The security solution revolution

“Every generation needs a new revolution.” — Thomas Jefferson

A friend of mine recently sent me a link to the Department of Homeland Security’s request for proposals and whitepapers to address various cybersecurity topics. I applaud the government for actively encouraging new defense methods. However, I’m convinced that most of the proposals will not provide a lasting defense.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

No matter what cool idea or whiz-bang way of detecting worms and bot nets comes out of the proposals, malicious hackers and computer malware will continue unabated. That’s because we continue to address symptoms and not the real, underlying problem. I’ve written about this before, but it bears repeating every so often so that my new readers understand how all the feel-good ideas in the world won’t make bad cyberguys go away.

If you want to stop malicious hackers and malware, you must create a new computing ecosystem where every device, user, process, transaction, and network packet is authenticated from source to destination. It means creating a new Internet, one where default anonymity is no longer guaranteed. In fact, a secure Internet would ensure that everyone and everything has a confirmed identity and can be authenticated and tracked.

But creating a new Internet is putting the cart before the horse. Here are the three things we need first.

1. Trusted hardware

We need trusted and authenticated devices. We’re beginning to address this part of the problem with the Trusted Computing Group’s Trusted Platform Module (TPM) chip. The TPM chip is a specialized computing chip that can assist with cryptographic operations and can securely store cryptographic secrets (for example, passwords, encryption/decryption keys, digital certificates, and so on).

But even the boot process is too late to authenticate. Hardware vendors must authenticate their hardware components and connections so that hardware hackers can’t perform unauthorized hardware modifications.

I’m sure lots of readers will disagree with me on this point because they want to be able to make personal modifications to their gaming consoles, cars, and other computing devices. But I say let your dollars be your votes. I respect a vendor’s decision to prevent unauthorized modifications (just like I support the music vendors' right to prevent illegal copying), but I also think consumers who want to perform hardware modifications (or copy music beyond the standard allowed legal copyright usage terms) should buy products from only those vendors who support shared fair use visions.