15 November 2009

The Counterintuitiveness of Cyber Security

I found Wesley Clark's and Peter Levin's article, "Securing the Information Highway," in this month's issue of Foreign Affairs very intriguing. The article highlights security vulnerabilities in both software and hardware. I found their recommendations to improve our security counterintuitive to my common sense. I want to pose a security scenario that I believe is rooted in common sense and show how the authors' recommendations challenge my beliefs.

The year is 2019 and Iraq's main internal security threat is criminal in nature. I have a billion dollars in cash and I don't trust any banks to secure my assets. I can only find three good security guards who are willing to put their lives in jeopardy because crime is rampant. The local lock manufacturer's morals are compromised: he has built security flaws into his designs and left his design schematics unsecured. From my perspective, I need to design and build my own locks as well as build a site that is small enough for three security guards. I need to limit the points of access to only one doorway. This seems like common sense to me, but according to the authors we need to take the opposite approach to achieve network security.

If we are concerned with monitoring all access points to prevent cyber attacks, my intuition says to limit the number of access points. My doorway analogy is flawed because limiting the number of access points to the network creates a "stiff" system. The authors sum up this point by saying, "...bundling the channels in order to better inspect them limits the range of possible responses to future crises and therefore increases the likelihood of a catastrophic breakdown."

The authors point out our weakness to malicious hardware defects because we largely use foreign-made components. To me, the simple solution is to control the production of mission-critical components. The authors again defy my logic by stating it's not a feasible solution to produce 100% American-made components. The safeguard for us is found in building systems that can detect deficiencies and in configuring anti-tamper safeguards.

The final counterintuitive aspect of their article is that it advocates a paradigm shift from classified cyber security initiatives to an "Open Source" approach. The reasoning is simple: if we keep our security initiatives classified, we effectively exclude the majority of skilled, creative, and innovative experts who are paid handsomely in the private sector. I understand we need to seek out talent, but how do we achieve security through transparency?

I look forward to learning more on this topic since I realized my basic security knowledge doesn't hold water in the Cyber Security field.


1 comment:

  1. I suggest you start with Schneier on Security by Bruce Schneier, a noted cryptographer and computer security expert. I make it regular reading as his thoughtful analysis often goes beyond the field of computer security to the realm of security in general.