Federal Cybersecurity R&D Forum
This Section is designated for comments not directly responsive to the questions of the other forums.

Replies to This Discussion

What they should ask for is more metrics and what those metrics are to cover. This then would help people provide it. Their wording should have been "the lack of metrics (in appropriate places)".
Matthew,

Is it me or have you decided to hog this forum? I don't know about the others but I have no idea what you're talking about most of the time. Sorry.
Well, apart from adding your temporal idea to a results-orientated solution to bug-free/correct software on previous pages... not much. Thankfully though I can understand what everyone says. As you know, the reason why others (the companies whose solutions it'll affect) aren't responding is because they aren't getting paid to propose free ideas. Only the unpaid people will frequent this forum and they are most likely to regurgitate old ideas, not actually put forth solutions. But I've moved on, so enjoy.
Alright. I guess I was being unfair to you. It's just that your prose is hard to decipher at times. I agree with you, though. It's all about making money and nobody in business will support an idea that is guaranteed to put them out of business, especially if it is not their idea to start with. I am reminded of the following quote by computer pioneer Howard Aiken:

“Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats.”
What about support from the public sector?

Citizens with an internet connection and a PC could opt to run a program from the federal government, a security vendor, or private corporation to serve as an enabler for the Moving Target infrastructure. This would provide a highly redundant infrastructure capable of resisting denial of service (and other) attacks, and dynamically detecting and adapting to attacks. By using public systems the high cost of deploying the virtual infrastructure over a large area would be dramatically reduced. It's not difficult to see how it would be beneficial to this goal, and also the potential pitfalls of such a platform. With the proper security considerations and implementation, this could provide an effective tool to change the game - serving primarily as a defensive system, but affording critical intelligence and offensive capabilities as well. This program, I believe, would generate high public interest and have rapid adoption, especially if there are incentives to enhance the security of the system on which it is installed.
I think this could open up a huge can of worms, e.g., when it turns out that some of these "volunteers" turn out to be working for other parties, where something goes wrong with a moving target app and the federal government turns out to have taken out something important by accident, or where the volunteers are actually suckered by a hostile party posing as the federal government. Kind of like if we had a program where citizens gave copies of their car keys to the police to facilitate more effective police chases, so that foot patrolmen could hop into the nearest vehicle to join in... I can only imagine the grins on the folks asked to write the liability insurance on that one...
Noting the goals of NITRD, here is a brief overview of a concept under development over the last two years or so by the Internet Security Alliance (ISA: isalliance.org) -- it is called the Cyber Security Social Contract. This concept is a contemporary reformation derived from a successful early 20th century initiative wherein the government recognized that there were substantial public safety and economic benefits in having universal telephone/power service. To assure that this public need was met, government provided substantial market incentives, essentially in the form of a guaranteed rate of return for private investors who were willing to make the necessary infrastructure investment. The result was that the US became the world model for the provision of what became known as public utility service, thereby benefiting consumers with state-of-the-art services while simultaneously generating trillions of dollars of economic activity for the nation. This early social contract is a real-world example of how a successful partnership between government and industry can be created, implemented and completed, yielding not only sweeping benefits to the nation in general while spawning new industries, but also building the foundations that we enjoy today and will continue into the future.

The Social Contract provides an effective concept to deal with the tension between profit drivers in industry and the social needs of the people and government. But, as a concept, more is required to implement Social Contract objectives and enjoy Social Contract benefits. Recognizing these issues, the Internet Security Alliance is exploring the creation of a (Cyber Security) Social Contract Laboratory (SCLab) in that a social contract laboratory environment can be a powerful facilitator by bringing together academic and private sector innovation to meet these cyber security challenges – perhaps even without the administrative, cost and national security protection burdens of “classified”/ mil-spec one-off programs. As a consequence through the SCLab, not only will technology-based issues be introduced, but so will many legal and social concerns. Together with a prudent program of industry incentives, the SCLab will encourage and empower government and industry to build a successful relationship through a range of Social Contracts to reduce the impact, and, if possible, to solve cyber security problems on a broad national scale, even considering international issues.

Indeed, the Social Contract concept with its Social Contract Laboratory strongly addresses five areas of significance to NITRD:
• Enable economic analyses and operational action by establishing trusted repositories of cyberspace data

Perhaps the most significant obstacle to influencing the technology R&D agenda of IT providers to better align with national needs and public policy is the intense pressure these companies have to address severe price/performance competition and meet short term share value expectations. If or when individual and industry users could connect the dots between high-impact cyber risk and their own share value and personal assets – in terms they understand (i.e. EPS and PE multiple factors) – in the next reporting period, they may begin to exert the competitive pressures, aided by Wall Street, that bend the curve. A Social Contract Laboratory will facilitate that insight by sharing the existing methods and tools, as well as those under new development, that can indeed quantify the short and long term consequences of cyber risk – to personal financial security, to corporate share value and to industry economic vitality.

• Develop new theories and models of cyber economics and scientific understanding of the social dimensions of cyber economics.
Many issues trade off the balance between cost/service improvements and safeguards that minimize and mitigate new vulnerabilities and their consequences. The envisioned Social Contract Laboratory as part of its program of work will consider issues that collectively impact national security, economic vitality and public confidence:
o Economic stability
o Service availability
o Public safety
o Enterprise and public information privacy
o Emergency response and disaster recovery, and
o Continuity of operation of key Government Institutions.

Note that the Internet Security Alliance has published a number of publicly available and well-received relevant studies on the economics of cyber security, one of which is the March 2010 “The Financial Management of Cyber Risk”. Survey findings are confirming what the ISA-ANSI Financial Cyber Risk Management Project determined in 2008 with its first publication, The Financial Management of Cyber Risk: 50 Questions Every CFO Should Ask. In an effort to further help organizations understand the true costs of cyber security, ISA and ANSI continued their efforts and authored the recent March 2010 publication, which:
o Articulates the need for businesses to systemically assess and manage the financial dimensions of their cyber risk.
o Outlines a procedure for getting started.
o Provides a detailed program for the functional departments of an organization to use in their development of the needed cross-departmental analysis.
Due to the success of these two documents, ISA and ANSI are considering further studies in financial cyber risk management.

• Develop a scientific framework to incentivize vendors of cyberspace-related technologies

Internet security has not yet progressed and may never progress to the point where it can prevent or detect all breaches and exploitations that affect critical control signals in real-time. The continual leap-frog activity of seeing new attacks and then developing protections to reduce future occurrence or impact is sufficient for many traditional IT applications, but not for potentially volatile control or emergency response systems, where service availability must be absolute at the time of an incident.

Until Internet security achieves the ability to preemptively prevent certain attacks and achieve sufficiently complete detection and attribution, there remain certain functions of CIP that should be designed around, not into, an Internet-centric architecture. In the current environment, industry will continue to develop near-sufficient internet security while promoting it as the state of the art, thus filling the void with solutions that may be short of the national need. Further, new commercial products and services will strengthen the Internet only to the extent that fits the budgets, priorities, and time-to-market plans dictated by competitive market conditions, thus establishing a baseline unsuitable to completely protect the national interests in CI - but establishing the only new status quo. Still, even here, an organized exploitation and deployment of existing technologies can provide great social benefits in lieu of waiting for new technologies to come.

A Social Contract Laboratory is needed throughout the lifecycles of this new generation of initiatives to:
o Ascertain and ensure appropriate requirements-baselines, acquisition and application of existing technologies in combination with standards and regulations in the short term
o Ensure that CI-based Enterprise Architectures have guidelines and techniques to prevent unwise use of cyber technology for any, and all, control system or incident response applications
o Provide the necessary focus and incentive for industry and academia to solve those extreme internet, information, and application security issues that are not currently at the top of industry’s development agenda.

• Promote an environment where (1) users are well informed about cyber security, so that they reward vendors that provide secure products and services, and (2) individuals have "ownership" of their personal data, are aware of its provenance, and control its authenticated and authorized distribution, use, destruction with greater understanding of the economic value of such data.
As individual and institutional users, we all need to promote better insight into the consequences of cyber risk so that we all may take “ownership” of our own information assets’ safety and security, and not rely solely on ICT HW/SW manufacturers and service providers. This is not just a matter of more public education, but a matter of new ways to talk about the problem – better tailored to each community of users – in their own language. There is no single Lingua Franca that transmits the understanding and feeling that motivates people to act about cyberspace! Two dimensions of approach are:
1. Change the conversation from data protection to one of securing Information or Infrastructure Control Signals. Data is still a “geeky” concept to most people, particularly to industry executives. Dialog about adverse effects on their vital Information and their plants’ Control signals begins to align with things they understand, and with the DNA of the cyber problem.
2. Make our training and communication align with each layer of stakeholder – from desktop users, to Board members, to political policymakers – each in their own language – relating to measures they already accept as their own yardsticks.

Here again a Social Contract Lab could provide tangible personal and industrial system “test beds” from which we could promote better insights and try out new paradigms for owning our own problems (at home and at work) as well as voicing our needs to our cyber providers.

• Empower cyberspace service providers to reduce abusive or criminal behavior and to provide the means to better defend services and systems against abuses and exploitation, while offering the appropriate legal/regulatory framework (e.g., exemptions, liability protection) and law enforcement support.

Social contracts offer to be vital instruments in quickly facilitating a unified set of defensible legal and regulatory practices across agencies - across industries - and across borders. Model legal and regulatory frameworks with global import would not only assure a baseline legal protection but also better allocate the excess legal spend required to address repetitive risk issues in the current unharmonized legal and regulatory landscape of today. It would offer a clearly defined path to assure legal defensibility with compliant practices - protect global internet economies and cyber enforcement dependencies. Information privacy protection is a critical component that trans-jurisdictionally could offer fast-tracked acceptance and allow for better yet compliant innovation that protects information appropriately.

Developing a legal and regulatory framework is a core social contract value proposition that would:
o recognize that certain legal practices assure a certain benefit - facilitate risk transfer and financial stability
o enable cross-border jurisdictional standards for sharing and managing privacy and more effective and faster law enforcement capabilities that are politically neutral
o allow greater economic benefit and protections to flow to the private sector that executes on its commitment
o recognize that grass-roots education is the only way to build a globally digitally diligent society in our interconnected social networked world
o provide, through social contracts, transparency and accountability to legal and regulatory requirements that take us towards more unified protections -- economic, personal and governmental
o be jurisdictionally agnostic but based on valued principles and practices that will make the private sector more facile in leveraging innovation yet protecting in strength against significant risk to economic stability

In summary, the Social Contract concept with its Social Contract Laboratory has significant potential to become another game-changing strategy within the NITRD program for answering the need for near-term cyber security services while also laying the foundations in the industrial base for the future. As such, the services of the Social Contract Laboratory are envisioned to:
• Develop broad acceptance and consensus of the Social Contract approach through confidence in the findings, through methodology, and through the outreach of the SCL and its participants
• Maximize the use of existing technology
• Embrace a sufficiently large problem scope to create useful and safe solutions through one or more well-engineered Social Contracts by empowering, and focusing, the skills and resources of industry and the government
• Discover technology gaps, including gaps in legal and social support
• Evaluate and exercise candidate models of Social Contracts for feasibility, adequacy, and cost effectiveness, especially in terms of time-to-market issues
• Educate and assist industry and government participants to implement, enter into, and perform on a Social Contract basis

The Social Contract Laboratory must cover the full lifecycle of Social Contracts regarding cyber security. As such, this laboratory will be partnering where possible with other organizations and facilities that currently have cyber security-related resources. The Social Contract Laboratory is envisioned to initially select a “model” critical infrastructure system, for example the Smart Grid, which can be readily and favorably influenced by one or more Social Contracts.
Just to update people.

The USA has given software providers immunity from prosecution should their code be found or used or circumvented in an unwanted way in cyber terrorist attacks... The government will cover all company losses... or rather taxpayers will...

An incident of an ISP actually cutting off botnets (aka people like you) from the internet was a surge in calls to find out why they had been cut off and what they should do. It cost the ISP too much in time and resources to answer these calls, so they re-enabled the connections (to the botnets) and just provided the extra bandwidth.

These two items show you that you can solve the botnet issue like this:

1. Computer systems exist that are infected, yet the companies (software) who are attacked don't provide cleaning services to end users. The companies' systems who the government recently made immune from prosecution...
So now it appears that the user has to be a computer expert... and therein lies the flaw... The governments.
The governments should make companies instead liable for their software and provide free system cleaning tools to the country in which they reside. All they need is to pool a little money each and make it happen...
But oh no, as a bunch of retards they make cyber crime EASIER...

2. The solution is with ISPs having an automated tool (provided as above) that cleans end user machines on request. That is, once the user connects to the internet via the ISP. All the ISP has to do is inform the user it has detected anomalous behaviour from it and explain botnets etc. and provide the cleaning service.

So there you go... just a little thought and you can reduce botnets. Companies and ISPs have to take on more responsibility is all. Oh yes, and we have to amend Government policy to make it happen, something like:

All companies claiming insurance for cybercrime have to pay 1% or $1000(max) to this fund which will provide a cleaning service to peoples machines so reducing further attacks in future. The fund would have to be a government entity and in no way be associated with insurance companies.
Thanks for elucidating the difference between safe and secure. I assume that we agree that, due to the excellent progress in encryption and identification methods made in the last few decades, authentication is really not an issue at this time. The issue is that, as you noted, it is possible to circumvent authentication with the use of Trojans or other clever means that exploit flaws in the systems that we use. We all know that no server or client system currently on the market or in the lab can be guaranteed safe. One reason is that it is always possible for a malevolent and knowledgeable insider to insert some malware into the system. Unless there is an automated mechanism that can uncover every flaw and detect every possible intrusion, our systems will always be unsafe. My thesis is that, contrary to current wisdom, such a mechanism is possible.

In my opinion, the reason that we have a cyber security crisis is that the baby boomer generation (and I admit to being in that group) shot computing in the foot in the last century. Our current computing paradigm is essentially no different than what Charles Babbage envisioned more than 150 years ago. The boomer geeks showed up later and, for reasons that will keep historians and psychologists busy for centuries, imposed their Turing machine cult on the entire industry, which, unfortunately, encased those old flawed ideas in stone. We are suffering the consequences as I write. The biggest flaw with the Turing computing model is that time is not an inherent and fundamental part of the model. I am prepared to argue that almost every problem in the computer business can be directly or indirectly linked to this flaw.

Regardless of what the pundits maintain, the cyber security crisis is really identical to the software reliability crisis. Systems are vulnerable to attacks simply because they are buggy. There is a way to solve this problem once and for all but we will have to switch to a different type of computer, one which incorporates timing at the fundamental level. There is no getting around this fact and the sooner we accept it, the better off we will be. This is a thesis that I am ready to defend because I have given it a lot of thought over the years.

In conclusion, I will reiterate my position that NITRD does not have a plan that is designed to solve this problem. Unless they insist from the outset on a decisive and final solution, all we will get is more of the same. The game changing innovation that they seek will not materialize. And that would be both a shame and a waste of the taxpayer's money.

© 2012   Created by NITRD Cyber Security.