Thursday, June 08, 2006

Dan Geer on Converging Physical and Digital Security

Dan Geer published an interesting article in the May/June 2006 issue of IEEE Privacy and Security. He questions the utility of converging physical and digital security "within a common reporting structure." In brief:

This observer says convergence is a mirage. The reason is time. Everything about digital security has time constants that are three orders of magnitude different from the time constants of physical security: break into my computer in 500 milliseconds but into my house in 5 to 10 minutes...

That is true, but the value of compromising a system doesn't necessarily come from just getting a root shell. This is especially true when organized crime, corporate espionage, and foreign intelligence activities are involved. Achieving the goals of each of those groups usually takes more than a few minutes, with the first taking the least time and the last the most. Nevertheless, Dan is probably still right. What he says later is even more compelling:

Human-scale time and rate constants underlie the law enforcement model of security. The crime happens and the wheels of detection, analysis, pursuit, apprehension, jurisprudence, and, perhaps, penal servitude... law enforcement generally has all the time in the world, and its opponent, the criminal, thus must commit the perfect crime to cleanly profit from that crime.

In the digital world, crime must be prevented; once committed, it's likely never ameliorable -- data is never unexposed, for example. It's not the criminal who must commit the perfect crime but rather the defender who must commit the perfect defense.

Time is the reason.

Consequently, the physical world strategies of law enforcement are of limited value in the digital sphere. Law enforcement officials (or the military) are not our natural allies or even mentors.


At first I accepted this argument. Then I thought more closely about it. Time has nothing to do with this argument. Preventing crime is the key. The analog world example makes it sound acceptable that a crime has occurred. The digital world example makes it sound unacceptable that a crime has occurred -- "data is never unexposed, for example." Well, death is never reversed if a murder is committed. For horrible crimes like murder, as with the digital world, in the analog world "crime must be prevented; once committed, it's likely never ameliorable."

Geer doesn't see this, but he reaches a conclusion for the digital world that is already happening in the analog:

[The] only answer is preemption. Preemption requires intelligence. Intelligence requires surveillance. If, as digital security people, we have any natural allies or even mentors, they're to be found in the intelligence model of security, not the law enforcement model where this talk of "convergence" has itself converged.

And there we are -- London's Cameras:

British authorities have sought to reassure the public that no effort will be spared to prevent further atrocities. For that promise to become a reality, however, London needs to move more from after-the-event analysis to before-the-event anticipation.

Intelligence is one way to prevent risks from occurring, to the extent that intelligence can identify threats and direct counter-threat activities. Removing vulnerabilities is another way to prevent risks from occurring, but that is far more difficult in most circumstances.

4 comments:

John Ward said...

Minority Report... Good movie, even better book. Of course, it's kind of difficult to have authorities ready to strike at the time of an incident, no matter which world. You are correct in that intelligence is the key, not only to preempting incidents, but also as indicators to improve preventive measures.

Richard Bejtlich said...

I should mention that analog criminals generally lack the ability to clone, automate, and project themselves as their digital counterparts do. This is an important aspect of Dr. Geer's argument.

Spence said...

The missing link in converged security operations is a preventive mentality. I speak from some experience. As a former practitioner of the arcane art of crime prevention in law enforcement, and as a current practitioner of digital enforcement in the corporate world, my experience lends itself to understanding the dichotomy.

The law enforcement model is not a security model, it is a reaction model. The definition of crime prevention (according to the National Crime Prevention Institute) is the anticipation, recognition and appraisal of a crime risk and the initiation of some action to remove or reduce it. Security is at heart a function of this definition.

To provide a preventive posture, one must develop a proactive rather than reactive methodology. From a fiscal perspective it is drastically more expensive to initiate a proactive prevention program, even though in the long run there should be a cost savings due to a reduction in incidents.

But how do you prove it? If the only reliable metric for success of a prevention program is the absence of successful breaches of defense, can you attribute low numbers solely to your prevention program, or could there be other reasons that your numbers are low, like absence of attackers?

This problem is endemic to the prevention mentality, and is very difficult to overcome when attempting to demonstrate effectiveness at budget time. This is in direct contrast to the reactive "law enforcement" model, which will always have solid numbers and tangible benefits. In the end, each bad guy caught is a statistical victory over prevention.

Dr Anton Chuvakin said...

The most fun comment I've heard on convergence was:

digital SECURITY to information SECURITY

has the same type of relation as

LEAD singer to LEAD pipe :-)