[soen321-f04] risk management (Sep 03)
David K. Probst PROBST at vax2.concordia.ca
Fri Sep 3 16:12:46 EDT 2004

Security And Other Technology Incentives
________________________________________

One of the infrastructure services that keeps the Internet running smoothly is the Domain Name System (DNS), which translates between domain names---such as "news.google.com"---and what are called IP addresses, which are used by Internet routers to speed packets safely to their destinations. On Monday, October 21, there was a major distributed denial of service (DDoS) attack on the 13 root servers of the DNS. This time, the "White Hats" succeeded in beating back the flow of malicious Internet Control Message Protocol (ICMP) packets---running at more than 10 times the normal rate of traffic---but a more sustained attack could have resulted in significant delays and failed Internet connections. The most brilliant White Hat was Internet Software Consortium Inc. Chairman Paul Vixie. His server was one of four or five that were able to withstand the attack and remain available to legitimate Internet traffic throughout the one-hour assault. Somewhat cryptically, Vixie said he kept the server at Internet Software Consortium Inc. operating by pushing the flood of packets far enough away from his servers that legitimate traffic could flow around the obstruction. Why did Vixie fight so valiantly? How could he not? Vixie is the principal designer of the Berkeley Internet Name Domain (BIND) software, the open-source software that runs on most DNS servers. For Vixie, defending against this attack was a matter of sacred honor.

Even the dullest observers agree that computer security is risk management, in which security spending is determined by a careful balancing of cost and risk.
The object to be protected can be as small as an individual computer system or as large as a significant portion of the Internet. But the Internet is owned by many large and small corporations, such as ISPs and domain-name registries. Corporations of all kinds---infrastructure providers, businesses that depend on computer systems, security vendors, etc.---are motivated by rational self-interest. We cannot formulate federal policy for information-systems security without an adequate model of _security incentives_.

Security incentives are one kind of technology incentive. Actually, many technology incentives in the U.S. are skewed relative to the nation's needs. In this writer's opinion, the rebalancing of supercomputing incentives is more urgent. In September, at an International Data Corporation HPC User Forum meeting, one of the questions posed to the panel on HPC requirements was, "If you controlled the Boards of Directors of the major computer vendors, what would you change about their products, strategies, etc., to make your life as an HPC user better? [Remember] the Board has to help ensure that the vendor makes money".

Whoa! First, there are two types of "high-performance computing". There is throughput or capacity computing and there is capability computing, now called high-bandwidth or Type-C computing. Second, in this writer's opinion, very few U.S. computer vendors could be persuaded to refocus their business plans on high-bandwidth computing---and rightly so! Vendors are interested in making money by finding the "sweet spot" that maximizes return on investment. One needs to understand this in evolutionary terms. A corporation, like a biological organism, exists inside a framework of external conditions that determines whether that corporation will survive. A corporation has _preferences_ that may cause it to adopt a new behavior (product line) and consequently a new ecological niche. But the framework of external conditions is cold and unforgiving.
For example, until high-bandwidth (Type-C) users approach, say, IBM with significant development money ("Here's the money, IBM; now build me a high-bandwidth system!"), it is not in IBM's rational self-interest to invest in high-bandwidth computing. It makes more sense for IBM to stay with the SP. User money---which may be federal money---defines the _economic conditions_ in the framework of external conditions, and creates the ecological niches that vendors might choose to inhabit.

For that reason, much of our security thinking will remain flawed until we get the economics right. We illustrate this by looking at critical infrastructure protection. Compared to problems over the last decade, DDoS attacks represent a new flavor of hacking because they touch on problems of network security, not problems of host security. Since not everyone is as smart as Paul Vixie, AT&T security guru Steve Bellovin has been working on automating the defense against DDoS attacks, looking for ways to rewire routers so that they can identify and stop DDoS packets. But Bellovin is stumped because implementing his ideas requires the router manufacturers to make hardware modifications which, for sound economic reasons, they simply will not do.

It's the same story with trying to add security to the Internet. The central problem with the three main Internet protocols---Internet Protocol (IP), DNS, and Border Gateway Protocol (BGP), which controls interdomain routing between carriers---is that all three lack any means of authenticating communications. Although the Internet Engineering Task Force has spent more than a decade trying to retrofit these protocols with encryption and digital signatures, these security fixes are not widely used by ISPs or their corporate customers because of the high cost and management overhead.
The hitch is that these security fixes---known as IP Security (IPSEC), DNS Security (DNSSEC), and Secure BGP (SECBGP)---are too complex and too expensive for ISPs and companies to deploy. The new protocols require hardware and software upgrades to handle the assignment, management, and processing of cryptographic keys, digital signatures, and digital certificates---as well as additional operator support. And ISPs and domain-name registries are not being pressured by their corporate customers to spend millions of dollars on security upgrades.

This reminds one of something called the "tragedy of the commons". A common resource can be degraded by overuse, e.g., when too many sheep are allowed to graze upon a grassy area. Indeed, whenever a public good does not belong to some legal entity empowered to manage the resource through usage restrictions and/or fees, there are inadequate incentives for individual users to restrict their usage to the collectively optimal level. Bellovin calls on the government to create market incentives for software vendors and ISPs to build security into their offerings, perhaps by passing legislation regulating product liability. One shudders at the thought of Microsoft being financially liable for each and every one of their security flaws. However, requiring a minimum of due diligence from software vendors sounds appealing.

It is common to hear recommendations for more federal management of key components of the Internet infrastructure. Allegedly, government involvement could take the form of tax incentives or direct federal funding for private companies and public organizations that manage key DNS servers to incentivize them to secure their systems. This writer has been railing against the federal government for eight years now asking that it provide better federal support for U.S. supercomputing. Does that mean he thinks the federal government should step in and secure the Internet? Maybe not.
As noted above, computer security is risk management, a careful balancing of security cost and security risk. In a corporation, the risk-management expertise is found in the finance department rather than the systems department. Chief information officers, chief financial officers, and other executives already know how to do risk analysis. Management may call upon technical staff for certain factual assessments but management calls the shots. If the technical staff has been watching too much TV and natters on about an "electronic Pearl Harbor" or the dangers of cyberterrorism, it gets fired.

Who do we trust to do an objective risk analysis of the Internet? Richard Clarke, who is the Administration's cybersecurity tsar, is beginning to bore people with his scare-mongering. The head of SRI recently called for a "Manhattan project" to secure the nation's information infrastructure. This is utter nonsense. This writer's best estimate is that there is at present no serious threat---no clear and present danger---to the Internet that would justify a frantic crash program to render it robust, quite apart from the fact of the extreme overambitiousness of any such program.

Obviously, computing is changing from being an optional tool to being a mission-critical utility. Obviously, we can no longer continue this migration without basic security. But we need sober adults to do an objective risk analysis of our common information infrastructure. We cannot suspend the laws of economics. We cannot spend billions of federal dollars because of someone's far-fetched scenario of cyberdoom. Securing the nation's critical information infrastructure will be a slow and gradual process as large corporations and the federal government chart a sensible evolutionary path to a goal we all cherish. We don't need a revolution. We don't need a Manhattan project. Piecemeal Internet engineering with gentle federal pressure on the incentive space fits the bill very nicely, thank you very much.