The CIA Secret to Cybersecurity That No One Seems to Get
If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. Airplanes hacked, cars hacked, vulnerabilities in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices.
The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Edward Snowden’s NSA leaks revealed the US government has its own national and international hacking to account for. And the Ponemon Institute says 110 million Americans saw their identities compromised in 2014. That’s one in two American adults.
The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
How Did We Get Here?
One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: If you keep bad actors and bad software out of your system, you have nothing to worry about.
Malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Network security seeks to protect those endpoints with firewalls, certificates, passwords, and the like, creating a secure perimeter to keep the whole system safe.
This wasn’t difficult in the early days of the Internet and online threats. But today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. As Ajay Arora, CEO of file security company Vera, notes, there is no perimeter anymore. It’s a dream of the past.
But the security paradigm remains focused on perimeter defense because, frankly, no one knows what else to do. To address threats, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats.
The CIA Triad
The information security community has a model to assess and respond to threats, at least as a starting point. It breaks information security into three essential components: confidentiality, integrity, and availability.
Confidentiality means protecting and keeping your secrets. Espionage and data theft are threats to confidentiality.
Availability means keeping your services running, and giving administrators access to key networks and controls. Denial of service and data deletion attacks threaten availability.
Integrity means assessing whether the software and critical data within your networks and systems are compromised with malicious or unauthorized code or bugs. Viruses and malware compromise the integrity of the systems they infect.
The Biggest Threat
Of these, integrity is the least understood and most nebulous. And what many people don’t realize is it’s the greatest threat to businesses and governments today.
Meanwhile, the cybersecurity industry remains overwhelmingly focused on confidentiality. Its mantra is “encrypt everything.” This is noble, and essential to good security. But without integrity protection, the keys that protect encrypted data are themselves vulnerable to malicious alteration. This is true even of authenticated encryption algorithms like AES-GCM.
In the bigger picture, as cybercrime evolves, it will become clear that loss of integrity is a bigger danger than loss of confidentiality. One merely has to compare different kinds of breaches to see the truth of this:
[[INSERT CHART HERE]]
Most companies focus overwhelmingly on encryption and perimeter defense in a post-perimeter world. Their security plans undervalue availability, and rarely address integrity.
Fortunately, important people are catching on. In testimony before Congress this fall, James Clapper, the director of national intelligence, said the biggest emerging threat to national security is “cyber operations that will change or manipulate electronic information in order to compromise its integrity instead of deleting or disrupting access to it.” NSA Director Michael Rodgers echoed the point.
It’s worrisome to think that top-level decision makers might not be able to trust the integrity of key information and systems – or, worse, that hackers could take over those systems altogether. Equally worrisome, few organizations have the tools to prevent it.
What Can We Do?
Part of the problem involves the technology the cybersecurity sector relies on. Public key infrastructure, also known as PKI, has been the dominant system for decades. It’s a lock-and-key system, preventing unauthorized access to sensitive systems or messages. Like the locks on your doors, PKI ensures that only those with the correct “key” can access what’s inside. But hackers are attacking every door and window, and once they get in, PKI is useless. That’s why most companies have no idea who’s hiding in their systems, or what they’ve been doing there. And, as noted, the keys themselves remain vulnerable to integrity attacks.
An integrity solution, on the other hand, would act less like locks and more like an alarm. It would monitor all parts of a network, from the access points at the perimeter to the sensitive data within it – and provide an alert if something changes unexpectedly. Such technology is no longer a pipe dream. Data integrity schemes based on Merkle hash trees, scalable provable data possession (SPDP), and dynamic provable data possession (DPDP), among others, enable protection of data in untrusted stores from intentional and malicious modification. The challenge lies in efficiently scaling these technologies for practical deployment, and making them reliable for large networks. This is where the security community should focus its efforts.
Once the security community moves beyond the mantras “encrypt everything” and “secure the perimeter,” it can begin developing intelligent prioritization and response plans to various kinds of breaches – with a strong focus on integrity.
We can no longer count on keeping the hackers out. Let’s work on ensuring we can catch them once they break in.