“Every generation needs a new revolution.” — Thomas Jefferson
A friend of mine recently sent me a link to the Department of Homeland Security’s request for proposals and whitepapers to address various cybersecurity topics. I applaud the government for actively encouraging new defense methods. However, I’m convinced that most of the proposals will not provide a lasting defense.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
No matter what cool idea or whiz-bang way of detecting worms and bot nets comes out of the proposals, malicious hackers and computer malware will continue unabated. That’s because we continue to address symptoms and not the real, underlying problem. I’ve written about this before, but it bears repeating every so often so that my new readers understand how all the feel-good ideas in the world won’t make bad cyberguys go away.
If you want to stop malicious hackers and malware, you must create a new computing ecosystem where every device, user, process, transaction, and network packet is authenticated from source to destination. It means creating a new Internet, one where default anonymity is no longer guaranteed. In fact, a secure Internet would ensure that everyone and everything has a confirmed identity and can be authenticated and tracked.
But creating a new Internet is putting the cart before the horse. Here are the three things we need first.
1. Trusted hardware
We need trusted and authenticated devices. We’re beginning to address this part of the problem with the Trusted Computing Group’s Trusted Platform Module (TPM) chip. The TPM chip is a specialized computing chip that can assist with cryptographic operations and can securely store cryptographic secrets (for example, passwords, encryption/decryption keys, digital certificates, and so on).
But even the boot process is too late to authenticate. Hardware vendors must authenticate their hardware components and connections so that hardware hackers can’t perform unauthorized hardware modifications.
I’m sure lots of readers will disagree with me on this point because they want to be able to make personal modifications to their gaming consoles, cars, and other computing devices. But I say let your dollars be your votes. I respect a vendor’s decision to prevent unauthorized modifications (just like I support the music vendors' right to prevent illegal copying), but I also think consumers who want to perform hardware modifications (or copy music beyond the standard allowed legal copyright usage terms) should buy products from only those vendors who support shared fair use visions.
(On a side note, I think we would have more online, cheap, free-to-copy music choices today if people would stop buying and/or illegally copying digital music. As consumers, we have the ultimate power over music vendors. If we all just stop buying music for a few months in protest of the unfair usage terms and pricing structures, I think we'd see the industry turn on a dime. Most of the music is pretty crappy, anyway — what would you be missing?)
2. Trusted OS
A few operating systems, including Windows Vista, use the TPM to help confirm a trusted boot path and to help encrypt information stored on hard drives. But security takes so much more than BitLocker Drive Encryption. The TPM chip, or something like it, is the root component of a secure computer communicating infrastructure, allowing hardware and software vendors to confirm that the starting boot path for the computing device was as intended and unmodified (for example, making sure a Trojan rootkit wasn't added to the mix).
After the verified boot process happens, a trusted and verified OS can be loaded. For example, 64-bit Windows Vista, where all drivers must be signed, is a start down this path, but it won’t be enough if only Microsoft does it. Every computing device’s OS must do the same, including OSes for Internet-enabled cell phones, BlackBerrys, mobile computing devices, and all the other devices we can’t imagine just yet. And the authentication must be extended for more than boot drivers — it should include any default OS component and installed application.
Every installed application should be authenticated during the install and before each startup. Software vendors, including Microsoft, are working toward this goal with various initiatives. The idea is to confirm to the end-user that every component they are using is trusted and authenticated. This needs to be extended to every process and thread used by the application. Essentially, not a single process can load into memory unless unmodified and preauthorized.
3. User authentication
Users must be securely authenticated when they log in, using something beyond simple passwords. At businesses, this would mean holding senior management and system administrators accountable for authenticating their own users and devices. For home users, this would mean holding the ISPs accountable for logons that result in gaining access to the secure portion of the Internet. Among other things, default authentication would prevent spam, as well as DDoS and phishing attacks.
Unfortunately, none of this will confirm that the authenticated tools, and the resulting data, aren’t used for maliciousness. Therefore, we need all network packets authenticated from source to destination. The users and computers creating or sending data will have to be authenticated and confirmed, and the packets are tracked and authenticated whenever data is sent from source to destination.
I’m not so worried about the data itself. Heck, the data can and should be encrypted by default. We just need to be able to track the packet from source to destination so that if something malicious is sent, we can track it back to its original source computer and authenticated user.
In my vision of a more secure computing environment, the malicious hackers and programs wouldn’t exist because we would be able to immediately identify their sources. And yes, there are bound to be vulnerabilities and errors — the system is made by humans, after all. But with the new structure, once you close the newfound vulnerability, you also close off all forms of malicious hacking at once. Today, we have the exact opposite situation: Close one vulnerability and you stop just one malicious vector.
Of course, if you hate the idea of this new Internet's default authentication and the loss of anonymity, you could continue to use the old Internet. But in order to send me e-mail and send packets to my server, you would have to be authenticated by default. If I don’t know exactly who you are and what you sent, I don’t need your information — that's the risk I’m willing to take to stop malicious hackers.
Business and monetary concerns dictate that we implement an evolutionary process when a revolution is needed. So until I see the government or business request for a proposal that begins, “We are requesting proposals to rebuild computers and the Internet from the ground up in order to guarantee a more secure environment…,” I’m going to politely dismiss any thought that anyone is doing anything that will lead to real security.