Thoughts on Security and the NII
Statement of the Problem
The rapid introduction of the Internet into U.S. (and global) society has challenged the knowledge, ethics, and resources of the culture. Educational activities, both traditional and in many new forms, are rapidly making information about the Internet and personal computing and communication widely available. The ethical considerations are being addressed by organizations such as the Electronic Frontier Foundation (EFF) and the Computer Professionals for Social Responsibility (CPSR). There is also a renewed emphasis on ethics in the technical communities, as well as a growing understanding of technical issues in legislation and law, as these areas struggle to adapt to and codify new issues raised by emerging technologies.
The Internet has many of the characteristics of a frontier, including a dearth of security and law-enforcement services. This discussion focuses on the security mechanisms that must be developed over the next 5 to 10 years to make the Internet (and its successors) a safe computing and communications environment for individuals and to protect the commercial interests of the businesses beginning to establish themselves on the Internet.
The Internet is becoming an increasingly popular medium for delivering products, services, and personal communications. Unfortunately, none of these commercial or personal activities were anticipated by the original design of the Internet protocols or by the architecture of the new class of common carriers, the Internet service providers (ISPs).
The Internet has become a new frontier for many Americans. Like any frontier, most of the inhabitants are peaceful, interested only in exploration and settlement. But, like any frontier, a minority of inhabitants are more interested in exploiting the more peaceful inhabitants. Another inevitable consequence of a frontier is the (initial) inability of law enforcement to keep pace with the rapid expansion in the number of inhabitants. If all of this sounds like the American Old West, it is not a coincidence.
Networking and computing as communications services have created new problems, and put a new spin on old problems, in the security and law-enforcement resources of the American society. These problems can be addressed on three levels: threat and protection models, deterrents, and law-enforcement resources.
Threat and Protection Models
All security practices depend on the development of a "threat model," which details foreseeable risks and threats. Then a "protection model" is developed to address the perceived threats and risks, tempered by additional factors such as law, policy, and costs. Traditional models of both threats and protection have had flaws that have increased the cost of secure computer systems and networks.
Threat models that have been developed for computer and network security in the past have reflected a "laundry list" of potential threats, with no regard for the cost (to the attacker) of any particular attack method. In other words, all threats have been considered equally likely, even if the cost of producing an attack might be prohibitive. If a threat is considered "possible," it must be addressed by the protection model.
Protection models have not been without their problems either. Historically, most attempts at building secure computer systems and networks have followed the "castle" model: build high, thick walls with a few well-understood gates. This paradigm is reflected in the terminology used in information security: firewall, bastion host, realm, password, domain, and Trojan horse.
This mind-set limits the ideas that can be discussed and thus the tools that will be developed. Furthermore, approaches focused on prevention are limited to the scope of the modeled threats and typically are strictly reactive to demonstrated examples of these threats. But, to date, no sufficient threat models have been developed. This approach is the epitome of passive defense, which is not a viable strategy in the long term as advances in offensive technologies will always overwhelm a static defense. To go beyond this focus on prevention to encompass investigation and prosecution, we need to consider alternate modes of thought about information security.
A deterrent is anything that deters a person from performing some undesirable action. It can be as simple and direct as a padlock, or as indirect as strict punishments if a person is caught and convicted.
Traditional technical computer and network security has focused on building better "locks," stronger "doors," and so on. Until recently, crimes committed via computer or network were almost impossible to prosecute. The laws were silent on many issues, the courts (including juries) were uneducated concerning computers and networks in general, and law enforcement for such white-collar crimes was seen as less critical than that for violent crime.
With more awareness of the Internet, the spread of home computers, and increasing reliance on computing resources for day-to-day business, there has been a popular push for more legal deterrents (laws) and for better education for judges, attorneys, and law-enforcement personnel. As a result of increased media attention to the Internet and more computers in homes, schools, and business, it is now no longer impossible to get a jury capable of understanding the cases.
Law-enforcement resources will always be at a premium, and crimes against property will always (rightfully) be of less importance than violent crime. As a result, computer and network crimes will always be competing for resources against violent crimes and other, more easily prosecutable ones. In other words, only the largest, most flagrant computer crimes will ever be considered in a courtroom.
Analysis and Forecast
Over the next 5 to 7 years, the Internet will most likely become the de facto national information infrastructure (NII). Talk of hundreds of channels of TV, videophones, and so on will continue; but it is access to people and data on demand that has driven and will continue to drive the growth of the Internet. The Internet is here, and it works. New technologies such as integrated services digital network (ISDN) and asynchronous transfer mode (ATM), higher-speed links, and new protocols such as "IPng" (Internet Protocol Next Generation) will become part of the Internet infrastructure, but it is unlikely that a separate, parallel network of networks will be constructed.
The problems of making the Internet a safe computing environment will require significant research and development in the areas discussed above: threat and protection models, deterrents, and law-enforcement resources.
Threat and Protection Models
Tsutomu Shimomura (San Diego Supercomputer Center), Whit Diffie (Sun Microsystems), and Andrew Gross (San Diego Supercomputer Center) have recently proposed a completely new approach to computer and network security. This new model actually combines the threat and protection models into a new model referred to as the confrontation model.
A new research activity at the San Diego Supercomputer Center, undertaken as a cooperative venture between academia, government, and industry, will soon begin exploring an approach to information security based on confrontation in which we engage the intruder by using winning strategies within the scope of policy. Hence, we call our model the confrontation model. As alluded to above, many of our ideas come from conflict-type situations such as might be found in business, intelligence work, law enforcement, and warfare, and so we draw on all these areas for ideas and examples. The research for this new paradigm will require developing both strategies and tactics.
Using the paradigm of an intrusion as a confrontational situation, we can draw from centuries of experience in warfare. The network and other infrastructure are the "terrain" upon which our "battles" are fought. From a tactical viewpoint, certain resources will be more valuable than others (e.g., fast CPUs for analysis, routers to change the topology of the terrain, and critical hosts near the activity for intelligence gathering). We need to know the terrain, make it easy to monitor, and use it to our advantage against intruders. Once we understand the terrain, we can plan infrastructure changes that allow us to control it or position ourselves strategically within the terrain, and thus make it easier to counter intrusions.
Executing strategies within the terrain is complicated by the need to adequately identify an intruder's intent. Confused users may at first appear to be hostile, while real intruders may try to hide within the terrain. To represent this, traditional threat models must be amended to incorporate the extended terrain.
A proactive approach is needed that simultaneously considers the "terrain" in which the engagement is occurring, the disposition of resources to counter intrusions most effectively, and a cost-benefit analysis of countermeasure strategies. Such an approach to information security proved successful in the apprehension of wanted computer criminal Kevin Mitnick. Note that all conflict occurs within the scope of policy. Such policies include criminal law and its rules of evidence. In business, they include contract law, civil procedure, and codes of business ethics.
In addition to understanding the "warfare" context, there is also a need to communicate with and become part of existing law-enforcement structures. Instead of trying to adjust law enforcement to fit the peculiarities of computer crime, we need to adjust the way we think about computer security to more accurately match the law-enforcement model to facilitate prosecution of computer crimes.
New deterrents will be developed over the next 5 to 7 years. Many of these will be in the form of stronger doors and locks. These technical advances will come from research in many different areas and can be expected to proceed at a rapid pace.
It is expected that such proactive technical measures, leading to identification and prosecution of intruders, will be an effective deterrent. If intruders are aware of the risk they incur when attempting to compromise computer systems and networks, they may modify their behavior.
More important, however, are the societal deterrents: ethics and law. A more vigorous campaign of educating business and the public will need to be undertaken. This education will need to focus on privacy rights, intellectual property rights, and ethics in general. It is not unreasonable that every computer education course of study include an ethics component. This is already starting to happen in many engineering and computer science curricula.
The law of the land will require updating, not wholesale change, to accommodate the digital landscape. However, instead of knee-jerk reactions to highly publicized events (child pornography on computers, etc.) that have resulted in laws dealing specifically with the Internet and computers, we need expansion or reinterpretation of existing laws in the light of computers and networks. If something is already illegal, why should there be a separate law making such an act illegal when a computer or network is involved?
Increasing the ability of existing enforcement structures to initiate and carry through successful prosecution of crimes that happen to involve computers and networks will indirectly increase the deterrence to commit such crimes. This will require educating existing judicial personnel, as well as changes in policies and procedures, and increased resources.
As already noted, law-enforcement resources will always be at a premium. There will never be enough law-enforcement resources to fully investigate every crime, and crimes against property, including computer crime, will always (rightfully) be of less importance than violent crime. But this limitation primarily refers to government law-enforcement resources.
As on the American and other frontiers, one solution will almost certainly be resurrected: private security forces. Just as the American frontier had its Pinkerton agents and Wells Fargo security, the Internet will soon have private investigative and security organizations. In fact, the Internet already has the equivalent of private security agents: the consultants and companies that deal with computer and network security. These agents perform such work as establishing "safe" connections to the Internet for companies and providing security, intrusion-detection, and auditing software and hardware, and so on.
But what about the investigative side?
As part of the research on a confrontation model mentioned above, there is growing commercial interest in private investigative services to perform intrusion analysis and evidence gathering, for use in civil or criminal proceedings. The confrontation model will lead to technical solutions (tools) that will be available to both governmental and private investigative services.
A recent Defense Advanced Research Projects Agency (DARPA) Broad Area Announcement (BAA) stressed the desire to commercialize computer security services, including the detection of intrusions and the tracing of intrusions to their source (perpetrator). At least two existing companies are investigating entering this field.
The government must support open, public security standards and mechanisms. It must remove inappropriate impediments to private-sector development of security technologies, including encryption. This approach will require support of research activities, legislative changes, and increased awareness of how digital communications change the law-enforcement landscape.
The government must foster more research into new protection strategies, and this work must be done in conjunction with the private sector. The computer industry is well aware of the problems and is (finally) being driven by market forces (consumer demand) to increase the security of its products.
However, the computer industry does not always have access to the proper theoretical groundwork, and so academia and government must find ways to cooperatively develop open standards for security software and hardware. This will inevitably lead to more joint research efforts, which may require revisiting the current interpretations of some antitrust laws.
As part of cooperative research and development, testbeds need to be built to provide a better understanding of the battleground. This understanding will enable us to predict the types of intrusion strategies that can be expected and will allow us to develop appropriate counterstrategies. A better understanding of intrusions will allow us to better predict the intruder's intent. Given what we believe the intent to be, we then need mechanisms to identify an appropriate response, appropriate for the chosen policy. For instance, if we identify an intent to access critical resources, then the response may need to support more comprehensive data collection to facilitate prosecution.
To be a viable platform for analyzing the confrontation paradigm, any proposed testbed must be a collection of hardware and software systems that encompass the complexity and extent of today's networking infrastructure. The testbed will be a heterogeneous collection of vendor computer platforms, network routers, switches, firewalls, operating systems, and network applications. These are the terrain in which a confrontation occurs.
Understanding the range of intrusions is required to build credible defenses. Insight must be developed for both the feasible intrusion mechanisms and the types of countermeasures that should be pursued. This insight must quantify the cost of an intrusion, the cost of the countermeasure, and the level of risk that is being reduced. A cost-benefit analysis is needed to understand the best possible response. A testbed serves as a tool to quantify the risk associated with providing desired services and allows the development of mechanisms to reduce that risk. Once the risks are quantified, it should be possible to create systems of graduated resilience as a function of the provided services.
The testbed will be used for "war games," actual intrusion attempts against both current and emerging technology. One person can develop an intrusion mechanism and distribute it widely on the network, resulting in a widespread problem that puts our entire infrastructure at risk. An equally wide distribution of defensive abilities is needed to counter this. Evaluation of successful intrusions from the games will show where effort should be put to best bolster system security. The system bolstering can be in the form of cryptography, better programming standards, and a better understanding of the actual system functionality. Vulnerabilities can be created when a developer's perception of the function of the system differs from its actual function.
As a product of the analyses done in the security testbed, prototype mechanisms will be developed. An application of the confrontation paradigm was used by Shimomura and Gross to analyze the flaws exploited in the intrusion of Shimomura's computers on December 25, 1994. Their analysis resulted in an understanding of the "address-spoofing" technique that was used. The tools, most of which they developed on the fly, focused on two areas: noninvasive examination of the preserved system state of the compromised computers and packet-trace analysis. Understanding the initial intrusion mechanism and the goals of the intruder required analyzing the situation with minimal disruption to the traces left by the intrusion. These tools enabled an appropriate response to this particular intrusion. Other intrusions may require a different tool set.
It is important to note that although tools exist to examine the integrity of a suspected compromised host (for example, TRIPWIRE), they all rely on computing cryptographic checksums. This computation requires reading all the critical files, which destroys all access time stamps in the file system. In some cases, it may be appropriate to have a toolset that examines the system kernel memory and all on-disk structures noninvasively, preserving all available information for further analysis (and as evidence).
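The access-time problem described above, shown as an added example (this is not code from the paper or from TRIPWIRE): the checker records a file's atime and mtime, hashes it (asking the kernel not to update atime where Linux's O_NOATIME is available), and then restores the timestamps. The sample file, its contents and its old timestamp are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SAMPLE = b"/bin/login contents (constructed sample)\n"

def hash_file_preserving_atime(path, algorithm="sha256", chunk_size=65536):
    """Hash a file as an integrity checker would, but record the access and
    modification times first and put them back afterwards, so the read
    itself does not overwrite the atime an investigator wants to examine.
    Returns (hexdigest, atime_ns_before, atime_ns_after)."""
    st = os.stat(path)
    atime_before, mtime_before = st.st_atime_ns, st.st_mtime_ns
    h = hashlib.new(algorithm)
    # On Linux, O_NOATIME asks the kernel not to touch atime at all; on other
    # platforms the attribute is absent and we rely on the restore below.
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    try:
        fd = os.open(path, flags)
    except PermissionError:
        # O_NOATIME is only allowed for the file's owner (or CAP_FOWNER).
        fd = os.open(path, os.O_RDONLY)
    try:
        while True:
            chunk = os.read(fd, chunk_size)
            if not chunk:
                break
            h.update(chunk)
    finally:
        os.close(fd)
    # Restore atime/mtime. Caveat: utime() itself updates the inode change
    # time (ctime), which user space cannot set back, so this is "less
    # invasive", not noninvasive; a forensic toolset should work from a
    # read-only disk image instead of the live file system.
    os.utime(path, ns=(atime_before, mtime_before))
    return h.hexdigest(), atime_before, os.stat(path).st_atime_ns

def demo():
    """Create a constructed sample file with a deliberately old access time,
    hash it, and report whether the atime survived."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE)
        path = f.name
    try:
        old_ns = 800_000_000 * 10**9  # an obviously old timestamp (1995)
        os.utime(path, ns=(old_ns, old_ns))
        digest, before, after = hash_file_preserving_atime(path)
        return {
            "digest": digest,
            "expected_digest": hashlib.sha256(SAMPLE).hexdigest(),
            "atime_old": old_ns,
            "atime_before": before,
            "atime_after": after,
        }
    finally:
        os.unlink(path)

if __name__ == "__main__":
    r = demo()
    print("atime preserved:", r["atime_after"] == r["atime_old"])
```

Even with the timestamps restored, the ctime change remains as a trace of the examination, which is the reason the text argues for examining on-disk structures directly rather than through the live file system.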
The confrontation paradigm provides a framework that can be used to understand intrusions. The actual mechanisms may be built from scratch, such as reconstructing data sets that were "deleted" from a disk. Or they may be built by modifying existing security tools such as logging mechanisms. For example, logs of packets seen on a network were constructed to reproduce all the simultaneous sessions, either keystroke by keystroke or at least packet by packet. (These tools are capable of correlating the simultaneous activities of multiple sessions to trace their interactions on a target computer system or network.) Playback of the sessions in real time was helpful in understanding what the intruder was trying to accomplish and his relative level of sophistication. Analysis of other intrusion mechanisms may require the construction of a different set of tools. In this case, loss of packet logs necessitated a more subtle and thorough analysis.
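A small reconstruction of the kind this paragraph describes, written as an added example (not the tools Shimomura and Gross built): given a constructed packet log covering two interactive sessions to the same host, it reassembles each session's data in sequence order despite an out-of-order segment and a retransmission, and produces a packet-by-packet timeline across both sessions. The addresses, ports, sequence numbers and payloads are all constructed sample values.

```python
from collections import defaultdict

# Constructed packet log: (timestamp, src, sport, dst, dport, seq, payload).
# Two sessions are interleaved on the wire; session A has one segment that
# arrives out of order and one retransmission.
PACKET_LOG = [
    (0.00, "10.0.0.5", 1023, "10.0.0.9", 513, 100, b"id\r"),
    (0.05, "10.0.0.7", 1024, "10.0.0.9", 513, 500, b"w\r"),
    (0.12, "10.0.0.5", 1023, "10.0.0.9", 513, 112, b"last\r"),     # out of order
    (0.13, "10.0.0.5", 1023, "10.0.0.9", 513, 103, b"uname -a\r"),
    (0.20, "10.0.0.5", 1023, "10.0.0.9", 513, 103, b"uname -a\r"), # retransmission
    (0.31, "10.0.0.7", 1024, "10.0.0.9", 513, 502, b"exit\r"),
]

def reassemble(packets):
    """Group segments by flow (src, sport, dst, dport), order them by
    sequence number, discard retransmitted bytes and mark gaps, and return
    {flow: reconstructed byte stream}."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, seq, payload in packets:
        flows[(src, sport, dst, dport)].append((seq, ts, payload))
    streams = {}
    for flow, segs in flows.items():
        segs.sort()                     # by seq, then by time of capture
        expected = segs[0][0]
        data = bytearray()
        for seq, _, payload in segs:
            if seq + len(payload) <= expected:
                continue                # pure retransmission, already have it
            if seq < expected:          # partial overlap: keep the new tail
                payload = payload[expected - seq:]
                seq = expected
            if seq > expected:          # segment missing from the log
                data += b"?" * (seq - expected)
            data += payload
            expected = seq + len(payload)
        streams[flow] = bytes(data)
    return streams

def timeline(packets):
    """Packet-by-packet playback in capture order, each segment labelled with
    its session, so concurrent activity across sessions can be correlated.
    Duplicate segments (same flow and seq) are shown once."""
    seen, out = set(), []
    for ts, src, sport, dst, dport, seq, payload in sorted(packets, key=lambda p: p[0]):
        key = (src, sport, dst, dport, seq)
        if key in seen:
            continue
        seen.add(key)
        out.append((ts, f"{src}:{sport}->{dst}:{dport}", payload.decode("ascii", "replace")))
    return out

if __name__ == "__main__":
    for flow, stream in reassemble(PACKET_LOG).items():
        print(flow, stream)
    for entry in timeline(PACKET_LOG):
        print(entry)
```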
Analysis tools have been developed that extract relevant log records from centralized log facilities. Sophisticated pattern matching tools were built to monitor for suspicious or unusual events. Such pattern matching tools constitute a software implementation of the knowledge that was acquired. The particular implementation is only valid for a specific set of tactics.
The state legislatures and Congress must become more aware of the impact of digital technologies on the citizens, residents, and businesses of the United States. This will necessarily include education, briefings, and technical information from researchers and users of the Internet.
All computer and network security methods rely on cryptographic technologies in one form or another. Congress must remove impediments, such as the current classification of all cryptographic technologies as munitions, to domestic production of cryptographic methods. If the technologies cannot be exported, then U.S. companies are at a disadvantage in the world market.
Recognition of digital communications as "protected speech" as defined in the Constitution would significantly clear the currently muddied waters and greatly simplify the legislative and law-enforcement burden.
"Jurisdiction" is also a current problem. Consider the case of Kevin Mitnick: He was a fugitive from the Los Angeles area, allegedly intruded into computers in the San Francisco area, but was actually in Seattle and Raleigh.
The law-enforcement landscape is going to change. Along with new technologies for fighting computer crime will come an increased burden for investigation. Education of law-enforcement agents to include computer crimes and methods will help, but it seems inevitable that private computer security investigators will play an increasing role in the prevention, detection, and investigation of computer-related crimes.