In cyberspace, no one can hear you schemeNew paper says nothing short of reinventing the computer will secure IT infrastructures
A radical new approach to countering the growing menace of contemporary cyber threats has been proposed in a recent EastWest Institute paper. The authors say new thinking is necessary because most prominent ideas for cyber defense are “immature and strategically misaligned.”
“We have to reinvent the computer, the base technology,” said co-author Sandro Gaycken, a senior computer science researcher at the Institut für Informatik, Freie Universität Berlin.
Gaycken said there's a lot that can be done that is simply not debated at present, that while 100 percent security is not possible, it is possible to make cyber assets difficult, expensive and even risky to attack.
“But this requires not just new ad hoc security technologies, but a reform of the computer as such - a new kind of computer,” she said.
Gaycken said hacking into systems would then be much harder than it is now, and that some problems such as economic espionage would be gone for good.
Gaycken said current IT security ideas build on wrong perceptions of the power and the development of offensive cyber warfare and cyber espionage, and they believe that the current IT-environment can somehow be maintained.
The EWI paper, however, argues that the IT-environment cannot be protected by ad-hoc security technologies or by current active defense approaches, that what is needed instead is ‘highly secure computing.’ Highly secure computing is a concept of passive defense, of deterrence by denial.
“Active defense is far too easy to fool,” Gaycken said. Active defense methods include tactics like honeypots to lure hackers and decoys to disrupt attacker activities.
Gaycken said highly secure computing considers security the topmost item in specifications and compromises everything else, a top-down security concept that starts with the best security and assumes the toughest attacker.
Gaycken said current concepts of IT-security is to bolt some ex post facto security technology on top of computer operating systems, but the base computer technologies are so full of security problems that no security product in the world can patch them all.
The way things exist now, Gaycken said, knowledgeable adversaries with abundant resources and expertise at covering their tracks will always be able to remain anonymous in cyber-attacks.
Co-author Greg Austin, a EWI fellow, told Homeland1 the idea of the paper is also about seeing national cyber security as an internationally shared interest.
"Neither China nor the United States can be secure if they go into a full blown cyber arms race," Austin said. "They are both highly insecure now simply because of overwhelming U.S. and allied military superiority in cyberspace. We need to shift to common security principles and execute that in technology and in industry policy."
Austin said current active defense schemes also carry geopolitical risk.
"History repeatedly confirms that states with offensive military doctrines are more likely to take risks and make big mistakes in use of force," he said. "Active defense just compounds the problem by undermining a sense of order in cyberspace.