Reactive vs. Proactive security


I attended the Institute for National Security Education and Research (INSER) Cybersecurity 2008 event at the University of Washington this morning, where I listened to a very interesting talk by Deborah Frincke called "On the Horizon: How Research in Cybersecurity is Changing and How it Remains the Same." While the talk covered a lot of ground, one particular topic sticks out in my mind.

Right now, research dollars and commercial products are focused on responding to the problems we have right now. Keep in mind that the issues that are current for defenders were hatched by the attackers days, weeks, or months ago. We basically have two tools in our arsenal that the bad guys made obsolete a long time ago -- signature-based defenses and attacking worm/bot command and control mechanisms. Research into "next generation" defenses is solving two-year-old problems, and there isn't a lot of funding looking even two years into the future, let alone five to ten.


Assuming that the research money magically appeared, there is one huge barrier to cross that comes to my mind -- the jurisdictional one. If we want to move away from reactive security and be proactive (bracketing for the moment the possibility of active response), what we need first is an intelligence gathering capability. There is a massive amount of raw intelligence data sitting out there; it's sitting in the logs of every server, firewall, and security appliance on the Internet. The problem is that each defender owns only a small piece of the puzzle.

If you're defending a piece of critical infrastructure such as, say, a sewage treatment plant, you can try and extrapolate the attack behavior, vector, and target systems from your own logs. Wouldn't it be easier if you had access to data from similar installations around the country? If one of your competitors had identified and defended against an attack (successfully or no), couldn't that serve as an early warning system to prepare your own defenses? Even a few hours advance warning is a huge improvement over the minutes or hours behind that is the current best-case scenario.

This is a political barrier, not a technical one, that needs to be solved. We definitely need some sort of framework for sharing this sort of intelligence with one another in a technically secure way that doesn't put other business interests (such as competitiveness) at risk.
