Friday, March 26, 2010

Not a Moment Too Soon ... Carnegie Mellon Silicon Valley Launches Disaster Management Initiative

All of the major cities of the West Coast of the United States are at risk from earthquakes similar to what just happened in Chile. The largest possible earthquake in California would be just above magnitude 8. But millions of people would be right on top of the shaking ... When we have a large earthquake, we will face issues similar to what is happening in Chile right now ... The long duration of shaking in the largest earthquakes has a bigger impact on bridges, pipelines and large structures. Loss of utilities can last for months because the damage is so extensive that the only solution is to create a completely new system ... Without utilities and with damage to a million buildings, businesses, especially small businesses, cannot reopen and the economic consequences continue to grow. Lucy Jones, U.S.G.S., "Are We Prepared for an 8.8 Quake?," New York Times, 3-29-10

By Richard Power

Information and information systems have a pivotal role in crisis and catastrophe; not only are they highly vulnerable to such disruptions, but they are also vital to crisis management, business continuity and disaster recovery. And today, you have to factor in even more complexity, because dynamic, new elements such as social media, smart phones and crowd-sourcing not only offer the opportunity to empower the populace to participate in recovery and relief efforts, they also confront emergency response planners with the challenge of processing and prioritizing an immense influx of hitherto unavailable information.

Meanwhile, in the 21st Century, the fields of crisis management, business continuity and disaster recovery are taking on a new significance and a new urgency at all levels -- personal, organizational and societal (or at least they should be). As I say in my Intelligence Briefings, the 20th Century model for crisis management, business continuity and disaster recovery was "something bad might happen someday and if it does this is what we will do," but the 21st Century model should be "multiple bad things will occur, quite possibly simultaneously, and when they do, this is how we will adapt and respond."

Consider Munich Re's annual report on the global impact of natural disasters.

The 2009 report was heralded as "good news." The top ten 2009 events combined resulted in fewer than 10,000 deaths, and total economic losses were valued at only $50 billion (BTW, the USA was affected by four of the top ten events in terms of economic losses); as contrasted with the 2008 report, which cited 220,000 deaths (200,000 in Cyclone Nargis and the Sichuan Earthquake alone) and economic losses of approximately $200 billion. And although 2009 was not as bad as 2008, the trend line since 1950, and especially over the last decade, is on a steep curve. There is no mystery to this increasing intensity: the planet's exploding population, coupled with the increasingly stressed infrastructures of the planet's mega-cities; and yes, despite the vehement denialism of a dwindling few, extreme weather brought on by the rapid acceleration of global climate change is already having a major impact.

What do you think Munich Re's report for 2010 will look like?

It is only March, and we have already seen devastating earthquakes in Haiti (over 200,000 dead and hundreds of thousands more homeless) and the 8.8 magnitude quake in Chile, which plunged 93% of the country into a prolonged blackout, and led to tsunami warnings in over 50 other nations.

But perhaps more to the point, what does it all mean to you personally, to your loved ones, to your enterprise, to your community, and to your country?

The clearing of the rubble in Haiti will take 1,000 trucks 1,000 days.

The quake that hit Chile less than one month later shifted the earth's axis, and shortened our day by 1.26 microseconds. (Likewise, the 2004 Indian Ocean earthquake also shifted the axis and shortened our day, by 6.8 microseconds.)

How much would an 8.8 earthquake shift the axis of your own individual world? What would you do if your headquarters or your production center were located in a disaster zone where it was projected it would take 1,000 trucks 1,000 days to clear the rubble? What would the first twenty minutes of the aftermath look like for you? What would the first twenty hours of the aftermath look like to you? What about the first twenty days? Where would you begin? What have you done to prepare in any way?

My personal interest in crisis management, business continuity and disaster recovery has been on a steep arc of its own since the late 1990s, when I started looking at the likely impact of climate change (and related sustainability crises) on the overall risk and threat matrix for business and government; and it became very personal after I directed a 24x7 response to the Indian Ocean earthquake and tsunami for a global enterprise of 100,000+ people in 100+ countries. (See A Corporate Security Strategy for Coping with the Climate Crisis.)

So I was delighted to find myself in the front row at the NASA AMES Convention Center for the launch of Carnegie Mellon Silicon Valley's Disaster Management Initiative (DMI).

Martin Griss, Director of the Carnegie Mellon Silicon Valley and the CyLab Mobility Research Center, has a vision of the DMI as a collaboration "to prepare the SF bay area for a coordinated response to a major multi-jurisdictional incident, using open technologies and software."

In articulating Carnegie Mellon's critical contributions to the DMI, Griss stressed establishing relationships, submitting proposals and managing grants, creating and launching collaborative events, and participating in research into technical components of the DMI, such as sensors, devices, communications infrastructure, situational models, common operating picture, information reporting and sharing, system testing, etc.

Numerous speakers from diverse organizations led segments of the DMI workshop.

Matthew Bettenhausen, Secretary of the California Emergency Management Agency (CalEMA), gave a sobering keynote, admonishing those who have not yet taken personal responsibility for preparing themselves, their families and their organizations for the inevitable, and exhorting those present to make haste in their efforts to develop the kind of coordinated, 21st Century emergency response articulated by Griss.

David Oppenheimer, Chief of the Northern California Seismic Network Earthquake Hazards Team of the U.S. Geological Survey (USGS), spoke on an earthquake early warning system being developed.

The system is based on hundreds of monitoring stations throughout the state, and is predicated on the span of a few seconds between the P wave and the S wave of an oncoming earthquake. In that space, it is possible to determine the location and the magnitude of an earthquake.

Imagine what could be done with those few seconds (maybe as many as five or ten seconds, depending on how far you are from the epicenter). Could you broadcast a warning within one second? Could you bring elevators and trains to a safe stop? Could you provide for an orderly transition in air traffic control? What else could you do? Yes, like much of what was explored in the DMI workshop, this extraordinary capability brings both opportunities and challenges.
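As an added illustration of the P wave/S wave principle Oppenheimer described (example code written for this post, not USGS code or any part of the system he presented): it assumes textbook crustal speeds of 6.0 km/s for P waves and 3.5 km/s for S waves, a constructed epicenter, three constructed station positions and a one-second processing delay. It turns the S-minus-P arrival gap at each station into a distance, grid-searches for the epicenter, and then computes how many seconds of warning a site at a given distance from the epicenter would get before the S wave arrives, including the "blind zone" case close to the epicenter where the S wave arrives before any alert can go out.

```python
import math

# Assumed crustal wave speeds in km/s (typical textbook values, not from the post).
V_P = 6.0
V_S = 3.5


def distance_from_sp_time(t_sp):
    """Distance (km) to the source from the S-minus-P arrival gap at one station.
    d/V_S - d/V_P = t_sp  =>  d = t_sp * V_P * V_S / (V_P - V_S)."""
    return t_sp * V_P * V_S / (V_P - V_S)


def locate(stations, sp_times, grid=(-10.0, 50.0, -10.0, 50.0), step=0.5):
    """Grid-search epicenter: the grid point whose distances to the stations best
    match the S-P derived distances. stations: list of (x, y) km; sp_times: seconds."""
    dists = [distance_from_sp_time(t) for t in sp_times]
    xmin, xmax, ymin, ymax = grid
    nx = int((xmax - xmin) / step)
    ny = int((ymax - ymin) / step)
    best = None
    for i in range(nx + 1):
        x = xmin + i * step
        for j in range(ny + 1):
            y = ymin + j * step
            resid = sum((math.hypot(x - sx, y - sy) - d) ** 2
                        for (sx, sy), d in zip(stations, dists))
            if best is None or resid < best[0]:
                best = (resid, x, y)
    return best[1], best[2]


def warning_seconds(station_dist, target_dist, processing=1.0):
    """Seconds of warning a target gets before the S wave arrives, if the alert is
    issued when the P wave reaches the nearest station plus a processing delay.
    A negative result means the target is inside the blind zone: no usable warning."""
    alert_time = station_dist / V_P + processing
    s_arrival = target_dist / V_S
    return s_arrival - alert_time


# Constructed scenario: epicenter and station positions in km on a flat map.
EPICENTRE = (12.0, 7.0)
STATIONS = [(0.0, 0.0), (30.0, 0.0), (0.0, 25.0)]


def demo():
    """Simulate the S-P gaps the stations would observe, locate the event, then
    compute the warning available at 60 km and at 10 km from the epicenter."""
    sp_times = [math.hypot(EPICENTRE[0] - sx, EPICENTRE[1] - sy) * (V_P - V_S) / (V_P * V_S)
                for sx, sy in STATIONS]
    est = locate(STATIONS, sp_times)
    nearest = min(math.hypot(est[0] - sx, est[1] - sy) for sx, sy in STATIONS)
    return est, {60.0: warning_seconds(nearest, 60.0), 10.0: warning_seconds(nearest, 10.0)}


if __name__ == "__main__":
    est, warnings = demo()
    print("estimated epicenter:", est)
    for dist, secs in warnings.items():
        print(f"site at {dist:.0f} km: {secs:+.1f} s of warning")
```

With these constructed numbers a site 60 km out gets roughly 14 seconds, while a site 10 km out gets none: the alert would reach it about half a second after the S wave. That negative value is the case to design for, since the locations that need the warning most are often the ones closest to the fault.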

Xavier J. Irias, Director of Engineering and Construction for East Bay Municipal Utility District (EBMUD), spoke on how his critical infrastructure provider is coming to grips with the inevitable.

Imagine having to develop a crisis management, business continuity and disaster recovery strategy for an entity consisting of four thousand miles of pipe, thirty dams, four hundred major facilities, and serving over four million people. Oh yes, and "everything has been placed right along the fault," Irias remarked, "to make it easy to find," and anything not built along a fault line has been situated in "a liquefaction zone."

"There is not a single facility immune to damage," he added.

Seismic modeling is not enough, Irias observed; to be truly useful, model results must be integrated with real-time field data. So EBMUD is using USGS's open-source Shakecast together with its own open-source disaster management application Marconi, in an open technology approach to enhancing the Common Operating Picture; and it is this Common Operating Picture that enables a prompt and appropriate response.

"Shakecast and Marconi integration exemplifies the [open technology] concept," Irias said, "both are freely available and applicable worldwide."

Let's say an earthquake hits at 3 a.m., and by 3:30 a.m., key personnel arrive at their district operation centers. Within an hour, the sites to be inspected can be prioritized based on the information available through Shakecast and Marconi, and by 5:00 a.m., the highest priority inspections could be completed.
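To make the 3 a.m. scenario concrete, here is an added example written for this post; it is not Shakecast, Marconi or EBMUD code, and its scoring rule is a hypothetical one rather than a published fragility model. It assumes a constructed facility list with an operator-assigned criticality and a peak ground acceleration (PGA) threshold above which damage is likely, a constructed table of modeled shaking per site standing in for what Shakecast would derive from a ShakeMap, and a constructed set of field reports standing in for what crews would post through Marconi. Field data overrides the model, which is Irias's point: a site a crew has already cleared leaves the inspection queue, a confirmed-damage report goes straight to the top, and everything else is ordered by modeled damage ratio weighted by criticality. A second function fits the ordered queue into the 3:30-to-5:00 window for a given number of crews.

```python
from dataclasses import dataclass
import math


@dataclass
class Facility:
    name: str
    criticality: int    # 1 (low) to 5 (high), operator-assigned
    damage_pga: float   # peak ground acceleration (g) above which damage is likely


# Constructed sample facilities (not EBMUD's real asset data).
FACILITIES = [
    Facility("Pump Station A", 5, 0.30),
    Facility("Reservoir Dam 3", 5, 0.40),
    Facility("Treatment Plant B", 4, 0.35),
    Facility("Pipeline Valve 17", 2, 0.25),
    Facility("Admin Office", 1, 0.35),
    Facility("Aqueduct Crossing 9", 4, 0.30),
]

# Constructed modeled shaking per site, standing in for ShakeMap-derived PGA values.
MODEL_PGA = {
    "Pump Station A": 0.45, "Reservoir Dam 3": 0.50, "Treatment Plant B": 0.20,
    "Pipeline Valve 17": 0.40, "Admin Office": 0.10, "Aqueduct Crossing 9": 0.30,
}

# Constructed field reports, standing in for what crews would post from the field.
FIELD_REPORTS = {
    "Reservoir Dam 3": "no damage observed",
    "Aqueduct Crossing 9": "damage confirmed",
}


def prioritize(facilities, model_pga, field_reports):
    """Return (name, score, basis) tuples, highest inspection priority first."""
    queue = []
    for f in facilities:
        report = field_reports.get(f.name)
        if report == "no damage observed":
            continue                        # a crew has already cleared this site
        if report == "damage confirmed":
            queue.append((f.name, math.inf, "field report"))
            continue
        pga = model_pga.get(f.name)
        if pga is None:                     # no model estimate: treat as uncertain
            queue.append((f.name, 1.0 * f.criticality, "no model data"))
            continue
        # Hypothetical score: how far modeled shaking exceeds the damage threshold,
        # weighted by how much the facility matters to service.
        queue.append((f.name, (pga / f.damage_pga) * f.criticality, "model"))
    queue.sort(key=lambda item: item[1], reverse=True)
    return queue


def inspection_plan(queue, crews, minutes_per_inspection, window_minutes):
    """Which sites the available crews can inspect within the window, in order."""
    slots = crews * (window_minutes // minutes_per_inspection)
    return [name for name, _, _ in queue[:slots]]


if __name__ == "__main__":
    q = prioritize(FACILITIES, MODEL_PGA, FIELD_REPORTS)
    for name, score, basis in q:
        print(f"{name:22s} {score:6.2f}  ({basis})")
    # Crews arrive at 3:30; the window to 5:00 is 90 minutes.
    print(inspection_plan(q, crews=2, minutes_per_inspection=45, window_minutes=90))
```

The queue is recomputed every time a new field report arrives, so the Common Operating Picture, not the pre-event model, is what drives the next dispatch.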

Robert Dolci, Chief of Protective Services and Director of Emergency Services for NASA AMES, spoke on the daunting challenges that will confront the Next Generation Emergency Operations Center (EOC).

"Let's assume a regional Joint Operations Command (JOC) staffed with local, state and federal personnel, and assume the worst case scenario, e.g., 7.8 earthquake on the Hayward fault ..." This JOC EOC would be interfacing with the EOCs of nine counties, forty-five cities, two hundred and fifty corporations, different State entities, thousands of incident command posts, ten commodity distribution centers, hundreds of shelters ... plus, at the Federal level, F.E.M.A., DoJ, DHS, DoD, DoT, GSA and "at least ten other agencies," ... plus emergency response teams from other states, volunteers from non-profits and faith-based organizations like the Red Cross and the Salvation Army, hospitals, news media (both local and national), and of course, the general public, and all of them reporting and making requests in real-time.

"From strategic level, the regional JOC/EOC of the future will need to be aware of all significant events, effectively gather and disseminate information, effectively communicate across all levels, etc. ... as many as five thousand command elements will be reporting up to and requesting support from that regional JOC/EOC ... There will have to be food, shelter, etc. for the responders, as well as the populace ...

Like the other presenters, Dolci emphasized the need for open technology approaches to enhancing the Common Operating Picture.

"If the next generation JOC/EOC cannot keep up with it all," he quipped, "it will be a disaster."

Eric Rasmussen, CEO of InSTEDD, also spoke. InSTEDD is an innovation lab and capacity-building resource, which is working with governments and NGOs in crisis areas from Haiti to the Mekong Delta.

Rasmussen spoke on some of the "free and open source" technologies his team has developed to empower "seamless and reliable collaboration" in the field:

Geochat: "A unified mobile communications service designed specifically to enable self-organizing group communications in the developing world. The service lets mobile phone users broadcast location-based alerts, report on their situation, and coordinate around events as they unfold, linking field, headquarters, and the local community in a real-time, interactive conversation visualized on the surface of a map."

Riff: "An interactive decision support environment that combines the power of virtual teams of human experts and advanced analytic, machine-learning, and visualization services to allow its users to collaborate around streams of information to detect, characterize, and respond sooner to emerging events."

Mesh4X: "An adaptive data integration platform designed to break down barriers to information flow, allowing organizations and individuals to share awareness reliably, selectively, and securely, with anyone, using any device, from any database, over any network. Using Mesh4x, every user knows what every other user knows. When a disaster relief worker notes in a spreadsheet that beds are available in a local shelter, that piece of information is automatically synchronized to all of the different websites, PDAs, databases, and maps of every organization cooperating in the response."

Nuntium: A messaging flow management system that "allows applications to send and receive all type of messages," e.g., SMS, e-mails and Twitter direct messages.

Carnegie Mellon Silicon Valley's impressive list of DMI collaborators includes:
Golden Gate Safety Network and MapLab
California Emergency Management Agency (Cal-EMA)
TWiki, Inc.
Wireless Communications Alliance (WCA) and the WCA's emergency Communications Leadership & Innovation Center (eCLIC)
NASA Ames Research Center Disaster Assistance and Rescue Team (DART)
Airship Earth Corporation (AEC)

To deepen the experience of the participants, Carnegie Mellon Silicon Valley followed up the DMI Workshop with a weekend-long Crisis Camp.

Stay tuned for more news of this compelling initiative as it progresses.

Wednesday, March 24, 2010

A Report from "Hacking Comes of Age: Climategate, Cyber-Espionage and iWar," a University Lecture Series Event

GoDaddy, the net’s largest domain-name registrar, announced Wednesday it would stop selling .cn domain names, saying it was unwilling to comply with new rules from the Chinese government that require new and existing .cn domain-name holders to provide photo ID. Wired, 3-24-10

Iranian security forces say they have arrested 30 people and disabled "the most important U.S.-backed organized networks of cyber war launched by anti-revolutionary groups." ... Some 29 Websites were "hacked" by Iranian security in order to find the accused, according to the reports. The Iranian government accused the sites and their operators of conducting a clandestine espionage effort under cover of human rights initiatives. Dark Reading, 3-15-10

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack. Washington Post, 2-4-10

Thousands of emails, from the University of East Anglia's Climatic Research Unit (CRU) were first published on a small server in the city of Tomsk in Siberia.
So-called ‘patriot hackers’ from Tomsk have been used in the past by the Russian secret service, the FSB, to attack websites disliked by the Kremlin ... Russia, a major oil exporter, may be trying to undermine calls to reduce carbon emissions ahead of the Copenhagen summit on global warming.
Telegraph/UK, 12-6-09

By Richard Power

As you can see from the four stories I selected to introduce this post, the second decade of the 21st Century has gotten off to a tumultuous start in regard to security and privacy in cyberspace. On 3-18-10, I was privileged to participate in a Carnegie Mellon University Lecture Series (ULS) panel on "Hacking Comes of Age: Climategate, Cyber-Espionage and iWar," which explored these issues in uncommon depth and clarity.

The event was a testimonial on just how uniquely situated Carnegie Mellon University really is, to serve as a vital national resource; the event also underscored the importance of CyLab's role within the University, cultivating, as it does, both the human factor and the technological edge. (Indeed, five of the six panel participants have CyLab affiliation.)

At the opening of the session, panel moderator Peter Madsen, Distinguished Service Professor for Ethics and Social Responsibility, Office of the Vice Provost for Education and Heinz College, provided some background on how the session came about: "It originated with a request from University President Jared Cohon to Dr. Indira Nair, our Vice-Provost of Education, in the wake of the so-called "Climate Gate" affair. There was a great deal of consternation about the hacking that went on at the University of East Anglia. President Cohon thought it would be appropriate for our community to take a look at the issues surrounding hacking. He must have been prescient, because since then issues have arisen, such as Google alleging that China was hacking its proprietary information, and just the other day, Iran has claimed that the United States, since the days of President George W. Bush, has been running a cyber war attack against it, trying to de-stabilize the country. They made the claim that $400 million dollars was allocated by President Bush for this cyber war ..."

Richard Pethia, Director of the CERT Program, Software Engineering Institute Fellow and CyLab Co-Director, served up "A Brief History of Hacking" from the ARPAnet attacks (1986), chronicled in the best-seller The Cuckoo's Egg, and the Morris Worm attacks (1988) through what he characterized as "nuisance hacking" in the 1990s (e.g., hackers looking for free use of computer time, phreakers avoiding phone charges, technical "explorations" by the curious, "noisy" viruses that clogged e-mail inboxes, etc.). After that, Pethia went on, in the mid- to late 1990s, "it got more serious."

As an example, he cited the Phonemasters, a cyber crime ring that attacked major companies such as MCI Worldcom, Sprint, AT&T and Equifax, and the Citibank case, in which Russian hacker Vladimir Levin stole $10 million. (BTW, both cases are documented at length in my Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace.)

Pethia then moved on to the rise of Distributed Denial of Service (DDoS) attacks in the late 1990s (including the headline-grabbing attacks on eBay, Amazon, CNN, and other icons of the Internet in 2000); these DDoS attacks, Pethia remarked, were "the beginning of what we call today 'botnets,' groups of machines that had been pirated, control software placed in the machines ..."

In 2001, he went on, the influence of Eastern European organized crime on the hacking of e-commerce was revealed as a serious problem, and continued to evolve throughout the decade.

"Along about the same time we began to see Spyware, and over time we began to see Spyware used to gather information from home machines. And what were they collecting? Your bank accounts, your banking passwords ... So all of this starts to come together."

Pethia next hit on the rise of the Cyber-Mercenary in the mid-2000s: "People who will create a botnet for you, if you don't want to buy it, you can rent it; they will create special viruses or worms for you, they will give you a money back guarantee that at least for some period of time those viruses and worms will not be detected ..."

Moving on from the mid-2000s, Pethia pointed to a "growing electronic crime infrastructure." (Shadowcrew, e.g., had 4,000 members, buying and selling credit card numbers, e-mail accounts and other personal ID documents.) He also touched on cyber-extortion and the growth in identity theft (he skipped over phishing, since another panelist, Jason Hong, would be addressing it specifically) and links to terrorist activities. He concluded by highlighting some significant attacks on U.S. Defense Department (DoD) computers in 2007, as well as attacks against the Defense industrial base (e.g., the breaching of a U.S. fighter jet project) in 2009.

Pethia's presentation was a compelling yet comprehensive tour-de-force journey in time, ranging from 1986 to the year 2010, and it provided an excellent framework for the rest of the panelists to work within.

(NOTE: Pethia's remarks begin 00:03:33 minutes into the video recording.)

Next, Paul Fischbeck, Professor of Social and Decision Sciences and of Engineering and Public Policy at Carnegie Mellon spoke on "Climate Gate: A Case of Hacking or Whistleblowing?"

Fischbeck's fascinating presentation focused on the inside politics of the climate science dispute that led up to the "Climate Gate" disclosures. In the course of his remarks, he identified the key players, shared insights on the contents of the e-mail, and offered a frame for the ethical and statistical issues behind the dispute.

Fischbeck also articulated some lessons learned for scientific researchers, stressing that the affair will have a "huge impact on science."

"All the Royal Societies have spoken very strongly against the procedures that were [revealed], saying you have got to be much more open than you have been."

"Blogs and the Internet, and sort of non-traditional experts," Fischbeck added, "are having a big impact on climate change."

Concerning whether or not this event was a hack attack or a leak, he said only, "It has not been determined yet, and it swings back and forth from week to week as to which is more likely."

(NOTE: Fischbeck's remarks start 00:16:16 into the video recording.)

From my point of view, the question is not necessarily an either/or, and the answer (if one is arrived at, or ever made public) may well include elements of both, or elements that could be interpreted as one or the other, depending upon your bias, or your interpretation of law, ethics, etc.

Take note, for example, of the scenario suggested in a recent Independent story on the affair: Climate emails hacked by spies: Interception bore hallmarks of foreign intelligence agency, says expert, Independent, 2-1-10.

Whether or not a state intelligence agency is found to be involved, considering this story broke on the eve of the global climate conference in Copenhagen, I would be surprised if a powerful commercial entity, or a related industry grouping, were not found to be pulling the strings, one way or another. (Of course, I would also be surprised if the involvement were ever revealed publicly.)

But to be clear, this is my view, not Dr. Fischbeck's.

Next, Dawn Cappelli, Senior Member of the Technical Staff in CERT, Software Engineering Institute, spoke on CERT's Insider Threat Research.

Offering a high-level overview, Cappelli started off with insights into some actual cases, including this story of staggering financial fraud:

"This guy we actually got to talk to in prison ... He was a foreign currency trader in a large financial institution. His bank thought they were making all kinds of money. He was the star. He was the greatest trader they had. After five years, they discovered he had actually been covering up almost $700 million in losses. When you think about the controls they have in the financial industry, the auditing, the separation of duties, it is pretty amazing that someone could actually get away with this. Since this case, there have actually been two more cases that were very similar."

Cappelli also gave a glimpse into the scope of the data that CERT's Insider Threat Research has collected (including 112 cases of sabotage, 129 cases of financial fraud, 132 cases of espionage, and 62 cases of intellectual property theft). She closed her presentation with a Summary of Best Practices, ranging from "Anticipate and manage negative workplace issues" and "Consider insider threats in the software development cycle" to "Track and secure the physical environment" and "Log, monitor, and audit employee online actions."

(NOTE: Cappelli's remarks begin 00:29:19 into the video recording.)

CyLab researcher Jason Hong spoke on "Phishing and Espionage." Hong is an Assistant Professor, School of Computer Science, Human Computer Interaction Institute, as well as one of the Co-Founders of Wombat Security Technologies (along with fellow CyLab researchers Lorrie Cranor and Norman Sadeh).

In his remarks, Hong outlined the ways in which phishing is increasing in sophistication: e.g., spear-phishing, which targets specific groups or individuals, using information about your organization or information specifically about you, such as fake e-mails from friends or fake videos of you built from publicly available information, all with the intent to install malware or steal your passwords.

Hong also discussed whaling, phishing focused on big targets, and cited an incident in which thousands of executives were targeted with what appeared to be official subpoenas from a U.S. District Court. He also noted that although there aren't too many documented cases so far, it is clear that the motivation for such attacks is no longer limited to petty cyber crime, but also extends to corporate espionage on behalf of competitors and nation states (and "not just China," Hong added emphatically).

In regard to what can be done to mitigate this threat, Hong cited a range of solutions, and stressed that all are needed in order to make a significant impact.

But again, you will have to view the video to learn more.

(NOTE: Jason Hong's remarks begin 00:39:35 into the video recording.)

Next was my presentation on the China-Google story.

To provide some context in regard to China's cyber activities over the last few years, I touched on nineteen open source stories related to economics, politics, intelligence and cybercrime, e.g.:

If you read Google's explanation about why it threatened to withdraw from China, you might think it's all about a recent Chinese cyber-attack and Google's anger over being made complicit in the persecution of human rights activists. But cyber experts and China hands alike point to a much broader issue: The Chinese government has adapted the tactics it has used for military cyber espionage for corporate purposes and is now using them on a wide scale. Foreign Policy, 1-14-10

MI5 has accused China of bugging and burgling UK business executives and setting up “honeytraps” in a bid to blackmail them into betraying sensitive commercial secrets … In 2007 Jonathan Evans, the director-general of MI5, had written privately to 300 chief executives of banks and other businesses warning them that their IT systems were under attack from “Chinese state organisations”. Times (London), 1-31-10

Such context is of vital importance.

For the last fifteen years, I have been telling information security professionals and executives alike that if they want to understand cyber risks & threats, they need to pay as much attention to the front page headlines of the Financial Times, Yomiuri Shimbun, Der Spiegel, the Asia Times, etc., as they do to patch bulletins, virus signature updates, and the IT security news media.

Industrial espionage has been subsumed by Information Age Espionage.

Tomorrow arrived yesterday.

It is not just how, but also who, why & when that you need to wrap your minds around. Cyberspace is no longer just a shadowy world in which bottom feeders take advantage of the naive or the reckless, it is a global arena of economic and geopolitical struggle.

(NOTE: My remarks begin 00:53:12 into the video recording.)

As you will see from the video record, our presentations were followed up with a lively Q and A with the audience.

Video Recording of ULS Panel: View online | Download

[NOTE: Viewers will need to have the Windows Media 9 player or higher to view this webcast. Mac users will need to download the flip4mac for QuickTime plugin from Microsoft.]

Sunday, March 21, 2010

A Caravanaseri at the Crossroads of Alternate Futures: A Report on the CyLab Silicon Valley Briefing

By Richard Power

As we hurtle forward into the 21st Century (a mere synonym for the Information Age), there is a profound challenge before us. Year by year, day by day, moment by moment, the importance of digital information and cyber systems increases in almost all aspects of human life; and likewise, the spectrum of related risks and threats deepens and broadens year by year, day by day.

Will we develop the 21st Century cyber security technologies and strategies required to cope with this runaway risk and threat matrix? Or will we continue to try and make do with 20th Century visions of cyber security and its digital thumb-in-the-dike approach? Which of these alternate futures will we find ourselves in at the end of the second decade of the 21st Century?

Recently, an impressive gathering was held at the Carnegie Mellon Silicon Valley Campus in NASA Research Park. The presenters were all CyLab researchers. The other participants consisted of CEOs, VPs, CTOs, CSOs and leading technologists from a range of companies from Cisco and Microsoft to WhiteHat Security and iSEC, along with regional representatives from the Federal Bureau of Investigation and the U.S. Secret Service, as well as Board of Directors members from the local chapters of the Information Systems Security Association (ISSA) and the American Society for Industrial Security (ASIS). The ultimate aim of the gathering was to push for the better of those two possible futures.

Attendance was RSVP, and by my personal invitation; there was no advertising for this event, no marketing, no hype. It was limited to 50 people, and the attendees were selected to provide a cross-section of concerns, knowledge, influence and experience. If you have been in cyber security for any length of time, you know there are many circles: the law enforcement circle, the security professional circle, the technical expert circle, the technology vendors circle, etc. It is at the points where these circles intersect that the most vital work is done. At the CyLab Silicon Valley Briefing, all of these circles intersected, and the dialogue that ensued was rich and rewarding.

Jeremiah Grossman, Founder and CTO of WhiteHat Security: "The speakers were highly informative and very qualified. Definitely good data to be had and I'm happy we attended. I personally learned several things. Even the audience was well qualified, which is not something one tends to find at smaller events."

Leslie Lambert, former CSO of Sun Microsystems: "The dialogue with the attendees was rich, as well. The event was very valuable and has the opportunity to increase the interactions between industry folks, government folks, and CMU folks. Good use of my time."

The theme of the event was "Harnessing the Future to Secure the Present," and the agenda highlighted four of CyLab's research thrusts: Trustworthy Computing Platforms and Devices, Software Security, Privacy Protection and Mobility. (Driven by over fifty faculty researchers, working with over one hundred graduate students, CyLab's program is organized around seven research thrusts and seven additional, cross-cutting thrusts.)

Adrian Perrig, CyLab Technical Director, spoke on "Building Secure Applications with Attestation."

"The problem I am going to address is how do we trust the computer we are currently using? How do I really know, as a human user? The goal is that we want to provide the user with strong security properties, such as execution integrity, data secrecy and authenticity.

"Virgil Gligor, CyLab Director, has coined the phrase Cyber-Secure Moments (© Virgil Gligor). So when you connect to your bank account, you want to have a Cyber-Secure Moment, you want to make sure that you have connected to the correct bank, that there is no man in the middle attack, no malware on your local system, stealing your credentials.

"You will also want to make sure that there are no transaction generators, that is one of the most recent attacks; malware is on your system, it waits for you to log in to your bank account, and as soon as you are logged in, it conducts transactions with your secure login. How can you make sure that none of these malicious activities are happening? So how can you live these Cyber-Secure Moments?

"But you also want to be compatible with existing systems ... we can't easily change all the hardware or change all the operating systems ... We also want efficient execution. There are some solutions, which people have proposed that would slow down your system ten-fold, but obviously we want performance.

"So ideally in the presence of malware, we can still perform secure operations ..."

Perrig went on to explore Attestation, a promising approach for building secure systems, based on the recent development of a Trusted Platform Module (TPM) by the Trusted Computing Group (TCG). In particular, Perrig highlighted four related CyLab projects, Flicker, XTREC, SecVisor and Lockdown, and demonstrated the role each can play in creating those precious Cyber-Secure Moments.
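To make concrete what "attestation" buys the user Perrig describes, here is an added example (not code from CyLab, Perrig's projects or the TCG) that simulates the core of TPM-based remote attestation: each boot component is measured into a platform configuration register (PCR) with the TPM extend operation, the TPM signs only its own PCR value together with a verifier-supplied nonce, and the verifier replays the event log and compares it against known-good measurements. The component images, the golden list and the nonce are constructed placeholders, and an HMAC with an assumed shared key stands in for the TPM's asymmetric attestation key; everything else follows the real extend-and-quote structure.

```python
import hashlib
import hmac

# Constructed boot components (placeholders for firmware, bootloader and
# kernel images); these are not real images.
BOOT_COMPONENTS = [
    ("firmware",   b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel",     b"constructed kernel image v1"),
]

# Assumed shared attestation key: a stand-in for the TPM's attestation
# identity key. A real TPM signs quotes with an asymmetric key whose
# private half never leaves the chip.
ATTESTATION_KEY = b"example-attestation-key-not-a-real-secret"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement)."""
    return sha256(pcr + measurement)


class SimulatedTPM:
    """Minimal model: holds one PCR and signs only its own PCR value."""

    def __init__(self, key: bytes):
        self._key = key
        self.pcr = bytes(32)  # PCRs are zero at platform reset

    def extend(self, measurement: bytes) -> None:
        self.pcr = extend_pcr(self.pcr, measurement)

    def quote(self, nonce: bytes) -> bytes:
        # Software on the platform cannot substitute a different PCR value here.
        return hmac.new(self._key, self.pcr + nonce, hashlib.sha256).digest()


def measure_boot(tpm: SimulatedTPM, components):
    """Measure each component before it runs; return the event log for the verifier."""
    log = []
    for name, image in components:
        digest = sha256(image)
        tpm.extend(digest)
        log.append((name, digest.hex()))
    return log


def verify_attestation(log, reported_pcr, quote_sig, nonce, golden) -> bool:
    """Verifier side: authenticate the quote, replay the log, compare to known-good values."""
    expected_sig = hmac.new(ATTESTATION_KEY, reported_pcr + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, quote_sig):
        return False  # forged quote, or a replayed quote bound to another nonce
    pcr = bytes(32)
    for _name, digest_hex in log:
        pcr = extend_pcr(pcr, bytes.fromhex(digest_hex))
    if pcr != reported_pcr:
        return False  # presented log does not reproduce what the TPM actually recorded
    if len(log) != len(golden):
        return False
    return all(golden.get(name) == digest_hex for name, digest_hex in log)


def run_scenarios():
    golden = {name: sha256(image).hex() for name, image in BOOT_COMPONENTS}
    nonce = b"verifier-nonce-0001"

    # Honest platform: log and PCR agree with the golden list.
    tpm = SimulatedTPM(ATTESTATION_KEY)
    log = measure_boot(tpm, BOOT_COMPONENTS)
    honest = verify_attestation(log, tpm.pcr, tpm.quote(nonce), nonce, golden)

    # Modified kernel, honest log: the verifier spots the unknown measurement.
    tampered = BOOT_COMPONENTS[:2] + [("kernel", b"constructed kernel image v1 + unexpected code")]
    tpm2 = SimulatedTPM(ATTESTATION_KEY)
    log2 = measure_boot(tpm2, tampered)
    modified_honest_log = verify_attestation(log2, tpm2.pcr, tpm2.quote(nonce), nonce, golden)

    # Modified kernel presenting the clean log: replaying the clean log does
    # not reproduce the PCR the TPM signed, so the mismatch is detected.
    modified_forged_log = verify_attestation(log, tpm2.pcr, tpm2.quote(nonce), nonce, golden)

    # An old honest quote replayed under a fresh nonce fails authentication.
    replayed = verify_attestation(log, tpm.pcr, tpm.quote(b"old-nonce"), nonce, golden)

    return {
        "honest": honest,
        "modified_honest_log": modified_honest_log,
        "modified_forged_log": modified_forged_log,
        "replayed_quote": replayed,
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The design point the scenarios illustrate is that the user's trust question ("how do I know this machine is clean?") is answered by a party outside the possibly compromised software stack: the verifier's decision rests on a value the hardware signed, not on anything the platform's software claims, and the nonce prevents an old good quote from being replayed.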

CyLab researcher Alessandro Acquisti (who rocked the world last year with his revelations on predicting Social Security Numbers) spoke on "The Economics (and Behavioral Economics) of Privacy." In his talk, Acquisti outlined the evolution of the economics of privacy, and highlighted some experiments investigating privacy valuations and decision making through the lenses of behavioral economics.

"Contrary to the assumption in much social science that people have stable, coherent preferences with respect to personal privacy, we find that privacy valuations and concerns are highly sensitive to contextual and non-normative factors, and even internally inconsistent. This research raises questions about whether individuals are able to navigate in a self-interested fashion increasingly complex issues of privacy, as well as information security."

CyLab researcher David Brumley spoke on "Safe Software and Systems."

"A major focus of my research is developing techniques for protecting vulnerable applications when the program is only readily available as binary (i.e., executable) code. Since most programs are available in binary form, and binary-only analysis does not require cooperation of the source code vendor, this line of research is likely to impact a wide audience."

Brumley described two new security applications of binary code analysis: "automatic patch-based exploit generation, demonstrating how binary analysis can be used to automatically generate exploits based upon patches released from Windows Update, allowing attackers to create new exploits before all vulnerable hosts can receive a patch, and automatic input filter generation, which offers a way to defend against exploits by automatically generating input filters."

After a delicious Middle Eastern buffet luncheon, abuzz with dialogue spinning off the morning's presentations, there were three more sessions.

Martin Griss, Director of the Silicon Valley Campus and the CyLab Mobility Research Center (MRC) spoke on "Creating a Truly Mobile Companion."

Griss' research is focused on the vision of a mobile device, with an integrated suite of applications on the device and services in the cloud and on telecom infrastructure.

"It must be context-aware. It must understand where I am, and what I am doing. It must be adaptable and able to learn, so that I do not have to repeat the same things over and over again. Machine-learning ...

"It should be pro-active; it should do things for me, but it shouldn't constantly do things for me or to me; so it should be considerate. So we are trying to define what it is to be a proactive but considerate system. There is this balancing act between too helpful and not helpful enough.

"It must be secure and private, of course. Because as people use it for more and more things, and as you carry it more and more of the time, it knows more and more about you.

"It must be social; it must interact well with me and others as well as with other devices and with the social networks. It should be a device that recommends, reminds and advises. The obvious example is having turn by turn driving instructions on your phone, but we can do much more than that.

"And it should act for me, when needed. So, in extreme cases, I tell it to do something, and then I go off and do something else, while the phone, or the phone and the services are doing things for me, it will negotiate in the background. So when I would like to make a meeting, I would rather not go poking around on my calendar, I could just tell it 'meeting with my friends,' and at some point later it would say, 'meeting with your friends.'"

CyLab researcher Collin Jackson spoke on "Securing the Web Platform."

He outlined his work on Browserscope, an ongoing collaboration with browser vendors to improve browser encryption, defend against the most common web application vulnerabilities, and develop building blocks for securing third-party advertisements and applications; Browserscope has been deployed in many of the world's most popular browsers, including Firefox, Google Chrome, and Safari.

Patrick Tague spoke on "Guaranteeing Availability and Reliability in Mobile Wireless." He delivered an overview of issues related to availability and reliability of service in mobile wireless networks, and presented a variety of vulnerabilities and attacks of interest at the network layer and below, including interference and jamming by external adversaries and data- and control-plane routing attacks by internal adversaries.

Perrig and Brumley flew in from Pittsburgh, PA, where the main campus of Carnegie Mellon University is located. Griss, Jackson and Tague are based at the Silicon Valley Campus. Underscoring the bi-coastal nature of Carnegie Mellon's program, Acquisti spoke via video conference from the Pittsburgh campus.

As the host of the event, I was delighted that the level of engagement between the presenters and the attendees was so genuine that I had to cut off the Q and A at the end of every session to keep the event on track.

Indeed, "Harnessing the Future to Secure the Present: A CyLab Silicon Valley Briefing" was a compelling re-affirmation of academic research's vital role in helping us choose the better of the alternate futures that stretch out before us, i.e., the one that demands 21st Century responses to 21st Century challenges.

Friday, March 5, 2010

RSA 2010: Lost in the Cloud, & Shrouded in the Fog of War, How Far Into the Cyber Future Can You Peer? Can You See Even Beyond Your Next Step?

The Rosetta Stone Photo Credit: Hans Hillewaert CC-SA-BY-3.0 (Theme of RSA 2010)

RSA 2010: Lost in the Cloud, & Shrouded in the Fog of War, How Far Into the Cyber Future Can You Peer? Can You See Even Beyond Your Next Step?

By Richard Power

Some final observations on RSA Conference 2010:

The presentations I wanted to get to, but couldn't, because of time constraints: "Local is the New Organic - A Bottom-Up Model for Information Sharing," in which Michael Hamilton of the City of Seattle introduced a model for the automated collection of security event data from public and private entities across a metropolitan area, and "Crowd Sourcing Fraud and Abuse Detection," in which Lee Holloway of Project Honey Pot presented early success in breaking down barriers and facilitating the free flow of abuse information between organizations. I hope that even today we live in a world that still allows for the possibility that such ideas can be propagated and exploited for the good of the many as well as the few.

The more and more I hear about the Cloud, from the C-level ("C" for Cloud as well as "Chief") keynoters, the more and more I wonder just where it is we will find ourselves as we migrate lock, stock and barrel into the Cloud (and make no mistake about it, that is where we are all going, or at least that is where most of our IT infrastructure is going).

What are the implications, beyond the obvious security issues? (Indeed, for some enterprises, security in the Cloud will be better than what they have on their own.) For example, will all of us find ourselves enveloped in a billowing Cloud so thick it will trump Net Neutrality?

And what about the security and privacy established inside that billowing Cloud, and guaranteed by a cluster of major corporations and massive law enforcement agencies? Will it protect you and me from everyone and everything except (perish the thought) ethically challenged corporations and misdirected law enforcement agencies? Don't get me wrong. We are all going into the Cloud, like it or not.

I just hope you keep one eye on the exits, and remember where everything is (or was) outside that Cloud.

I have covered the RSA Conference annually since the early 1990s. I remember when it consisted of a couple of meeting rooms, at the Sofitel Hotel, crammed with cryptographers and a few developers. Then it became an e-commerce conference disguised as a security conference. Then it became the defining event of the year for the IT security sector. And now, it has become something even bigger; it has become a cross-roads for whole industries, and for government and business, and a window on cultures (corporate, institutional and popular). Swirling in the din that rises up from this Barnum & Bailey production, you can detect intermingled strains of music that are both disturbing and inspiring.

After four CyBlog posts (one for every day of the conference), and over 60 tweets, I will close with a few brief excerpts from a presentation on "Wired for War: The Robotics Revolution and 21st Century Conflict," delivered by Dr. Peter Warren Singer, a Senior Fellow and Director of the 21st Century Defense Initiative at the Brookings Institution.

Dr. Peter Warren Singer, Brookings Institution: There is something big going on in war today, and maybe even in the overall history of humanity itself. The US military force that went into Iraq in 2003 had a handful of drones ... we now have over 7,000 in the U.S. military inventory. The invasion force on the ground utilized zero unmanned ground vehicles, we now have over 12,000 ... This year, the U.S. Air Force will train more unmanned systems operators than it will train manned bomber and manned fighter plane pilots combined ... These Predators, [etc.], are the first generation, they are a lot like the Model-T Ford or the Wright Brothers Flyer ... very soon it is not going to be thousands of robots as we use in our war today, it is going to be tens of thousands ... One of the things that you are familiar with, of course, is Moore's Law: the idea that we have been able to pack far more computing power into our micro-chips, such that they just about double in their power capacity just under every two years. Moore's Law, in action, is the reason that if you have ever gotten one of those Hallmark Greeting Cards that opened up and played a little song, you held in your hand more computing power than the entire U.S. Air Force had in 1960 ... Now if Moore's Law holds true, over the next twenty-five years, our systems, our computers and our robots will be over a billion times more powerful than today ... literally ... What if Moore's Law doesn't hold true? Yeah, it has held true over the last forty years, but there is no guarantee that it is going to hold true over the next twenty-five. What if it only goes one one-hundredth as fast? Well, that would mean that our computers and our robotics [would be a] mere million times more powerful than today ... The kind of things we only used to talk about at Science Fiction conventions, like Comic-Con, need to be talked about by people like us here, and at the Pentagon. We are living through a robotics revolution.

Recent history offers some compelling evidence for the reliability of Moore's Law. Unfortunately, spanning the entire history of human consciousness, there is scant evidence that our collective common sense or our collective conscience will increase in sufficient depth to keep up with the demands that have already long since overwhelmed their existing capacities.

So, lost in the Clouds, shrouded in the Fog of War, how far ahead of your next step are you able to peer?

Here is a summary of CyBlog posts from RSA Conference 2010, in chronological order:

RSA 2010: Lifestyle Hacking -- Notes on "Social Networks & Gen Y Meet Security & Privacy"

RSA 2010: Hacking the Smart Grid -- Myths, Nightmares & Professionalism

RSA 2010: Merging Mind & Machine - Hacking the Neural Net

RSA 2010: Lost in the Cloud, & Shrouded in the Fog of War, How Far Beyond Your Next Step Are You Able to Peer into the Cyber Future?

See also RSA Conference 2009: Summary of Posts

Wednesday, March 3, 2010

RSA 2010: Merging Mind & Machine - Hacking the Neural Net


We are developing an encyclopedia of the brain, neuron by neuron ... Dr. John P. Donoghue, Brown University

RSA 2010: Merging Mind & Machine - Hacking the Neural Net

By Richard Power

On Monday, at the I.S.S.A. CISO Executive Forum, I delivered the current iteration of my Executive Intelligence Briefing. I update it quarterly, and have delivered it in forty countries, over the last 15 years. The 2009-2010 theme is "Starting Over After A Lost Decade: In Search of A Bold New Vision of Security." The CISO Executive Forum presentation was the fifth time I have delivered this version.

In the current iteration, I continue to track the evolution of the five areas of concern that I started with: i.e., E-Commerce Crime, Information Age Espionage, Infrastructure Attacks, Personal Cyber Insecurity. But, in addition, I articulate five new areas of concern: IT supply chain insecurity, virtualization and the Cloud, Corporate Governance, Climate Change, Sustainability and Cyber Security, and Being and Consciousness in Cyberspace.

The last of these, "Being and Consciousness in Cyberspace" is an exploration of some philosophical issues from what "the Wisdom of Insecurity" and the theory of the "Biocentric Universe" can offer us in terms of perspective, to the existential implications and security consequences of the merging of human and cyber, a radical transformation which is happening at a far more accelerated pace than most of us realize.

At the ISSA CISO Executive Forum, as elsewhere, the responses registered in attendees range from bewilderment to a deep grokking.

So I smiled when I saw that the last keynote session, at the end of the second day of RSA, featured Dr. John P. Donoghue, Director of the Brown Institute for Brain Science, Brown University, and his work on "connecting the internet to the brain," i.e., "hacking the neural net."

Why would we want a sensing neural interface system? Well, the principal answer (at this point in time) is to transform the lives of people paralyzed by disease or injury.

Five paralyzed people were implanted with BrainGate in a pilot project.

In his powerful presentation, Dr. Donoghue answered these questions:

Can motor intention activate neurons after long-standing paralysis? Yes.

What area of the brain? "Primary Motor Cortex/Arm."

What signals are there to read? "FP and Spikes."

How are these signals decoded? "Neural patterns in the Spikes become control signals."

Donoghue showed how researchers could listen to one brain cell of a patient, as the patient imagined opening a hand (active) and then closing a hand (silent).

What technologies are involved (and evolved) in this research?

Donoghue showed a video of a paralysis patient using the brain to move a computer cursor to open e-mail, & then draw a circle. He also showed a video of a paralysis patient controlling robotic "assistants."

The Brown Institute team is working on a version of BrainGate with wireless, fully implanted sensors.

Such neural output, it is projected, will be used not only to assist paralysis patients, but to replace the limbs, and even to restore movement in limbs.

Referencing TV Sci-Fi, Donoghue illustrated how BrainGate was now somewhere between technology imagined in Star Trek and technology imagined in Star Wars.

"Neurotechnology," Donoghue remarked, "is already here." He cited some examples: electronic stimulation used to "turn off" Parkinson's Disease, as well as bionic ears to restore hearing, and a bionic eye to transmit some imagery to the brain.

BTW, I was inspired when Donoghue showed a slide juxtaposing an image of the human brain with a mapping image of the internet, because my briefing starts with a slide juxtaposing images of the earth from space with a mapping image of the internet. Yes, I will soon be juxtaposing all three images in the next iteration of my briefing.

Now, we are getting somewhere ...

After Donoghue's dazzling presentation, he sat with Ari Juels of RSA Laboratories to answer some compelling questions.

Here is just a brief excerpt:

Ari Juels: BrainGate restores lost capabilities to patients who are suffering from a dysfunction, but as you have shown it is possible to control more than just artificial limbs, you showed, for instance, the ability to control a cursor. Can you envision a day when healthy patients have implants of this sort, to supplement their functionality in the world, implants that help people stick to their diets, or control devices for a third arm, or something along those lines?

Dr. John Donoghue: There are many people who think about these things, and who want to be able to extend their capabilities. This is a medical device. We are trying to develop something for individuals who have disabilities, to make their lives better. The biggest barrier is that this does require brain surgery. We don't take that lightly. It is something that always raises a concern. Where we go with this, and how we use it will require serious debate and discussion. But, as I said, I think the barrier will always be the surgical one. We will not in any cavalier way, implant able-bodied people to have frivolous functions. On the other hand, we have many things already available to us that are aids, we have smart phones that we carry around with us that are substitutes for our memories, we have many, many devices; so it would have to be clear that at some point we would outstrip all of the available external technology before we begin to think about enhancing ourselves by implanting something in the brain.

Juels: Have you in fact been approached by industries, or companies, or government agencies that are hoping to exploit BrainGate for purposes other than the strictly medical ones?

Donoghue: I would say "exploit." I mentioned this EEG-like signal that is available from outside your head. There are a lot of people interested in how much control you can get from that. It is, in fact, a very noisy and hard to manage signal. And it is not very reliable. There are a lot of people who are interested in seeing that signal be as good as the one that you can get from inside your head ... One place where there is a lot of interest is in the toy industry ...

Well, I am going to leave it there.

There are profound implications for security and privacy.

First, the network perimeter vanished, as the internet popped up inside the enterprise, and vice-versa; and now, both the network and the internet are vanishing into the Cloud. What's next? Will Being and Consciousness vanish into the Cloud, or will the Cloud vanish into Being and Consciousness? The answer to that either/or question is, of course, a very Zen "Yes."

Stay tuned ...

RSA 2010: Hacking the Smart Grid -- Myths, Nightmares & Professionalism


NOTE: What do we mean by smart grid? Speaking on "Investing in Our Energy Future" at a Gridweek event on 9-21-09, Secretary of Energy (and Nobel prize winning physicist) Steven Chu offered a worthy definition: "Dynamic optimization of grid operations and resources. Incorporation of demand response and consumer participation." (For your convenience, I have embedded Secretary Chu's full presentation at the end of this post.) Ah, but what about its security?

RSA 2010: Hacking the Smart Grid -- Myths, Nightmares & Professionalism

By Richard Power

The implementation of Smart Grid is in the vital national interest of the U.S., and all other industrial (and post-industrial) nations; it is vital both in terms of energy security and climate security, which, of course, means Smart Grid is also vital to economic security.

Any nation that wants to compete in the 21st Century needs Smart Grid. Indeed, any nation that wants to survive in the 21st Century needs Smart Grid.

In framing the issue for this RSA 2010 session on "Hacking the Smart Grid," Gib Sorebo of SAIC (one of CyLab's corporate partners, BTW) cited several Smart Grid drivers, most notably resiliency and reliability and reduction in carbon emissions, as well as several Smart Grid challenges, including the integration and distribution of renewables, the complexity of transmission networks, how to eventually provide infrastructure for electric vehicles (hopefully much sooner than later), and yes, what to do in regard to cyber security.

A smart grid, after all, is not necessarily a secure grid.

Smart grid is full of innovation, and it is being designed and implemented swiftly (or certainly should be), and innovation and urgency only tend to exacerbate security issues.

Furthermore, the issues swirling around the cyber security of power grids, whether legacy, smart or in transition, have shifted from the theoretical to the down and dirty. A decade or so ago, talk about attacks on the power grid was mostly speculative, but a decade ago, well, that was a century ago.

Some incidents have even ended up in the headlines:

In a rare public warning to the power and utility industry, a CIA analyst this week said cyber attackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities. Washington Post, 1-19-08

A power failure has blacked out Brazil's two largest cities and other parts of Latin America's biggest country for more than two hours, leaving millions of people in the dark after a huge hydroelectric dam suddenly went offline. All of neighbouring Paraguay also lost power, but for only about 20 minutes ... The blackouts came three days after the CBS's 60 Minutes news programme in the US reported that several past Brazilian power outages were caused by hackers. Guardian, 11-11-09

So what is really happening in the space of Smart Grid cyber security?

The RSA 2010 panel Sorebo moderated consisted of Matthew Franz, Principal Security Consultant, SAIC, Matthew Carpenter, Senior Security Analyst, InGuardians and Seth Bromberger, Information Systems Security Manager, PG&E.

For those of us who have firsthand knowledge of the decade-long struggle to promote critical infrastructure protection for existing systems, these few brief excerpts from their discussion offer a tantalizing, but humbling glimpse into this profoundly promising, yet clearly perilous undertaking glibly dubbed Smart Grid:

Seth Bromberger, PG&E: The research being done on security in these components is not necessarily new. We are talking about encryption, key management, strong authentication. These are not new concepts. The devil is in the implementation. Where you have vendors, manufacturers and product developers taking short-cuts, or implementing poorly, that's where we are finding these vulnerabilities ...

Matthew Carpenter: We need pen-testing out of everybody. That doesn't mean everyone in the audience should go disassemble our firmware and look for buffer overflows. But there are so many different layers in this very complex system, and sometimes we just need critical thinking done about how we implement x, or whether this is a great feature to have. For instance, some utilities are thinking about having [an automated process by which] a person's credit report could impact whether or not that person can actually have power. This may not be the smartest choice to have automated throughout the system, without checks and balances in place. But it is actually something that has been pushed forward as a To-Do. So I can break into meters using this technology, but what about the guys who can influence credit reports? Or how about getting in between the communication of these credit reports? How can I manipulate the system? So we need everyone in the entire implementation of Smart Grid to be thinking critically about how this could be abused. If I turn on this security protection, how could it be abused to cause more damage? How do I turn on anti-tampering technology in this device? OK, now what? So if I have anything higher than a 1.0 on some scale, I just shut down my entire neck of the woods? OK, maybe not the best bet. We need critical thinking done by everyone who has purview into the system, and good communication of "Well, maybe this isn't such a good idea." We need to open up that flow of communication.

Gib Sorebo, SAIC: For a long time, the [utility] industry has had a reputation of being tight-lipped about incidents, even about vulnerabilities that have been discovered (and, of course, it is not the only one). There have been a lot of bad feelings, recently, about some disclosures related to meters, people were branded not as terrorists, but it was almost that kind of thinking; in other words, "You guys are destroying the industry by revealing information about these vulnerabilities." And then we have the issue of everyone complaining that incidents are never reported to the regulators, or to the industry, or to whatever. Is there a middle ground? Obviously, we do not want to disclose vulnerabilities right away for an infrastructure that takes a long time to change, but where can we go with that?

Matthew Franz, SAIC: I am still kind of traumatized by my involvement with the disclosure of some SCADA vulnerabilities. Speaking of [being called] terrorists, I remember a utility software vendor that ... I gave a case study back in 2006 about some ... protocol vulnerabilities that I worked through the CERT process ... To paraphrase, what I was told was that by telling US CERT, i.e., giving them the details, and how to reproduce it, etc., and having US CERT release an advisory, we were arming the terrorists ... Just as a bellwether of where we are, I went to four or five of the leading meter AMI vendors this morning, and I looked for their /security site. The kind of site that Microsoft and Cisco and others have, in terms of how you go about reporting vulnerabilities, and only one of these meter vendors had the contact information, the GPG keys, etc., and that is the first step if that researcher wants to do the right thing, to get a hold of these vendors, and there is no way to do that ... The level of transparency you have is far less than Cisco or Microsoft ...

Matthew Carpenter, InGuardians: We have to be more cautious than a Microsoft vulnerability disclosure. If you know me, you have probably heard me talk about responsible disclosure being a communication mechanism for vulnerabilities, but also a way to keep vendors in line. For IT, I think that makes a lot more sense. We have to be more cautious because of the impact in this arena. But we need to have fluid motion for our vulnerability research, we need to have a way to disclose to a vendor that there is an issue. We need to be able to have discourse throughout the utility space, so that affected customers have an early warning, "Hey, something's up, we've got a fix that's in the works, but just to give you some warning, when this comes out, you need to put it into test immediately, and in a certain amount of time, roll it out ..." I remember hearing a vendor say, "Think about thirty days." I said, "That seems a little long, but if you get a vulnerability notification, and within thirty days you have a fix out, well, you're better than Microsoft." But no, thirty days was actually the number to push out the patch from the time they clicked the button. "Whoa," I said, "we have some problems in our viewpoint into vulnerability handling." Disclosure needs mechanisms ...

Seth Bromberger, PG&E: You talked about making sure that the affected customers are made aware of the vulnerability. I am all for knowing ... The challenge that we have is that the lines dividing customers and non-customers are very blurry when it comes to things like critical infrastructure. I could see an argument that anyone who consumes power is a customer of the vendor whose control systems help deliver that power. From a utility perspective, I would say that the utilities are probably the customer base that the vendor would be beholden to. So when we talk about disclosing vulnerabilities ... to what end is the researcher disclosing, is it to feed ego? If so, that is probably not the most responsible way of doing it. Sending out on one of the public lists, information on a zero-day in a control system handling power or manufacturing is probably not the best way [to reach] people who are going to be impacted by it. And someone could argue that everyone is impacted by it, but I would challenge [by saying] that the average power consumer doesn't have any ability to effect the change and necessary remediation in those systems. So there are mechanisms [to get] the word to the right people, and again, I would say from my perspective, knowing about it is better than not knowing, so if the only way to get it out there is full disclosure, well, if it is actionable, I can take action, if I don't know about it, I can't do anything, and we can't pressure the vendors to fix it. But ultimately the utilities are in the position here of being the consumers of the product, and not necessarily the manufacturers of the product, and so the leverage we have is as a paying customer ... But it also puts us at a little bit of a disadvantage in that we need to be able to have the influence with our vendors to actually effect this change. We can't do it by ourselves.

Tuesday, March 2, 2010

RSA 2010: Lifestyle Hacking -- Notes on "Social Networks & Gen Y Meet Security & Privacy"


When e-mail was just starting to be introduced in the workplace, I was a summer intern at IBM, before I went to graduate school, and you couldn't send anything outside of IBM, and there was a lot of struggle about whether or not to allow it. Now we are just seeing the exact same thing repeating. -- Avi Rubin

People have been looking at social networks and crowds and how they reinforce productivity ... People who are on social networks are more productive, make better decisions, and have many advantages over those who are not. -- Kimberly De Vries

RSA 2010: Lifestyle Hacking -- Social Networks & Gen Y Meet Security & Privacy
By Richard Power

After a long morning of heavy hype and lofty notions at the RSA 2010 keynote sessions (see my 33 tweets from inside), I went looking for something to sink my teeth into. And therefore, not surprisingly, I drifted toward "Social Networks & Gen Y Meet Security & Privacy," a panel organized by the worthy IEEE Security and Privacy.

The panel was moderated by Gary McGraw, CTO, Cigital, and included Kimberly De Vries, Assistant Professor, CSU Stanislaus, Avi Rubin, Professor, Johns Hopkins University, James Routh, Consultant, Archer Technologies and Gillian Hayes, UC Irvine.

Whatever Gary has his hand in is going to be refreshing, yet relevant, timely and yet ahead of the curve. This session was no exception.

He led off by having his panelists role-play in two little skits, both entitled "Pursuit of Productivity."

The first skit depicted a meeting between an H.R. Director, a CISO and a Chief Operating Officer.

The COO remarked that there seemed to be some sort of generational gap, but that there was no way the enterprise could allow employees to fritter away time on social networking, declaring, "we need to focus on productivity."

The CISO showed the COO an analysis of recent security incidents, showing that they had increased dramatically, and that most were from the inside, because employees were seeking to by-pass the enterprise's controls to use social networking sites.

The COO responded, "Well, just tell me their names and we will fire them."

The HR Director then showed the COO results of studies that showed loosening up policy might make people more productive, as well as the results of focus groups that showed that in order to attract and hold on to the best candidates we have to update our current policy.

The COO remarked, "I never thought I would see the day when the security geek would propose loosening up policy, I will have to think about this ..."

In the second skit, the HR Director was depicted in a meeting with two employees who were both really outspoken about the need to access social networking, one from Sales and one from Technology.

The Sales person said, "I have over 600 contacts on LinkedIn."

The Technology person said, "On the product development team, if you don't keep up forget it, social networking is how I keep in touch with my peers and gurus."

The Sales person said, "I cannot be productive unless I clear my head with tunes on YouTube."

The H.R. Director asked what percentage of their social networking was business as opposed to purely social.

The Sales person said, "It is very hard to compartmentalize between social and business."

The H.R. Director insisted, "I will need a percent for the form."

The Technology person answered, "LinkedIn: 100% business, 30% social."

The Sales person said, "Here's a percent: if LinkedIn and Facebook are banned, it is 100% certain I am going to quit; well, let's say 90%. Yes, I have 600 contacts, and there's a 90% chance that one of them will hire me."

These two little skits really do capture the essence of a great upheaval going on inside the enterprise over how best to tap into the power of social media without it turning into a well of woe.

Here is some of the insightful commentary from the panel discussion that followed.

Gary McGraw: Do controls encourage breaking rules? Is hacking around controls a gateway drug?

James Routh: It is not a gateway drug; it is more of a manifestation of a convenience factor. The generation that is coming out of school and into corporate America brings certain expectations to work, so to them, hacking around policy is trivial; it is not like crossing a line in their minds.

Gary McGraw: How do you define productivity? How do you balance maximum productivity against tools that do genuinely cause productivity loss?

Gillian Hayes: I am doing a lot of work with public schools, and what we see is this emphasis on 21st Century skills; what that means is solving problems creatively, and often that involves using technology, and it involves a sort of mash-up culture that kids have, i.e., grabbing bits and pieces of information, grabbing different services, bringing this all together, using your social network, etc. This is explicitly how we are teaching kids to solve problems when they are in school. It is probably a really good way to teach kids to solve problems, but we then put them into a very different environment. We take all those tools away, and say work inside this little sandbox. This is not a generation of people that is prepared for that. At the same time, what we are teaching them about information is "keep all your data private all the time." This is the abstinence-only model of teaching kids about security and privacy. So we have a real tension in which we are not teaching kids to make these decisions intelligently. Kids are taught very early: "Hide all the crazy things you're doing, but do them so that you can solve the problem."

Gary McGraw: Is there a parallel to the history of phones in the workplace?

Kimberly De Vries: Actually, there is a parallel to almost every new technology. Even if you go back and look at the introduction of writing, it was felt that if people learned to write, their memories would suffer, they wouldn't be able to focus. Plato complained about it. People used to memorize everything, they used to be able to listen, people could remember; but if you can write things down and have that crutch, your brain is going to turn to oatmeal.

Avi Rubin: I have three elementary-school-aged children. I look at social networking and all the cool things you can do on-line, and say, "How cool is that, I can google this, and my GPS can tell me where I am ..." But my kids know no other world. If we go somewhere my son will tell me to pause the TV because he has to go to the bathroom. And I have to tell him, "we can't pause this TV, it's not one of those TVs." They use this stuff all the time. They live it, they breathe it. My son was using some video game that they play on-line; he knows how to get there, I don't ... He's seven years old. He created a user account. I overheard the conversation between my eleven-year-old and my seven-year-old. "Well, I need a user account and a password." And my daughter says, "Well, don't use the same password that you use for other things, like your e-mail." "Well, how am I going to remember it?" "Here's what I do: have a good password, and then find something from that site and combine it together, and if you go to another site, do the same thing with something from that site ..." I can't believe I am hearing my kids talk like this; they live in a completely different world.
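The per-site password scheme Rubin's daughter describes deserves the practitioner's caveat. Below is an added example, not from the panel or from anyone on it: the concatenation scheme as described, beside a variant that derives the per-site password from the base secret with a key-derivation function, so that a leak of one site's password does not hand an attacker the base secret or the pattern. The base secret, site names and counter are constructed for illustration; `derived_site_password` is my own helper, not anything the panelists proposed.

```python
import base64
import hashlib

# Constructed sample secret for the demonstration (not from the panel).
BASE_SECRET = "correct horse battery staple"


def naive_site_password(base: str, site: str) -> str:
    """The scheme as described: a good base password plus something from the site.

    Every site password contains the base verbatim, so one leaked site password
    reveals the base and the pattern for every other site.
    """
    return base + site


def derived_site_password(base: str, site: str, counter: int = 0,
                          length: int = 20, iterations: int = 100_000) -> str:
    """Per-site password derived with PBKDF2-HMAC-SHA256 keyed by the base secret.

    The site name is canonicalised (trimmed, lowercased) so that 'Example.com '
    and 'example.com' produce the same password, and a counter lets one site's
    password be rotated without changing the base. The output is URL-safe base64
    truncated to `length` characters; the base is not recoverable from it without
    an offline guessing attack against the PBKDF2 rounds.
    """
    salt = f"{site.strip().lower()}/{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", base.encode(), salt, iterations, dklen=24)
    return base64.urlsafe_b64encode(key).decode()[:length]


def base_recoverable_from_leak(leaked_password: str, base: str) -> bool:
    """Can someone who sees one leaked site password read the base straight out of it?"""
    return base in leaked_password


if __name__ == "__main__":
    for site in ("example.com", "mail.example.org"):
        naive = naive_site_password(BASE_SECRET, site)
        derived = derived_site_password(BASE_SECRET, site)
        print(f"{site:18} naive={naive!r:40} base visible: {base_recoverable_from_leak(naive, BASE_SECRET)}")
        print(f"{site:18} derived={derived!r:38} base visible: {base_recoverable_from_leak(derived, BASE_SECRET)}")
    # Rotating one site's password leaves the base and every other site untouched.
    print("rotated:", derived_site_password(BASE_SECRET, "example.com", counter=1))
```

The derived form still stands or falls on the strength of the base secret: a leaked derived password gives an attacker a PBKDF2 target to guess against, which is why the iteration count is high and a slower memory-hard function (scrypt or Argon2) would be the choice in practice. It also cannot satisfy a site's arbitrary composition rules without extra logic, which is one reason a password manager with random per-site passwords is the usual recommendation over any derivation scheme.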

Yes, I have been doing a lot of thinking, writing and speaking about the state of security and privacy, and where we are going in the future. And I have come to the conviction that the very nature of security and privacy must change radically to prevail, and that our best hope for this is the next generation, and the generation just beyond them. It was good to hear a similar sentiment echoed in the remarks of the panelists, particularly Hayes and Rubin.