A paradigm shift requires a crisis, so the primary question posed by Dan Geer, CISO of In-Q-Tel, in his RSA Thursday morning presentation on The future of security, was, ‘Is cyber-security in enough of a crisis to need a paradigm shift?'
Certainly the paradigm of cyber-security based on the perimeter no longer exists in the age of always on, universal addressable communication, and new paradigm candidates are now competing to replace it.
Geer asserted that what drives the future is culture and science and combining both he kicked off by providing an academic outline of what make a paradigm and why and how they change. Heavily quoting Thomas Kuhn's book, The structure of scientific revolutions, Geer described how a science is defined by beliefs that are shared, that impenetrable jargon insulates science from society – and that when anomalies occur they need to be resolved, deferred or a new paradigm created that resolves them. Anomalies that can't be resolved within the existing paradigm put that paradigm in crisis from competing paradigms that better explain the anomalies. And like the dinosaurs, those who fail to adapt to a change in environment become extinct.
A major problem faced by any new paradigm will be authentication for authorisation, to be established prior to use, but one which had previously been solved in the paradigm of perimeter control, with components such as ‘defence in depth' being as old as the origin of cities.
Geer also suggested that because cyber-security has sentient opponents it is entirely different from all other sciences ‘of unsolved puzzles' such as economics, physics, chemistry etc as the truth it researches is not stable and so cannot simply be exhaustively explored. The unprecedented rate of change faced was described as the sum of technical advance and sentient opponents.
A second crisis for cyber-security is the size and growth of the attack surface: for example, the cores in central CPU are many- from 18 to 21 in a mobile phone CPU, so is that one perimeter or almost two dozen? And the rate of growth of connected Internet of things is currently put at 35 percent pa, so a doubling of the perimeter in 17 months.
Alternative paradigms include one of surveillance and accountability, focussed on what is observable, and that sensors show to be true. Authentication is described as a fork in the road as to what approach may be taken. One goal of authentication is that of a single un-spoofable identity that the individual doesn't need to prove – but that leaves the individual to either submit or withdraw from the system that can ‘unmask them in the street'.
But the current view in democracies is that there should be personal control of personal data, and that a person has free will to be able to selectively reveal oneself to the world – including the capacity to misrepresent yourself.
Geer suggests that a new authentication based on an accountability regime will not be interested in who you pretend to be, but what you did. It will reject the idea of providing specific permission for discreet chunks of information. Data traffic analysis is more powerful than content analysis – hence government assurances that it only keeps metadata – who you contacted, when and for how long, recorded in real time - relies on the ignorance of the public to not realise the actual content is only of archaeological interest.