Yesterday I had the honor of keynoting at RSA. The theme of this year’s conference is “the Cipher is Mightier than the Sword” – based on the story of the Great Cipher, which was used for nearly 200 years before its key was cracked in 1893. The lessons for me from this story are that ciphers (and really any attempt to communicate) can mean the difference between life and death, and that nothing is unbreakable… It is just a matter of time.
Over the weekend, as I was preparing for this keynote, I stumbled across the movie Robin Hood. Russell Crowe’s character remembers a phrase his father taught him: “rise and rise again, until lambs become lions.” When asked what it meant, the father said “never give up.” But it meant something more. It meant that the people can be in charge of their liberties, just as the royals (the lions) are, and they should rise and rise again until that happens.
Hollywood recognizes a great story when they see one, and for a long time, Hollywood has foreshadowed tomorrow’s security challenges. It started with a movie called “Hot Millions,” released in 1968, which portrays a convicted con man and embezzler who takes on the identity of a computer programmer in an insurance company in order to siphon out thousands of dollars. The film featured social engineering, identity fraud, insider abuse and exploitation. “War Games” made it cool to hack, “Enemy of the State” made us worry about privacy, and cyberterrorism provided the theme for “Jumping Jack Flash,” “Sneakers,” “The Matrix,” “Die Hard 4” and others.
So what are the major ingredients that Hollywood script writers use to spin their tales and how do they apply to security? The first is ample opportunity. With a billion devices today, and growing to 50 billion by the end of this decade, there is no shortage of opportunity. The second is motivation. That usually translates to money, or information (because information is power), or purpose (which can be a very powerful motivator) or injury (think delaying a nuclear power program in Iran). The last ingredient is ability. Without access to the tools and techniques and the wherewithal to learn them, there would be very few successful hacks.
We have evolved from the mainframe and centralized computing, to Windows and Apple and Linux, to real-time operating systems and embedded systems. The number of interconnected devices is exploding… and this invisible world of embedded devices is our future. The stakes here are higher than they’ve ever been before.
Take the example of people who have Type 1 diabetes. About 50% of those afflicted with this condition use an insulin pump to automatically regulate their blood sugar. These are tiny embedded devices that house stripped-down operating systems and chips that control the moving parts, including a pump that dispenses insulin at a desired rate. What many people don’t know, however, is that all of these units are tiny computer systems… and they are capable of killing people.
To accomplish the goal of securing the unsecurable, we have to admit our weaknesses. Every time we think we have good coverage, we discover a fundamental gap in our ability to prevent. So we throw duct tape and baling wire on it to fix it. But the world of signatures and blacklisting is over. We have to move to the world of whitelisting, and really to grey: whatever falls between clean and dirty needs to be rated and given a reputation, so that the user can decide.
We need to push security down the stack. We’ve lived in the world of the operating system, and the application, and we’ve moved to the virtual world. But the threats aren’t staying there. They’re pushing deeper into the BIOS, the firmware, the ancillary chips. And that’s where we need to go, with features like security management, device integrity (secure boot), identity (making sure that the one at the keyboard is the person that owns the device), privacy (keeping private information private), and resiliency (when something happens, restore and return to normal quickly). So the next generation of security will really be about Control — control of privilege, control of execution and control of recovery.
In 2012 we’re going to see all sorts of attacks taken up a notch from 2011. Some of these attacks I am sure you’ve thought of, and perhaps there are others you haven’t. Regardless of the attack, remember that you are in charge of their liberties. Never give up, and never forget that phrase, “rise and rise again, until lambs become lions.”