A paradigm shift requires a crisis, so the primary question posed by Dan Geer, CISO of In-Q-Tel, in his RSA Thursday morning presentation on The future of security, was: ‘Is cyber-security in enough of a crisis to need a paradigm shift?’
Certainly the paradigm of cyber-security based on the perimeter no longer exists in the age of always on, universal addressable communication, and new paradigm candidates are now competing to replace it.
Geer asserted that what drives the future is culture and science, and, combining both, he kicked off by providing an academic outline of what makes a paradigm and why and how paradigms change. Heavily quoting Thomas Kuhn's book, The structure of scientific revolutions, Geer described how a science is defined by beliefs that are shared, and how impenetrable jargon insulates science from society; when anomalies occur they need to be resolved, deferred, or a new paradigm created that resolves them. Anomalies that can't be resolved within the existing paradigm put that paradigm in crisis, as competing paradigms arise that better explain the anomalies. And like the dinosaurs, those who fail to adapt to a change in environment become extinct.
A major problem faced by any new paradigm will be authentication for authorisation, which must be established prior to use. This had previously been solved in the paradigm of perimeter control, with components such as ‘defence in depth’ being as old as the origin of cities.
Geer also suggested that because cyber-security has sentient opponents it is entirely different from all other sciences ‘of unsolved puzzles’, such as economics, physics and chemistry: the truth it researches is not stable and so cannot simply be exhaustively explored. The unprecedented rate of change faced was described as the sum of technical advance and sentient opponents.
A second crisis for cyber-security is the size and growth of the attack surface: for example, a CPU now has many cores, from 18 to 21 in a mobile phone CPU, so is that one perimeter or almost two dozen? And the rate of growth of the connected Internet of Things is currently put at 35 percent per annum, so a doubling of the perimeter in 17 months.
Alternative paradigms include one of surveillance and accountability, focussed on what is observable and what sensors show to be true. Authentication is described as a fork in the road as to which approach may be taken. One goal of authentication is a single un-spoofable identity that the individual doesn't need to prove, but that leaves the individual to either submit to, or withdraw from, a system that can ‘unmask them in the street’.
But the current view in democracies is that there should be personal control of personal data, and that a person has the free will to selectively reveal themselves to the world, including the capacity to misrepresent themselves.
Geer suggests that a new authentication based on an accountability regime will not be interested in who you pretend to be, but in what you did. It will reject the idea of providing specific permission for discrete chunks of information. Data traffic analysis is more powerful than content analysis; hence the government assurance that it only keeps metadata (who you contacted, when and for how long, recorded in real time) relies on the public not realising that the actual content is only of archaeological interest.
But it is not clear where the limits would be to this model of us built from metadata alone; we have pictures of us taken in the street without our permission, so why not record our heart rate, iris, temperature and other details to identify us?
Alternative paradigms to the selective revelation of personal information could see confidentiality becoming quaint and irrelevant, says Geer. Maybe we will prioritise integrity instead, so the data had better be right. Integrity of data would need to be as absolute as we can make it so that, for example, our health records could be used to prescribe drugs genetically specific to us.
Resilience and reliability could be key, with defence as the paradigm: how to harden and defend. If defence is the paradigm it is also in crisis, as the level of skill and technology available is not expanding as fast as the attack surface, and neither technology nor colleagues can keep up.
Geer was also a proponent of the view that all cyber-security knowledge (and tools) is dual use, and that the tools themselves currently favour offence strongly. That's not a reason not to build defence tools, but the defenders need to be cognisant of their dual use. Others would say ‘build security in’, but just as cryptography is typically bypassed rather than broken, opponents are investigating ways to bypass other security methods too.
Another objective for a new paradigm would be to meet the need for defenders to outrun the attackers, who always need some time to respond to new defences. Thus there could be constant code change, but this would be fundamentally incompatible with compliance. Still, creating a moving target of defence, preventing exportability and randomisation of code bodies need to be considered. Geer comments: “Where we are losing we have to change the rules of the game. The principal goal is no failure whatsoever.”
Geer reminded his audience that 80 percent of breaches are discovered by third parties, that 55 percent of companies in the sector found failures in other organisations, and that the greater the failure, the more likely the finder was to be silent. This crisis in code security was therefore described as requiring a new paradigm. All inputs should be treated as a language that must be recognised.
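The closing principle above, that every input is a language that must be recognised before it is acted on, is the core idea of what is now called language-theoretic security: write down the grammar of the input you accept, recognise the whole input against it, and refuse anything that is not in the language rather than patching it up afterwards. The following Python is an added illustration, not code from the article or from Geer's talk. The key=value configuration format, its grammar, the sample lines and the function names are all assumptions constructed for this example; the strict recogniser is contrasted with a permissive parser that splits and strips and so lets unexpected structure through.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed grammar for one configuration line (an assumption for this example):
#   line  := key "=" value
#   key   := [A-Za-z_][A-Za-z0-9_]{0,31}
#   value := [A-Za-z0-9._-]{1,64}
# fullmatch() is used so the entire line must be derivable from the grammar;
# a line that merely contains a match somewhere is rejected.
KEY = r"[A-Za-z_][A-Za-z0-9_]{0,31}"
VALUE = r"[A-Za-z0-9._-]{1,64}"
LINE_GRAMMAR = re.compile(rf"(?P<key>{KEY})=(?P<value>{VALUE})")


def recognise_line(line: str) -> Optional[Tuple[str, str]]:
    """Strict recogniser: return (key, value) only if the whole line is in the
    language; otherwise return None so the caller never processes it."""
    m = LINE_GRAMMAR.fullmatch(line)
    if m is None:
        return None
    return m.group("key"), m.group("value")


def sanitise_line(line: str) -> Tuple[str, str]:
    """Permissive parser: split on the first '=', strip whitespace and hope
    for the best. Structure the grammar never allowed still gets through."""
    key, _, value = line.partition("=")
    return key.strip(), value.strip()


def parse_config(text: str, strict: bool = True) -> Dict[str, str]:
    """Parse a config document line by line. In strict mode any unrecognised
    line aborts the whole parse instead of being silently patched up."""
    result: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw == "" or raw.startswith("#"):
            continue  # blank lines and comments are outside the grammar but ignored
        if strict:
            parsed = recognise_line(raw)
            if parsed is None:
                raise ValueError(f"line {lineno} is not in the input language: {raw!r}")
        else:
            parsed = sanitise_line(raw)
        key, value = parsed
        result[key] = value
    return result


def is_valid_config(text: str) -> bool:
    """True only if every non-comment line is recognised by the grammar."""
    try:
        parse_config(text)
        return True
    except ValueError:
        return False


# Constructed sample input: two well-formed lines, then a document whose
# second line smuggles a ';' and a second '=' that the grammar never allowed.
SAMPLE_GOOD = "host=example.internal\nretries=3\n"
SAMPLE_BAD = "host=example.internal\nretries=3;debug=true\n"

if __name__ == "__main__":
    print(parse_config(SAMPLE_GOOD))
    print(parse_config(SAMPLE_BAD, strict=False))  # permissive parser keeps '3;debug=true'
    print(is_valid_config(SAMPLE_BAD))             # strict recogniser answers False
```

The point of the contrast is where the decision is made: the recogniser decides membership in the language before any value is used, so the permissive parser's `3;debug=true` never reaches the code that would interpret it. In practice the grammar should be as simple as the application allows (regular or context-free), because a recogniser for a simpler grammar is easier to get right and to check for equivalence across components.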
It could be that the paradigm shift comes from a field other than cyber-security, or even that the anomalies can be resolved and that the scarcity of competing paradigms suggests we don't need a new one. But if imminent change is near, we are unlikely to spot it until it arrives, and even then it will be fiercely resisted, which serves its own purpose: resistance to change means that anomalies penetrate existing knowledge to the core.