Earlier this week, Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS) held its annual Information Security Symposium. This year’s symposium was well-attended, and the keynote speakers perhaps had something to do with that.  The keynote speaker for the first day was the Honorable Mike McConnell, a former Director of National Intelligence, among several other posts.  The day two keynote speaker was the current Under Secretary for the National Protection and Programs Directorate in the Department of Homeland Security, the Honorable Rand Beers. Of course, the internationally-renowned director of CERIAS, Gene Spafford, was there, along with a collection of academic and industry representatives serving on three speaking panels.

With the exception of the poster session, the content of the symposium was largely non-technical.  This is fitting, since many of the greatest challenges in cyber security revolve around social or political difficulties, not technical limitations.  Both Admiral McConnell and Mr. Beers discussed at great length the interactions between the public and private sectors and the need for a mature cyber security policy.

In his keynote, Admiral McConnell opened with a discussion of the history of information security, especially from the perspective of US efforts to break the security of enemy communications from World War II and beyond.  Despite the popular understanding, McConnell suggests that the confidentiality of information (via some method of encryption) is not the highest priority.  In fact, it ranks fifth behind authentication, integrity, non-repudiation, and availability.

McConnell also presented a pessimistic view of the current state of readiness for cyber attacks in the US.  The government is talking about cyber security, he says, but nothing substantive will be done until a catastrophic event brings the issue to the forefront.  A digital 9/11, so to speak, could easily be a small kinetic attack to create a distraction, and then a determined attack on a large US financial institution.  Such an attack, according to McConnell, could bring the American economy (and by extension, the global economy) to a halt.  Washington, D.C. responds to four things: ballot, law, money and crisis.  McConnell suggests that there is no motivation for the the first three and that motivation will not come until the fourth happens.

McConnell believes that the role and effort of the government in cyber security must and will change in the future.  He expects that the Internet will be re-invented to take advantage of the security technology and policies currently available.  This new Internet will be more secure with greater authentication, and will initially be a painful change for users.  What he didn’t discuss is the moral positives of Internet anonymity, which I see as the ability for an oppressed person or a whistle-blower to bring unacceptable situations to light.  It is possible that he envisions two separate Internets, one for general traffic resembling the Internet as we currently know it, and one for Serious Business™ that is more secure.

The first panel discussion focused on the visualization of security.  There’s a glut of data available regarding security, especially in network traffic. So much data, in fact, that it is extraordinarily difficult to come to meaningful conclusions, especially in real- or near-real-time. (“It’s not so much the needle in the haystack,” remarked Ross Maciejewski of VACCINE, “it’s the needle in the stack of needles.”) Northrop Grumman’s Donald Robinson claims the real goal of data visualization in the security realm is not to understand past threats, but to anticipate new ones.  As such, cyber security is the “intersection of psychology and technology.”  Because of this, computer scientists are often the wrong people to develop visualization tools. Many of the users of these tools are non-technical (e.g. law enforcement and military), and it is important that the tool meets the ever-changing user demographic.  Robinson expressed hope that one day security visualization tools will reach the levels of ubiquity and usability that the MRI has achieved in the medical profession.

The second panel discussed the ethics of information security.  This topic could easily span an entire day, as the introductory talks touched on a variety of topics including “who is responsible for software vulnerabilities?” and the privacy policies of websites.  The former sparked interesting discussion, including a Twitter comment that only software vendors are “responsible” for vulnerabilities. In a broader sense, the panel and audience discussed how programmers should be trained to prevent vulnerabilities and who should do the training — schools, employers, or perhaps professional organizations.  Ultimately, Symantec’s Cassio Goldschmidt says that “vulnerabilities are like pollution — it is a problem we all share” and in order to combat this security should not be a course but should be a part of every course.

The privacy policy issue is interesting as well.  Currently, 45 states have laws addressing data breaches, but no federal law currently exists in the U.S.  Despite these breach laws, Purdue’s Melissa Dark told the audience that individuals have no right of action against websites that violate their stated privacy policies. Privacy policies themselves are often written by lawyers (or amateur lawyers), and can’t always be understood by users.  It has been suggested that a standardized privacy policy summary is in order, similar to the nutrition labels used in the United States.

To close the first day, Spafford, McConnell, and Beers conducted a fireside chat (or as one attendee suggested a “firewall-side chat”).   This was an interesting opportunity to hear three top security experts speak their mind (although Undersecretary Beers was a bit constrained by his position).  The three participants reaffirmed the idea that the main challenges in cyber security are non-technical.  Political inertia may be the single biggest problem: Beers likened the problem to climate change in that we have evidence of a problem but lack the will to make any changes.

Even once there’s motivation to make changes (which McConnell repeated was likely only to happen after a catastrophic event), much of the focus has been on the United States.  A single-country focus is unlikely to provide a true increase in security due to the international nature of the Internet.  McConnell suggested that China will be an important, if unexpected, partner in these efforts. However, before international agreements can be reached, an internal consensus needs to be developed, and there needs to be some method for determining global norms.

The fireside chat also featured some disagreement, primarily between Spafford and Beers, about the degree of authentication needed.  As Beers noted, we all give up some degree of privacy in order to participate in society.  The real question is to what degree does privacy need to be surrendered.  McConnell’s view is of an authoritarian nature, and trusts that “if we get the laws right, we’ll conduct ourselves correctly.”  Spafford argued, and I am inclined to agree, that the strongest authentication is not always necessary.

Day two opened with a keynote from Undersecretary Beers, who began with a discussion of the responsibilities of the Department of Homeland Security.  Like Admiral McConnell, he noted that threats are increasing on a daily basis.  One of the more interesting themes of his talk was the unexpected impact in cyber space of physical attacks.  As an example, he shared the story of a bond trading company which had to evacuate during the 1993 World Trade Center bombing.  They did not have off-site data backups and the fire marshal prevented them from entering the building to retrieve their data.  It took intervention by the president to get this company re-admitted to the building.

DHS is making a concerted effort to improve the nation’s cyber defenses.  One method for reaching this goal is to hire 1,000 people in cyber security in the next 3 years.  The difficulty is that institutions don’t currently produce enough graduates to meet this demand.  Fortunately, not all all of the need is in technical positions.  Much to the surprise and amusement of the audience, there aren’t enough lawyers in DHS.  It takes a long time for DHS leadership to get legal advice on some topics because there are more questions than the lawyers can answer.  Some of this would be rectified by having better laws relating to cyber security.

The final panel discussion focused on the changes in research funding and projects.  I’ll admit to being less interested in this discussion than in the first two.  The panelists did note that research funding is shifting from government programs to the private sector, a trend that is being observed in many fields.  As a result, researchers need to give consideration to the business aspects, including how to monetize the research and getting it into the field.  Fortunately for aspiring security researchers, the field is very young.  Panelist Joe Pekny says we’re “in the stone ages” as far as research and policy go.

In the afternoon, CERIAS students presented posters of their research efforts.  I didn’t understand all of it, but there were some very interesting posters, including one describing a very trivial but dangerous attack against Linksys routers.  I won’t go through all 30+ posters here, the interested reader can see the CERIAS website for abstracts and PDFs of posters.

The symposium closed with a talk by Dr. David Bell of “Bell-La Padula model” fame.  Unfortunately, I wasn’t able to give his talk my full attention, so I have very little to say about it.  His talk has been posted to his website.  In all, it was a very informative symposium, and I look forward to next year’s.

Thanks to the following Twitterers for their contributions to my notes: TheRealSpaf, joel_rasmus, dscouch, KlitchS, ikawnoclast, funkatron, JacobyDave, RayDavidson, infinitesteps, akmassey, selil and to www.icerocket.com for their Twitter search page.

Note: the quotes presented above are presented to the best of my recollection. My summary of talks and presentations is my own interpretation and doesn’t represent any policy statements that you want to infer from them.