Complexity Is Killing Us: A Security State of the Union With Eugene Spafford of CERIAS

For our second annual spotlight on cyber-security, Switched turned to a renowned expert in the field: Eugene H. Spafford, Professor of Computer Science at Purdue University. Among his many professional associations and corporate and governmental advisory roles, Spafford is the Executive Director of the Center for Education and Research in Information Assurance and Security (CERIAS), which supports research in information, security and communication infrastructures. A legend among those who were around for the early days of the Internet, Spaf (as he's known) is credited as one of the major contributors to the system for organizing Usenet, and analyzed one of the first known computer worms. When asked what OS he'd recommend over any others, Spaf refused to be pigeon-holed, which became understandable when he explained that he maintains seven computers of his own, with a cornucopia of OSes installed among them. He did admit, however, that since 1987 his main machine has always been a Mac -- although his current one is stuffed to the gills running OS X, Windows, Linux and BSD Unix.

Switched: Let's get right to it. What is the State of the Union in terms of security? Are we better off this year than we were last year?
Eugene Spafford: I don't think we're any better, and we may actually be a little worse.

Ouch. How so?
If you look at where a lot of the rhetoric and attention has gone, it's been on the term "cyberwar," which is really the wrong term, the wrong mindset. There's also been a great deal of attention about moving to cloud-based computing and compliance. So a lot of focus has moved away from the basics of security: building secure systems, securing enterprise, reducing complexity, and dealing with computer crime. As a result, we're moving farther away from the fundamentals that need to be addressed.

So how bad is it? What is the rate of infection for PCs?
It's fairly high. I don't have exact numbers in front of me, but possibly above the 50-percent rate. [Ed. note: He's correct; a 2010 Panda Labs report says it's more than 58-percent in the U.S.]

Do we know what the prime method for infection is? Weak OSes or user behavior?
It's a combination of things. There are vulnerabilities within OSes, but, sure, also user behavior. Where you have people who haven't installed patches, and then cruised a site they shouldn't have. Or clicked on a link they shouldn't have, and something ends up on the system. Over time, stuff accumulates.

Whose responsibility is it to keep systems secure? Should the industry be better about making secure devices, or ISPs? Or the various bodies who manage the Internet? Or is it just up to users?
Well, it's everybody's responsibility. Trying to point your finger in any one place is like saying, "Whose responsibility is it to prevent everyone from getting sick, or to prevent any kind of crime?"

To be fair, we do have people responsible for those things. We inoculate babies against contagious disease for instance...

Sure, but if you don't bother to take your kid in to be inoculated, then...

Right. I guess I'm just wondering why we continue to have PCs that are so easy to infect. I'm thinking of the old analogy that if you buy a car, you have to do basic maintenance, but you also expect the car to work without the kind of constant upkeep and expertise required for PCs.
Every technology has certain forms of risk. You can't buy a car, take it out on the road and assume you aren't going to run into things. The problem we have is, where is the balance that should be struck? It's kind of the same thing with computers. If you don't know what you're doing, you can't just plug it in, turn it on, and assume it's going to work safely. For people to do that is either stupid or irresponsible or both.

How culpable are the big computer makers?
They're certainly not doing enough either. I think that the whole ecosystem has not yet stepped up and adjusted. The vendors haven't done an appropriate job; the instructions you go through don't give you the appropriate warnings about what you need to do or configuration options. And the systems aren't built to be robust enough in the first place. Also, ISPs don't provide enough instruction or safeguards for you to hook up and connect appropriately. There are very few places you can turn to for the kind of advice up-front that is necessary for your average user who is not technically literate.

We've had home PCs for a few decades now. Why the delay in adequate education?
Part of that has to do with the growth of the industry. It evolved from a community of scientists and engineers and enthusiasts, so it was never really written for the average consumer. As an economic entity it has continually evolved to sell to a larger and larger audience. So, the newer audience doesn't necessarily have the technical literacy to understand it all. If you take terms like "illegal operation" or "fatal error"... Well, oh my gosh! The average person has no idea what those mean.

What is the solution?
It's not entirely clear. Part of the difficulty is providing everybody with such a broad range of powerful capabilities, more than most people need, and so there are so many different avenues for them to damage themselves. If only half the population -- I'm guessing, pick a number -- needs only enough power to read e-mail and surf the 'Net, then giving them the capability to have huge file systems, with the ability to modify the operating system, is totally unnecessary and also provides a huge avenue for persistent threats for spam and botnets. Today's computers are overly complex, overly capable systems that are difficult to administer, difficult to recover and protect. Right now, you buy an OS with 100 million lines of code. That's what's killing us; it's the complexity. Everybody's being given a 200-bladed Swiss Army knife when they only need to use three, so it's no surprise they cut themselves.

How are the issues of privacy and security related?
You can't have all the levels of privacy you want to have without information security in place. So unless you can protect your records and info about yourself, you can't stay private. You can't keep your medical records private unless there's security on them. You can't keep your financial records or love letters private unless you can keep files or e-mail secured. So security is important to protect privacy. It works the other way, as well; privacy is important because it protects personal info that can be used not only in a social engineering context, but also for personal security. Some of the things that are being shared now, such as location with Foursquare, are dangerous. If you know where I am and it's not at home, then you can break in.

A lot of people have argued that our culture of oversharing breeds serious security issues.
Sure, these issues are not being considered well by many of the people online. And in part it's because the younger generation are not as worldly. Certainly a lot of the people I deal with, the students and young professionals, have not yet encountered some of the real-world dangers and consequences online. When we grow up, we're taught as children about washing hands or not talking to strangers as part of the whole childhood experience; those are things that have been deemed culturally important to learn early on because they help keep us safe. When you and I were children, there was no Facebook or Twitter or Foursquare, so there was no need to teach them about not revealing their location or posting pictures on Facebook. For today's younger generation, their parents haven't experienced privacy issues to share that wisdom with them. But there will be warnings for the next generation. Presuming there still is an Internet and a Facebook.

Is that a big presumption?
Yeah, probably at the rate things are going. [Laughs]

But at issue is the fact that, until these lessons about the importance of privacy are learned and taught, a lot of people are going to screw themselves.
Sure, but I mean, we've gone from the free-love generation of the '60s and '70s, where there are a whole lot of embarrassing pictures out there -- "Mom, Dad, is that you at Woodstock?" -- and people have managed to live most of those down. It may just not be such a big deal in another ten years; there will be so much shared that it won't be a big deal. Maybe that's a good thing. But again, we develop cultural norms that we then pass onto our children -- that these are the appropriate and safe things to do -- and so far we just haven't had the time yet for parents to learn what is appropriate to teach their children.

Interesting. You think of security and privacy as cultural traits?
Well, you learned about privacy as a kid, right? Like you don't barge in on people going to the bathroom. That's not something you learn as an adult.

And now we end up with a lost generation. We missed the teaching moment.
Exactly, it's those teaching moments that reinforce culture, not only via schooling and as parents, but through nursery rhymes and games in the schoolyard and TV shows like 'Sesame Street.' And one could argue in fact that some of the asocial behavior in some parts of society is because children aren't exposed to those.

So to reach them we need Big Bird to sing a song about rootkits and malware.
Yes... don't click on that link, kids!

