The Internet Has No Security Architecture: Public Key Infrastructure And The Road To Secure Online Spaces
Dammit, dammit, dammit!
Photo credit: Nelson Syozi
I spent a good part of last summer on national radio shows trying to alert people to what is happening to our information infrastructure. Time after time, the hosts would implore me with "Please tell our listeners what they can do today to protect their computers. What virus and spyware protection software and firewalls and other security widgets should they buy with their hard earned cash in order to make their world safe once again?"
Time after time, I would try to be polite while giving my answer: "Nothing you can purchase will protect you, your computer, your family and the information and communication infrastructure on which you increasingly depend. If we are to have any hope of security, of quiet enjoyment in our online world, we must all start thinking about our information facilities as we think about our physical facilities."
Well, now the hard facts are starting to show just how bad the situation has become.
On March 13, 2005, in a paper entitled Know your Enemy: Tracking Botnets, the Honeynet Project & Research Alliance published for the first time (that I know of) the results of a fairly comprehensive analysis - not an analysis of what worms and viruses are out there and how prevalent they are but what kind of network are they constructing.
Yes, that crud that your child picked up while visiting a game or music site does more than slow down your home computer. It makes your computer part of a network on top of the Internet, a kind of criminal intranet. Here are the conclusions arrived at by the respected researchers at The Honeypot Project:
"Our research shows that some attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon. Since botnets pose such a powerful threat, we need a variety of mechanisms to counter it." The next paragraph concludes, "We are currently not aware of any botnet usage to harm military or government institutions, but time will tell if this persists."
Mainstream media is also finally starting to catch on.
The next day's (March 14) issue of Forbes featured an article entitled "Our Frankenputer", with the following text highlighted: "In security terms, the PC's design is a breathtaking kluge. Patches play a futile catch-up game."
Stories about rampant online identity theft and Web-based fraud are everywhere.
Those who have read my books and articles know that I can't let one of them go out without invoking a quote by the eminent cryptographer Taher Elgamal, who is responsible for the popular and effective SSL security protocol. When asked by a reporter from Red Herring magazine, "What's the biggest mistake people are making with their security architectures?" Elgamal responded: "The biggest mistake is that there are no security architectures!"
Whatever you do, please do not go on about your day thinking, "That can't be right, there must be a straightforward way to adjust various computers in order to protect myself, my family, my bank account, my health records, my community, my country's vital information infrastructures." Also do not think that the problem can be solved by more diligence on the part of information technologists.
It cannot.
We have big problems. They will get bigger. They will not be solved with more diligence or more hardware and software widgets.
Allow me to illustrate with a not-so-strained metaphor.
Imagine that all your personal and professional information and communication facilities sit in the center of a doughnut-shaped pile of construction materials. Both, in turn, are situated in a rest area alongside a busy highway.
You want to know whether your information and your email communication are secure, so you ask a security expert: "Are my files and my communications secure in the center of that pile of stuff?"
He examines the pile, goes away and comes back with a box containing more stuff. "You need this and this and this. First, this metal box is called an Intrusion Prevention System. This second item, this disk, has updates to your malware profiles. And this third item is a list of upgrades to the rules that govern the operation of your firewall." He tosses the metal box onto the pile, connecting its cords to those of other devices in the pile. He sticks the disk into one of the devices in the pile, then finds a keyboard and changes your firewall policies. "There" he says, "now you're as secure as you can possibly be!"
"How secure is that?" you ask.
But he's gone, leaving only an invoice that flutters in the gusts created by vehicles as they whiz by on the highway.
How can we as a worldwide economic culture have invested trillions of dollars in information technology and have ended up with stuff that doesn't provide elementary security and manageability?
The answer this time is the same as the answer twenty-five years ago.
When personal computers were new, we didn't know what to ask for. Vendors had carte blanche in setting our expectations, using interfaces and formats and standards to manipulate our information appliances to their own advantage.
We didn't know what to ask for then, but now we must learn. When a set of customers - in this case all the Internet users in the world - do not know what they can have, they once again get info-trinkets strewn before them, each one dazzlingly, seductively innovative - but few of them working together toward a secure and manageable total online resource.
Increasing parts of your life are sitting in the middle of a doughnut-shaped pile of construction materials - fairly good construction materials - in a rest area alongside a busy highway.
In many ways the center of that doughnut is where you live.
Let me recall the exchange with Taher Elgamal, because it perfectly captures the nature of the problem - and because it suggests the solution:
"What's the biggest mistake people are making with their security architectures?"
"The biggest mistake is that there are no security architectures!"
Well, [expletive], if what you're lacking is architecture, doesn't it make sense to seek out architecture? Shouldn't you call an architect?
If you were a bank president and woke up one fine day to realize your bank had a secure vault door but no building around it, who would you call? A bank vault door technician? You'd call an architect, wouldn't you? You'd say, "Please start designing a building! When you're done I will give the plans to a contractor, and only after the contractor is on board will the two of you start contacting the vendors of sheet rock and framing materials and door locks and alarm systems and vault doors."
Or would you call the vault door guy first and hope for the best?
Now, the trouble is, Elgamal is an optimist. Because not only are there no architectures, there are almost no architects.
If you ask an information technologist for an architecture, listen carefully because you will get a detailed, expert explanation of how to fit various construction materials together.
It is unlikely that you will get architecture.
In information technology circles "architecture" has come to mean something very non-architectural.
The good news is that, through a new way of doing things, we do in fact have the ability to meaningfully improve our physical and online security, to reduce threats to our privacy, and to make our quality of life much better.
The architectural approach begins with something called Public Key Infrastructure (PKI).
This is not a new message, and PKI solutions are far from new. PKI is based upon something called public key cryptography (PKC). Please don't let the word "cryptography" put you off - you don't need to know any mathematics to put it to use.
But while public key cryptography is dazzlingly effective and, when its keys are sufficiently long, secures and authenticates information 100 percent of the time in "laboratory conditions," PKI's reputation is one of disappointment.
Getting PKC applied and working in the real world via PKI is a task that simply defies the efforts of the technologists who try to tackle it.
It seems impossible to get the right people and servers and clients and other things deployed and updated and managed in such a way that PKC can actually provide to the real world the benefits of which we already know it is capable.
So, where do we go from here?
Let's start by examining that previous paragraph. PKI "defies the efforts of the technologists who try to tackle it."
The problem that PKI tries to solve - integrating a spectacularly good tool into every part of our lives that is touched by information and communication - is much bigger than the world of technology. It involves authority, trust, governance, communication habits, commerce habits, architecture, construction, and property management.
The technologists, in this case the cryptographers, have done their job well.
They have given us a wonderful building material. But is it also up to them to design, build and manage the facilities in which this material will be used?
Do we expect the guy who turns the tree into lumber to decide what kind of dwelling we need and draw up the plans? Drive the final nail? Install the wiring? Move our stuff inside and unpack it?
Until now, that is exactly what we seem to have expected from those who manufacture this remarkable public key construction material.
The result is exactly what we should expect: piles of construction materials instead of buildings.
Indeed, the very writings of the public key cryptographers and trust engineers decry the lack of things that others can easily provide.
For example, there is a way to build the identity portion of a well-designed PKI so that it actually accomplishes the long-sought goal of putting control of information about a person in that person's own hands. It will be a huge advance in the war against identity fraud and privacy erosion. But since the solution involves a mix of technology and law (existing law, no legislation needed) it tends to be overlooked by technologists.
Professions seldom step forward to proclaim the limits of their domain - the boundaries of that part of the world which they ought to control. Certainly I have never seen an information technology department head step forward to tell the CEO that she, the CEO, must make the ultimate decisions regarding the use of information technology, even though that is always the case.
Professions like to see their members grow in importance, authority, power, control, and income. Every profession thinks the world would be better off if its members were in control of everything.
Fortunately, the tendency of everyone else to understand how absurd that would be prevents it from happening.
We need to keep that bit of common sense in mind when it comes to information technology.
Why we as a culture stubbornly insist that we are technologically illiterate and therefore must allow information technologists to control the way technology is used - while we at the same time make good use of advanced technology in our daily lives - is a subject that some sociologist ought to get busy with.
But here we are not talking about an academic exercise.
The design and deployment of this one precious chunk of technology, this desperately needed thing called public key cryptography - PKC - and its transformation into a useful public key infrastructure - PKI - are far too important for us to continue shirking our duty under the guise of imagined incompetence.
PKI cannot be successfully deployed by technologists. Its composition and goals reach far beyond the scope of the information technology profession.
Who is then qualified to take the lead in the deployment of public key "buildings"? If you are qualified to tell an architect what you need in a home or office building or other type of building, then the answer is: you. Yes, we need qualified architects and many other professionals to make this happen, but it all starts with you.
When a building provides what its occupants need, a real estate professional will say that it provides "Quiet Enjoyment."
You don't need a security expert to tell you whether your home or office building provides you with Quiet Enjoyment. You do need to start demanding from them that same security - that same right to and degree of Quiet Enjoyment - in your online environments.
Note from the author:
Feel free to re-use and publish this (with due credit) as you see fit. You will of course wonder what's my angle, what am I trying to sell? I do have books and reports to offer, but I am not going to mention their titles or anything else about them here because I want the focus to be on the issues.
I have kids, and I want them to have a livable world to grow up into. I fear that if we don't do something soon, they will be facing crime and anarchy on a scale that is impossible for us to imagine.
Instead, I want my children and your children and their children to grow up in a world where it is reasonable to expect quiet enjoyment.
Sincerely,
Wes Kussmaul
blog comments powered by Disqus