Tuesday, October 17, 2006

Thoughts on Gates Security Memo

While reading Gary McGraw's great book Software Security, I had a chance to re-read the famous Bill Gates security memo of January 2002. I wasn't blogging back then, so I didn't record my reaction to it. Almost five years later, the following excerpt struck me:

[E]ven more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.

Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade.
(emphasis added)

Hold the phone (no pun intended). "[A]vailable, reliable and secure as electricity, water services and telephony"? You mean the solid electricity system that blacked out the northeast US in 2003? Or the two water pipes running into New York City that could be disrupted or poisoned? Or the telephone system owned by the Phone Masters in the late 1990s or spied upon by three letter agenices in this decade?

I propose that the main reason that electricity, water, and telephony are (wrongly) considered "secure" is the fewer number of threats facing them. Networked digital resources are exposed to far greater numbers of threats than analog resources like electrical power plants, water treatment facilities, and telephone closets. This is changing as all of these analog resources are being controlled by IP-enabled systems with global reachability.

This makes me wonder if digital security is being held to a higher, possibly impossible, standard. Is there any other system in the world that could be accessed by any threat, at any time? This is not a wise-guy question -- I'd appreciate your thoughts on this. What sorts of man-made systems are relentlessly under attack by intelligent adversaries? I'm adding intelligence here to remove comparisons to diseases, weather, earthquakes, and so on.

The first system that came to mind was the modern casino. People are always trying to cheat, so the threat level is high. A variety of financial systems come to mind, although I'm trying to avoid systems with close ties to digital functionality. Physical security probably has a few useful lessons.

What do you think?


LonerVamp said...

It definitely helps that a certain level of physical presence is not required for so many digital attacks. I would be much more inclined to rob a store or cheat a casino when I'm only controlling a robot or doing so remotely. Similar to how people often act differently when behind the veil of anonymity of the net. Some people act more like their inner selves; others act with more abandon and less ethics.

I actually think digital security right now is held to an impossible standard by far too many people (or perhaps the media perpetuates this feeling). I think it was you in a past post that mentioned how the police departments are not operated in a way to stop 100% of all murders, thefts, and other law-breaking activities.

But digital security is expected too often to stop all of them all of the time. I think this is dangerous because it encourages a false sense of security, allows everyone to throws stones at events that WILL happen, and pressures IT/Mgmt/Admins to not necessarily report everything they should or risk professional or even personal lashback. That approach promotes prevention, but not detection, logging, and response functions.

Anonymous said...

Gates got it mostly right with the highlighted sentence. Electricity, water, and telephony are available and reliable in the USA at least. Even the blackout was a fairly small blip in the big scheme of availability and reliability, in my opinion.

The security of electricity, water and telephony is another matter. I think you're right that they face fewer threats.

Maybe part of the reason is because it is difficult to produce wanted results? Those services seem easy to DoS, but it seems pretty difficult to produce more specific results that help achieve an end.

In the case of telephony, I think it is attacked plenty but successful attacks probably aren't publicised or caught so often. How many hits will an online newspaper get for a story saying someone somewhere tapped a phone to steal some money or catch a cheating spouse? How often is that type of thing caught?

Motive is an important factor, too. In the end, most attacks on digital resources these days are either for money or state espionage, neither of which is a great motive for attacking electricity or water providers, and their are easier ways to both ends than attacking telephony.


Michael Cloppert said...

At the risk of short-stepping my response, I think the answer to your question is in your blog (The answers are within you, Luke). Complete security is in and of itself an impossible standard to meet, regardless the asset being protected. We try, and will always fail, to achieve complete digital and analog security. However, it's only the difference in threat-space that creates perceived differences between digital and analog security, and makes security standards of the former seem more lofty than the latter. I stipulate that the goals of the two are in fact the same, and equally impossible to meet.

Wes Peters said...

This makes me wonder if digital security is being held to a higher, possibly impossible, standard.

Perhaps by researchers confronting what it would take to actually secure something like the Internet, but in the world we have today I think we have exactly the opposite problem -- absolutely no digital security at all! Most of the development of digital security in the corporate world, where the real Internet resides, is completely reactive, based on the reigning philosophy of patching the known holes.

The problem is the entire system is the hole. Security isn't a feature that can be bolted on after the fact, and it's not an operating system, a programming language, or a code walkthrough. Security is a basic feature of any system, digital or otherwise, and if it isn't designed from start to finish to counter all threats that will be employed against it, it cannot be secure.

It's not too hard to see that a system that was designed with no thought to threats is bound to fail until we replace it with a system that has security designed in. The digital systems we have today are the equivalent of a child's race car designed without brakes; somebody decided the driver needs to be able to stop the car so they bolt on a lever the driver can pull to drag on the ground. The lever doesn't stop the car but rather tips it over killing the driver, but we have added a braking system now so we've met the requirement, right?

The logical next step is to design systems where security enhancements are a standard feature, not something cobbled on after the fact. I'll welcome this step as it will show that we have at least conquered the first step, thinking about security first.

Iang said...

> What sorts of man-made systems are relentlessly under attack by intelligent adversaries?

Easy one: war. In military science, we study and practice relentless attacks by intelligent adversaries all the time.

On your other point about electricity and other utilities being stable ... they weren't always so. All utilities had their growth periods, and turmoil reined. Only after some time did they settle down into models that hid all the complexity and delivered utility grade service.

Whether digital security gets to that is an open question. Unlike the telephone, the net product advances dramatically every year or two, and there is no comparison possible between the security requirements of a decade ago.

ciscoblog said...
This comment has been removed by a blog administrator.
ciscoblog said...
This comment has been removed by a blog administrator.