that the Internet would shut down by 2006. "The reason for this will be that proper users' dissatisfaction will have reached such heights by then that some other system will be needed," Kari said, "unless the Internet is improved and made reliable."

Late last year, Kari bolstered his prophecy with statistics. Extrapolating from the growth rates of viruses, worms, spam, phishing and spyware, he concluded that these, combined with "bad people who want to create chaos", would cause the Internet to "collapse!" - and he stuck to 2006 as the likely time.

Kari holds dozens of patents. He helped invent the technology that enables mobile phones to receive data. He's a former head of Mensa Finland. Still, many observers pegged him as an irresponsible doomsayer and, seeing as how he consults for security vendors, a mercenary one at that.

And yet, in the past year, we've witnessed the most disturbingly effective and destructive worm yet, Witty, which not only carried a destructive payload but also proved nearly 100 percent effective at attacking the machines it targeted. Paul Stich, CEO of managed security provider Counterpane, reports that attempted attacks on his company's customers multiplied from 70,000 in 2003 to 400,000 in 2004, an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that among the 2.8 million e-mails sent to his company every day, 2.1 million, or 75 percent, are junk. The increasing clutter of online junk is driving people off the Internet. In a survey by the Pew Internet and American Life Project, 29 percent of respondents reported reducing their use of e-mail because of spam, and more than three-quarters, 77 percent, labelled the act of being online "unpleasant and annoying". Indeed, in December 2003, the Anti-Phishing Working Group reported that more than 90 unique phishing e-mails had been released in just two months. Less than a year later, in November 2004, there were 8459 unique phishing e-mails linking to 1518 sites.

Kari may have overstepped by naming a specific date for the Internet's demise, but fundamentally, he's right. The trend is clear.

"Look, this is war," says Alan Paller, director of research for The SANS Institute. "Most of all, we need will. You lose a war when you lose will."

So far, the information security complex - vendors, researchers, developers, users, consultants, the government, you - has demonstrated remarkably little will to wage this war. Instead, we fight fires, pointing hoses at uncontrolled blazes, sometimes inventing new hoses, but never really dousing the flames and never seeking out the fire's source in order to extinguish it.

That's why we concocted this exercise, trolling the infosecurity community to find Big Ideas on how to fix, or begin to fix, this problem.

Our rules were simple: Suggest any Big Idea that you believe could, in a profound way, improve information security. We asked people to think outside the firewall. Some ideas are presented here as submitted; others we elaborated upon. Those who suggested technological tweaks or proposed generic truths ("educate users") were quickly dismissed.

What was left was an impressive, broad and, sometimes, even fun list of Big Ideas to fix information security. Let's hope some take shape before 2006.

Get All the Smart People Together and Give Them Lots of Money

The best place to start is with a Big Idea to concentrate and organize all the other big ideas - a Manhattan Project for infosecurity.

Daniel Wolf, director of the Information Assurance (IA) Directorate at the US National Security Agency, believes that while good research is taking place in pockets, a massive undertaking to tame this problem ought to be instituted. "It's gaining legs," he says of his Big Idea. "[The Department of Defence] put together a fairly significant working group to look at this."

Such a project would require cooperation among Wolf's IA Directorate (2700 strong, by the way), the US DoD, private-sector scientists, academic researchers, foreign partners, and some of the national research labs such as Sandia and the Defence Advanced Research Projects Agency. Wolf wouldn't say how much money he'd like to see go to such a project, but The SANS Institute's Paller throws out $US100 million as a good number.

Of course, the project would encounter challenges different from those faced by the actual Manhattan Project. There, engineers started with a blank sheet of paper and built the bomb from scratch. With information security, a 40-year legacy of poor coding and bad architectures must be negotiated. But then again, the fact that it's hard is what makes it so necessary.

Hire a Czar

A surgeon general-like figure for security is not only a Big Idea; it's a popular one. Several folks suggest creating some kind of "government leader" or "public CIO for security", none more vocally than Paul Kurtz, the executive director of the Cyber Security Industry Alliance. "We need more leadership at a higher level of government," he says. At the US Department of Homeland Security, he says, cybersecurity has been buried, and he believes DHS should have an assistant secretary-level person for cybersecurity.

At press time, that proposal had been floated but didn't make it into the intelligence reform bill. Meanwhile, a succession of notable leaders for cybersecurity resigned from their DHS posts - some suggest because of frustration over the low status of the role within the agency. The US Congress even explored the possibility of moving government oversight of cybersecurity from DHS to the Office of Management and Budget.

"Somehow, the surgeon general has this special place with us," says Scott Charney, chief security strategist of Microsoft. "We don't have the focal point in security that health-care gets with the surgeon general."

One of the surgeon general's best-known successes is found on the side of cigarette packages. The smoking analogy cropped up repeatedly with big thinkers. Once upon a time, society believed that if you chose to inflict harm on yourself by smoking, you were free to do so. The concept of second-hand smoke changed that equation and now smoking is anathema in many public places.

Networks are no different than smoking in the sense that your bad security habits can adversely affect innocent bystanders. Online, in fact, it may be worse since the second-hand smoke of cyberspace doesn't dissipate with time or space. It debilitates every machine it touches equally, as if everyone was forced to take a drag.

We propose a high-profile surgeon general for information security, who reports to the secretary of DHS. Imagine labels on software like those on cigarettes - Infosecurity General's Warning: The use of software and hardware that is not certified secure can harm your system and other people's systems, and you may be held liable for those damages.

Wield Sticks, Dangle Carrots

Recently, the US Air Force, mired in patching hell, got what it wanted from Microsoft - a more secure version of Windows, configured uniformly across the agency. Microsoft agreed to the deal, according to reports, because the Air Force had considered moving to open source software. The Air Force CIO and security champion John Gilligan was quoted as saying at the time: "We want Microsoft focused not on selling us products but [on enhancing] the Air Force in our mission." He added that he hoped his agency's demands would spill over to other organizations that could take advantage of the secure configuration.

At any rate, Gilligan has a pretty big stick to wield (or carrot to dangle, depending on whether you're an optimist or a pessimist) to get what he wants - a $US500 million contract. But incentives as a Big Idea, to motivate others into better security, can be applied by anyone. Here are some of the incentives-based programs suggested to us:

• Get a legal opinion. Christofer Hoff, CISO of WesCorp, says that users should require their vendors to have lawyers run software through the assessment mill and churn out a legal opinion on how its security would hold up in a liability case. Watch as the vendors scramble to make sure their software can pass muster.

• Software Underwriters Laboratory (UL). Why not warehouse those legal opinions or other independent assessments with a UL-like organization? You wouldn't buy a $400 iPod if it didn't get approved by UL, but you'd buy a $4 million software system with no analogous security assessment?

• If those Big Ideas take off, then watch as the insurance industry uses the data to adjust premiums. Vendors would instantly devote more resources to building better software, which would result in lower insurance rates on their products.

• File class-action lawsuits. It may come to this. Keeping with the smoking analogy, all it will take is a sufficient level of outrage and damage before enterprising lawyers - who've already tried this - successfully hold vendors accountable for poor software.

Treat End Users Like the Dummies They Are

Amoroso of AT&T believes that the fundamental security problem is that during the past decade, and quite unintentionally, the network's intelligence has migrated to the edge. "We're all sys admins," he says. And millions of end users holding sway over their security settings translates to millions of potential dumb configurations, boneheaded double-clicks and unintentional security lapses. Accidents happen, and bad guys take advantage of the fact that not all end users are created equal in terms of security.

After all, Amoroso argues, do you control power distribution around your house, or do you just plug stuff in?

He thinks AT&T can make a ton of money off this idea: Return control to the network providers (like his own company's phone system in the 1970s, he says, a time when Ma Bell controlled everything, including the technology's interface), and let the providers charge you for doing all of the filtering, traffic analytics, worm detection and incident response. "That's my solution," Amoroso says. "Create a service. Make money."

Becky Autry, CIO of the United States Olympic Committee, loves Amoroso's plan. "It's overwhelming; I'm overwhelmed," she sighs. Autry has a network staff of just three to handle IT for three training centres as well as events security. "Smaller organizations just can't get good or dedicated staff to handle a problem that's so large and changing so quickly."

Eliminate All Coding Errors Within Two Years

Mary Ann Davidson, CSO of Oracle and champion of the quality coding movement, says she's tired of coders arguing that their jobs are too creative to eliminate errors such as buffer overflows - that coding's an art, not a science. She applauds ethical hacking, where developers attempt to break software before selling it. Davidson says some schools now divide developer classes in two, a green team for writing code and a red team for breaking it. The application's relative security becomes part of its final grade. "Why isn't that standard development process?" she asks.

Davidson knows that, with billions of lines of legacy code and billions more in development, eliminating all coding errors is quite a lofty goal. But, "We need goals, right?" she says. And if doing that means limiting the freedom and creativity of coders, Davidson says, so be it. "We should be marching toward a realm where it's harder for people to create vulnerabilities. We need a revolution," she says.
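To make the buffer-overflow class Davidson mentions concrete, and to show what the "green team writes, red team breaks" loop looks like at the level of a single function, here is an added example written for this page. It is not Oracle's code, not Davidson's, and not from any school's course: the `NAME_MAX` size, the function names and the probe strings are all constructed for illustration. The unsafe copy is kept only for side-by-side comparison and is never fed an oversized input.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size destination used by both versions (constructed example size). */
#define NAME_MAX 16

/* The pattern the text is talking about: strcpy() never looks at the size of
 * dst, so any src longer than NAME_MAX - 1 bytes writes past the end of the
 * buffer. Kept here for comparison only; the example never passes it an
 * input that does not fit. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened version: look for the terminator within the first NAME_MAX bytes
 * only, refuse anything that does not fit (terminating NUL included), and
 * leave dst in a defined state on failure. Returns 0 on success, -1 when the
 * input is rejected. Rejecting is deliberate: silent truncation would hide
 * the problem from callers. */
int copy_name_checked(char dst[NAME_MAX], const char *src)
{
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL) {          /* no NUL in the first NAME_MAX bytes: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);  /* text plus terminator */
    return 0;
}

/* Helper for the accepted path: 1 when src is accepted and reproduced exactly,
 * 0 otherwise. */
int accepts_exactly(const char *src)
{
    char buf[NAME_MAX];
    return copy_name_checked(buf, src) == 0 && strcmp(buf, src) == 0;
}

/* Red-team pass: feed constructed inputs, including ones that would overflow
 * the unsafe version, through the hardened copy and count the rejections. */
int red_team_probe(void)
{
    static const char *probes[] = {
        "alice",                            /* fits comfortably */
        "123456789012345",                  /* NAME_MAX - 1 chars: fits exactly */
        "1234567890123456",                 /* NAME_MAX chars: no room for NUL */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  /* constructed overlong input */
    };
    char buf[NAME_MAX];
    int rejected = 0;
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        if (copy_name_checked(buf, probes[i]) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    char buf[NAME_MAX];
    copy_name_unsafe(buf, "bob");   /* fine only because the input is short */
    printf("unsafe copy of a short input: %s\n", buf);
    printf("hardened copy of \"alice\" returns: %d\n", copy_name_checked(buf, "alice"));
    printf("inputs rejected by the red-team probe: %d\n", red_team_probe());
    return 0;
}
```

The red-team probe is the part worth institutionalising: the two boundary inputs (fifteen characters, which fits, and sixteen, which does not) are exactly where an off-by-one slips past a code review, and a grading scheme like the one Davidson describes can check them mechanically.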

Pry PCs from Their Cold, Dead Hands

Guns are dangerous; therefore, we license them. We give them unique serial numbers and control their distribution. James Whittaker says programmable PCs are dangerous, so why not treat them like guns?

"Let's make all end-user devices nonprogrammable," he says. "No one can connect to the Internet on a machine that creates code. If you want a computer to do programming, you would have to be licensed. We could license software companies to purchase programmable machines, which would be completely traceable along with the code created on them."

That would blunt the information security problem - suddenly all that intelligence at the edge of the network that Amoroso wants to pull back in isn't just gone; it's physically stripped. On the other side, new levels of accountability and liability are created through licensing developers and eliminating anonymity from coding.

Catch Some Bad Guys

Time and again, security types bemoan the light sentences hackers get. If the penalties were harsher, perhaps people wouldn't be so fast to spread their malicious code.

But penalty is not a deterrent; arrest is. Right now, the bad guys know the risk equation is favourable - that it's extremely unlikely they will be caught. A higher capture rate would dissuade them.

Creating higher capture rates has a lot to do with anonymity on the network - or, more specifically, removing it. Many of the Big Ideas in this space propose less anonymity - licensure, for example. Microsoft's Charney wonders what effect automatic traceback packets - knowing quickly and reliably where data came from - would have. "It's an astounding thought," he says.
