Cybersecurity reboot: Two game-changing ideas

Current computer and network technologies were built to help process and move data quickly from one site to another. Unfortunately, until recently, efforts to protect that infrastructure played second fiddle to business needs.

Consequently, cybersecurity has been implemented in an ad hoc and often slapdash fashion, leading to the current mess of firewalls and other devices backed by inadequate identification and authentication protocols and inhibited by piecemeal policies and fragmented responsibilities.

That state of affairs has meant job security to the hackers who want to damage networks or steal data from them. As organized criminals and well-funded nation-state actors have joined their ranks, it has become clear that existing security regimes can’t stem the tide. Attacks on military and other government systems continue to grow and are increasingly successful.

Government and industry are now trying to jump-start a new era of innovation in cybersecurity, one in which security is a design and policy priority rather than an afterthought.

Such goals have been recognized as a priority for basic research in the Obama administration’s fiscal 2013 budget proposal, with millions of extra dollars requested for research and development at the departments of Defense and Homeland Security, the National Science Foundation, and the National Institute of Standards and Technology. And in December 2011, the White House published a strategic plan for the next few years of cybersecurity R&D.

There are many ideas on the table. The following are two examples of future approaches that are gaining attention, support and most importantly, funding. One is a technology plan that makes computer systems a moving target to stymie hackers, the other a policy approach that provides a more coordinated defense against attacks. Officials hope that ideas such as these can lead to game-changing solutions that tip the balance back in favor of the good guys, but like anything to do with cybersecurity, it won’t be easy.

Moving target defense

Current cyber defenses are designed to protect systems that operate in relatively static configurations for long periods of time. That is also a major weakness. Attackers can spend an equally long time looking for a single vulnerability in a key system, assessing how the system’s security would respond and planning attacks accordingly.

Defenders, on the other hand, have to try to plug the security holes in all their systems and keep them plugged, which soaks up a lot of resources and time. Given the complexity of most agency IT infrastructures, it’s an almost impossible task.

Moving target defense (MTD) strategies turn that approach on its head. Instead of presenting a security barrier for static systems, they create a dynamic, constantly changing set of system parameters that presents a much more complex scenario to would-be attackers. They would have to expend much more effort to find and exploit vulnerabilities, and they would have far less time in which to do so.

In a Small Business Innovation Research program notice published in November 2011, DHS recognized that MTD challenges the traditional belief that adding complexity to systems adds risk.

“The complexity of today’s compute platforms and analytic and control methods can now be used to frustrate our adversaries,” the notice states. “The challenge is to demonstrate that complexity is indeed a benefit and not a liability.”

The Defense Advanced Research Projects Agency included MTD as a potential component of its Mission-oriented Resilient Clouds program in an R&D solicitation released last May. MTD solutions “are sought that periodically change the allocation of tasks to hosts … making it difficult for an attacker to ‘map’ the system well enough to launch a coordinated attack,” the solicitation states.

One of the most promising areas for MTD is the software code that is used in most systems today, said Anup Ghosh, founder and CEO of Invincea and a former senior scientist and program manager in DARPA’s Strategic Technology Office.

“Most of the exploits you see today are based on specific vulnerabilities in the way code is structured,” he said. “MTD strategies are to create different instances of the same software where semantically or functionally the behavior of the software is the same, but its structure would change with each instance.”

The idea is to keep the adversary guessing about what the software actually does, he said.
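To make the software-diversity idea concrete, here is a toy diversifier written for this article (it is not Invincea's, DARPA's or any product's code). It takes a constructed, hypothetical function body and emits many variants that compute the same result but differ in structure, using three simplified rules that stand in for what a diversifying compiler does: renaming internal variables (register allocation), reordering independent statements (instruction scheduling) and inserting dead assignments (NOP padding). The verification step is the part a defender cares about: every variant is checked against a reference implementation on test inputs, and the number of distinct structures is counted.

```python
import hashlib
import random
import re

# Constructed "source" to diversify: the body of a hypothetical function f(x, y)
# written as independent statements (none reads a variable another one writes)
# plus the expression to return.  This is example data, not real product code.
PARAMS = ("x", "y")
INDEPENDENT_STATEMENTS = ["a = x * 3", "b = y + 7", "c = x ^ y"]
RETURN_EXPR = "(a + b) * c"


def reference(x, y):
    """Plain, undiversified implementation used as the behavioural oracle."""
    return ((x * 3) + (y + 7)) * (x ^ y)


def _rename(src, mapping):
    # Whole-word substitution so an 'a' inside another identifier is untouched.
    return re.sub(r"\b([abc])\b", lambda m: mapping[m.group(1)], src)


def make_variant(rng):
    """Emit the source of one structurally distinct, semantically identical f."""
    # 1. Fresh internal names per variant (register-renaming analogue).
    mapping = {n: f"v{rng.randrange(10**6)}" for n in ("a", "b", "c")}
    stmts = [_rename(s, mapping) for s in INDEPENDENT_STATEMENTS]
    # 2. Shuffle the independent statements (instruction-scheduling analogue).
    rng.shuffle(stmts)
    # 3. Insert a random number of dead assignments (NOP-insertion analogue).
    for _ in range(rng.randrange(4)):
        pos = rng.randrange(len(stmts) + 1)
        stmts.insert(pos, f"pad{rng.randrange(10**6)} = {rng.randrange(256)}")
    body = "\n".join("    " + s for s in stmts)
    return (f"def f({', '.join(PARAMS)}):\n{body}\n"
            f"    return {_rename(RETURN_EXPR, mapping)}\n")


def load(source):
    """Compile one variant's source and return the resulting function object."""
    ns = {}
    exec(compile(source, "<variant>", "exec"), ns)
    return ns["f"]


def generate_population(n, seed=0):
    """Produce n variants from a seeded generator so runs are reproducible."""
    rng = random.Random(seed)
    return [make_variant(rng) for _ in range(n)]


def verify_population(variants, test_inputs):
    """Return (all_equivalent, distinct_structures).

    all_equivalent: every variant matches reference() on every test input.
    distinct_structures: number of unique source fingerprints, i.e. how many
    different shapes an adversary would have to study instead of one."""
    all_equivalent = all(
        load(v)(x, y) == reference(x, y)
        for v in variants
        for (x, y) in test_inputs
    )
    fingerprints = {hashlib.sha256(v.encode()).hexdigest() for v in variants}
    return all_equivalent, len(fingerprints)


if __name__ == "__main__":
    population = generate_population(5, seed=42)
    for variant in population:
        print(variant)
    print(verify_population(population, [(0, 0), (1, 2), (17, 5), (255, 128)]))
```

Each run of `generate_population` with a different seed yields a different set of shapes; the equivalence check is what lets a deployment trust that the behaviour the users depend on has not changed while the structure an exploit would have to match has.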

The good news is that many of the technologies that will be needed to deploy MTD already exist or soon will. For example, continuous monitoring will be vital to know the status of the various servers and network systems in real time in an MTD environment. Agencies are already moving in that direction through initiatives that include DHS’ Einstein system, which monitors numerous agencies’ Internet access points for malicious activity.

Virtualization will also be central to many MTD programs, which depend on being able to change servers and other resources around quickly. Virtualization gives administrators the ability to freely move data within a virtualized environment and quickly set up and close down virtual servers. It’s also a fairly simple job to move files and data from a physical server to a virtual server in a completely different location. Agencies are already using virtualization to consolidate data centers as part of government mandates to cut costs.

In addition, new technologies such as IPv6, which agencies will graduate to in the next few years, will be essential to MTD. Unlike IPv4, for which the number of usable Internet addresses has all but run out, IPv6 offers a virtually inexhaustible supply. That guarantees the ability to move through a large number of short-lived IP addresses quickly, another central feature of MTD.
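The following simulation, added here as an illustration and not drawn from the DARPA or DHS programs named above, models the claim running through this section: rotating where a service lives (its host, task slot or short-lived address) shrinks the window an attacker has to use what reconnaissance revealed. The model and its numbers are constructed. A defender re-randomises the mapping every `rotation_interval` ticks; the attacker needs `recon_time` ticks to map the system and `attack_time` ticks to act on that map, and the attempt only lands if no rotation occurs during that whole window. A closed-form result is given alongside a Monte Carlo estimate so the two can be checked against each other.

```python
import random


def exploit_succeeds(start, rotation_interval, recon_time, attack_time):
    """True if the mapping learned by the attacker stays valid for the whole
    window: reconnaissance (recon_time ticks) followed by the attack
    (attack_time ticks).  rotation_interval=None models a static system."""
    if rotation_interval is None:
        return True
    first_tick = start
    last_tick = start + recon_time + attack_time - 1
    # The map is only stable while both ends fall inside one rotation epoch.
    return first_tick // rotation_interval == last_tick // rotation_interval


def success_probability(rotation_interval, recon_time, attack_time):
    """Closed form for an attacker who begins at a uniformly random phase of
    the rotation cycle: only starts with at least (recon + attack) ticks left
    in the current epoch succeed."""
    if rotation_interval is None:
        return 1.0
    window = recon_time + attack_time
    good_starts = max(0, rotation_interval - window + 1)
    return min(1.0, good_starts / rotation_interval)


def simulate(rotation_interval, recon_time, attack_time, trials=5000, seed=0):
    """Monte Carlo estimate of the same quantity, for cross-checking."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        start = 0 if rotation_interval is None else rng.randrange(rotation_interval)
        if exploit_succeeds(start, rotation_interval, recon_time, attack_time):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Constructed scenario: 30 ticks of reconnaissance, 20 ticks to act on it.
    recon, attack = 30, 20
    print(f"{'rotation':>10} {'closed form':>12} {'simulated':>10}")
    for interval in (None, 400, 200, 100, 60, 50, 40):
        label = "static" if interval is None else str(interval)
        print(f"{label:>10} {success_probability(interval, recon, attack):12.3f} "
              f"{simulate(interval, recon, attack):10.3f}")
```

The table the script prints shows the design trade-off in the text: once the rotation interval is shorter than the attacker's combined reconnaissance and attack time, the learned map is always stale by the time it is used, and between those extremes the defender can tune how much of the attacker's effort is wasted against the operational cost of rotating more often.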