Is almost always secure nearly enough?

April 13, 2015

I was interviewed on Dutch national radio this weekend, to talk about the upcoming NCSC One and GCCS conferences. Both deal with cybersecurity (and a little privacy as well). During the interview, after talking about how complex the world has become, how increasingly dependent we have become on computers and the internet, and how hard it is to make systems secure, they asked me whether the situation wasn't basically hopeless. I answered that it depends who you ask, and on the mood the person is in. And this got me thinking...

On the one hand there is no denying that many of the systems we rely on for our day-to-day business are horribly insecure. Every month or so yet another bug in TLS (the protocol that secures all our internet traffic) is found. We still use the same short password to authenticate at websites and computer terminals. Zero-day exploits are routinely found (and traded) for all major computing devices, tablets and smartphones included. IT systems that are responsible for monitoring and controlling critical infrastructure like the power grid or our water dams and dikes are connected to the Internet and poorly secured as well. Huge databases containing personal data are routinely hacked and their data exposed. And these are only the incidents that we hear about in the media.

On the other hand there are indications that cybercrime may be less of an issue than commonly thought. Dinei Florêncio and Cormac Herley (Microsoft Research) for instance question overhyped estimates of cybercrime, because they are based on unverified self-reported losses, small sample sizes and in general dubious statistical methods. More realistic estimates of the real extent of cybercrime may explain, for example, why 'cybercrime billionaires are hard to locate because there aren't any'. Michel van Eeten (TU Delft) offers a different perspective:

For every dollar in the pocket of a cybercriminal, we spend sometimes 1,000 or even 10,000 dollars at preventing that crime. That money would be much better spent at catching and prosecuting the criminals.

In other words: to get rich from cybercrime, you'd be better off working for the cybercrime prevention industry than trying to be a cybercriminal yourself. It involves the same skill set, but it is legal, and probably earns you more.

There are some interesting factors at work here, I think.

First of all, our society is increasingly concerned (and I would say overconcerned) with security. In a way this is a good thing: apparently we are doing well, we have something to defend. But it has grown out of proportion. Our need for security starts to become suffocating. There is no room for failure, or plain bad luck. Every (security) incident needs a response: new tough anti-terrorism laws, more tools for law enforcement to counter cybercrime. And it doesn't really matter whether the response is useless or even counterproductive. It is mostly security theatre, aimed at creating the perception that we (or our governments) are still in control. Our strong desire to be free from anything bad happening to us also makes us susceptible to FUD (fear, uncertainty, doubt) instilled in us by providers of security solutions. Using the overblown statistics on the extent of cybercrime mentioned above, for instance.

This focus on perception, instead of a more evidence-based and result-oriented approach, may explain the discrepancy between the amount of money spent on cybersecurity, and the actual security-for-the-buck we are getting from that. What's worse: all this money increasingly fails to make the people even feel secure in our current society...

Does all of the above imply we don't have a security problem? Not at all. Essentially all the systems and networks we use have vulnerabilities and will continue to have vulnerabilities. But the negative impact of these vulnerabilities is exacerbated by the so-called 'network effect'. Consider the 'analogue', i.e. real, world. The amount of effort required to exploit a particular vulnerability, say a bad front door lock, increases with the number of doors you want to open and the number of houses you want to loot. There is an inherent physical limitation to the extent a vulnerability can be exploited. The 'discrete' virtual world doesn't work that way. It's more discrete, based on zeros and ones: it is either all good or all bad. Once a vulnerability is discovered, the cost of exploiting it on all systems that suffer from this vulnerability is essentially zero. And the vulnerability can be exploited all over the world, without any real fear of being detected.

The real world responds more predictably, more continuously, than the virtual world. The virtual world is discontinuous. To put the analogy to the extreme: to start a nuclear Armageddon, someone in the Oval Office needs to push a red button. To start a virtual Armageddon it just takes someone somewhere to find the right vulnerability to exploit, and to push the button, from his own desk.

The paradox is clear: on the one hand we want a society that saves us from all misfortune, that protects us. Citizens want a secure society. On the other hand we embrace the convenience of computing and internet services, without giving the risks a second thought. Risks both in terms of the insecurity of the underlying technology, as well as the shift of power to large corporations and larger nation states, leading to what some call cyber-colonialism. We want to be connected.

How do we resolve this paradox?

At the very end of the interview that I mentioned in the introduction, one of the journalists urged me (as in: all us experts out there) to solve the problem they felt they (as in: all us citizens) were in. In a way this shows how hopeless the situation is, really. That citizens need experts to secure their daily life; and that they cannot rely on (let alone independently verify) the fact that the systems they use do work as expected.

This is the heart of the problem, and a topic I will pitch (sic!) about for three and a half minutes at the Global Conference on CyberSpace (GCCS).

(And yes, I am a Tortoise fan.)
