GEEKONOMICS

Show 046 - An Interview with David Rice

On the bonus-length 46th episode of The Silver Bullet Security Podcast, Gary talks with David Rice, Executive Director of the Monterey Group and author of Geekonomics: The Real Cost of Insecure Software. Gary and David discuss David’s involvement with Infowar at the Naval Postgraduate School and how it impacted his thinking about software, the recent Chinese cyberattack on Google, what incentives exist to create and apply software security best practices, how users may be mistaking marketing for security, and the SANS WhatWorks in Application Security Summit. They close out by discussing unusual yoga positions.

Listen to the podcast on the Cigital website: Show 046 - An Interview with David Rice

Many thanks to Gary McGraw. I greatly enjoyed our conversation.

I will be interviewing Gary McGraw, CTO of Cigital, on Friday, January 22 at 1pm EDT on the impact the Building Security In Maturity Model (BSI-MM) has had on software development programs since its release in Q1 of 2009.

The webcast will be delivered through the SANS Institute and is located here:

The Impact of BSI-MM in Software Development Programs

Gary McGraw also will be giving the opening keynote at the SANS Application Security Summit in San Francisco, February 4th. Please start planning today to attend.

Please join me at the first annual SANS AppSec Summit 2010 in San Francisco on February 4th and 5th (http://www.sans.org/appsec-2010/).

We've got a fantastic line up of speakers and panelists including:

Start making your plans today to attend!

David Rice

Chairman, What Works in Application Security Summit 2010

Operating, but not with confidence

The news that Google and 30 other U.S. companies were victims of “highly sophisticated and targeted attacks” is not new or surprising. Cyberattacks have been increasing in scope and sophistication for more than 15 years. What is interesting is the direct challenge by the U.S. Secretary of State, Hillary Clinton, and what this event reveals.

On January 12th, Mrs. Clinton stated the following:

"We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in a modern society and economy."

This statement is a direct challenge to Beijing, which in the art of statecraft, is both bold and stern. There are only a handful of times the United States publicly confronted Beijing leadership on matters of cybersecurity. Though Mrs. Clinton’s challenge likely will be brushed aside by Beijing, the kerfuffle is evidence that cyberspace conflict is heating up. At root, insecure software.

Quoting ComputerWorld:

Sources familiar with the situation say that more than 30 U.S. companies, including Adobe Systems, were hit by this targeted attack, which Google first discovered in mid-December. Using an attack that exploited an unpatched bug in widely used software, the attackers were able to gain footholds in these companies and siphon out valuable intellectual property [my emphasis].

Google is right to call foul and Mrs. Clinton is correct to challenge Beijing, but the United States is equally remiss in failing to directly challenge a cold hard fact: preventable vulnerabilities in our own software are undermining our "ability to operate with confidence in cybersapce." Beijing deserves to be scolded; they are not the only ones.

A different approach to cybersecurity for 2010 and beyond.

I strongly believe that our futures are shaped by the questions we ask. Poor questions manifest poor results…and disappointing futures. To date, cybersecurity has delivered abysmally poor results. Every significant indicator of cybersecurity is heading in the wrong direction. Cybercrime is pandemic, on-line fraud is exploding, economic incentives for attackers are increasingly compelling, nation states are becoming more aggressive in cyberspace, cost and complexity of cyber defense is rising, skill gaps are widening, and desired outcomes of cybersecurity strategies regularly fail to materialize, just to name a few.

Cybersecurity’s abysmal results are often blamed on the sophistication of cyber attackers, ambivalent and/or ignorant owners of IT systems, lack of national leadership, and ignorant and/or uneducated and/or unaware users.  Everyone and everything is to blame, it seems, for the sorry state of cybersecurity, except us – the cybersecurity community.

I believe cybersecurity’s abysmal results are driven by our poor questions, not by our customers or adversaries. After reviewing security-related news stories from 2007 thru 2009, and wading through the litany of 2010 predictions, I’ve identified at least three poor questions asked regularly and repeatedly:

• Where are the next new threats coming from and how do we get ahead of them?
• How do we get organizations to consistently and sufficiently protect IT systems and data?
• How do we prevent cybercriminals/hackers from exploiting system (and human) vulnerabilities?

These are poor questions precisely because results have been poor…for over a decade by my reckoning. Considering that many national cybersecurity strategies are based on these questions – or at least attempt to answer these questions in part - I am convinced the future of cybersecurity will continue to be an expensive and unproductive struggle. That said, I remain optimistic. Different results mandate asking different questions.

The more promising approach, I believe, for improving cybersecurity in the years ahead is to disavow the above questions, decouple national strategies from answering these questions, and ask better questions, such as:

• How do we make it more expensive for cyber-attackers to exploit vulnerabilities than for cyber-defenders to protect against them?
• How do we negotiate private and social costs of cyberspace activities so that national and economic security is promoted rather than undermined?
• What would it take to drastically reduce the total number of products, processes, and practices for “good” cybersecurity?
• What if end-users did not need to alter personal on-line behaviors to thwart cyber attackers? What would those systems and applications look like?
• What will it take to know our actions are making tangible differences?

Far from simply intellectual exercise, these questions drive different thinking processes, different approaches, and thus potentially different results. But these are just my thoughts. What are the better questions we should be asking for 2010?

Geekonomics is now on Facebook:

Geekonomics on Facebook