Digital Security, part XXI : the mouse gets bigger than the cat
We are digging our very own grave and, to a large extent, we keep at it in earnest: more than 5TB of data/storage per capita forecasted by 2020 – 1GB in 2015, more than 40 billion readily “connectable” devices – 10 billion in 2015, frenetic quests to provide ubiquitous IP connectivity – e.g. the SpaceX program, the integration of software-defined everything in our businesses and communication networks, the availability of “rentable” ultra-powerful compute and storage centers with embedded tools for data analytics and streaming… The very same technologies and IT/ICT strategies that make our lives comfortable are driving the cost of data, of its access, transport and manipulation, towards zero. Why is this outlook even a problem? Simply because information is secure only when it costs more to get than it is worth.
Dr. Stephen Herrod, Managing Director at Catalyst, summarized this point perfectly in his talk: our changing digital environment is, in my opinion, the actual seed of the new era of cyber-crime. Not only are the digital perimeters down, owing to e.g. distributed storage systems and CDNs, but the number of points of access also grows at a rate that is literally intractable to monitor and harden; together with the increasing value of the uploaded data and the penetration of XaaS, the result is a whole new business case for anyone with programming skills and a computer. A business so immediate to execute, and with such potentially devastating financial, social, and political consequences – proportional to the economic gains – that it represented around $400 billion in total costs already back in 2013. Dr. Herrod quoted Willie Sutton to draw a parallel that explains the increasing momentum of cybercrime nowadays, “I rob banks because that’s where the money is”; well, here is another perspective on the outrageous scale of cybercrime: as per the FBI, in 2014, cybercrime amounted to 25x the money of bank robbery, while perpetrators, who moreover committed more than 2 crimes on average vs. <1 for bank robberies, had 11x less risk of being arrested. Clearly, there is no $60 “pro” anti-virus subscription that can combat these incentives, which instead are fostering a steady growth of attacks at a rate that exceeds Moore’s Law itself – 1 billion attacks are expected to be reported in 2018 vs. less than 100 million in 2015.
Essentially, cyber-criminals now have the ideal tools to be creative, selective, polymorphic, and ultra-dynamic, unavoidably relegating DDoS, bulk attacks, or arbitrary phishing to minor concerns, now unseated by so-called advanced persistent threats (APTs). APTs are human-orchestrated, long-term, stealthy attacks which continuously/persistently monitor specific targets – e.g. people, enterprise frames, or data centers – looking for specific high-value information via sophisticated/advanced malware that seeks out and exploits the systems’ vulnerabilities. Much as with pickpockets, and just as we fight them, the ideal protection is to make the effort not worthwhile. The problem is that most proposed techniques, including employee/people awareness plus training, cyber insurance, large-scale monitoring, threat isolation, serverless technologies and others, do not increase the effective cost of executing an attack – i.e. they are not proactive; instead they are reactive and preemptive, and this is like trying to catch a very skilled pickpocket after the theft, or avoiding theft by switching your bag to the other shoulder every minute. In this regard, I believe that cyber security should focus on making it more expensive to access valuable data, not on making attacks impossible. The latter is impossible, more so every year, and perpetuates the not so successful cat-and-mouse game; the former would surely destroy their business case.
Nonetheless, proactive systems capable of discouraging future attacks are really hard to conceive, and they will presumably require an end-to-end approach combining perimeter, endpoint, and network security, where analytics, introspection, information sharing, and software in general will be critical; but perhaps we need to go deeper. For example, a family of software-free proactive data-protection methods in the network/transport segment is encompassed within the physical layer security paradigm, which, unlike bit-level techniques, relies on information theory fundamentals and leverages the secrecy capacity of the propagation channel – see, for instance, quantum key distribution. Resorting to hardware technologies and to network/computer architectural fundamentals to combat security threats appears to be one of the most effective and logical vectors of action against cyber-attacks that seek bits at the upper layers. This topic, i.e. physical layer and structural cyber defenses, has gained extraordinary research attention as we progress in the definition and standardization of next-gen 5G technologies and IoEverything, but unfortunately, we may be moving too slowly: https://meltdownattack.com/. There had better be more of “us”…
References
– M. K. Weldon, The Future X Network: A Bell Labs Perspective (2016), Taylor & Francis Group.
– Meltdown and Spectre Website [Online]. Available: https://meltdownattack.com/
– Y. Wu et al., “A Survey of Physical Layer Security Techniques for 5G Wireless Networks and Challenges Ahead,” arXiv:1801.05227 [cs.IT], 2018.
– Advanced persistent threat, Wikipedia and sub-references [Online]. Available: https://en.wikipedia.org/wiki/Advanced_persistent_threat
– Quantum key distribution, Wikipedia and sub-references [Online]. Available: https://en.wikipedia.org/wiki/Quantum_key_distribution
– Nokia internal