U.S. Presidents have always wanted to fix things; that is why they become presidents. Our current President has stated he wants the Department of Defense and other agencies to submit recommendations for US Cyber Security in 60 days. They will. But you will not like their solution. Let’s do something about it.
Here is the original document. Notice it is NOT an executive order yet. This is also not the first time a president has made this stand. But let’s take it seriously.
What is the problem?
Right now we drive the internet like a car without seat-belts. Unfortunately it’s not as simple as “Insert the metal fittings one into the other.” We can get close to lap-belts with the steps below. It will take at least 4 years to get real change. And then we can look at the 5-point harness of race cars.
The scope according to the document: assets, vulnerabilities, adversaries, and capabilities.
This is a good way to get answers, but those answers and questions will come from military thought leaders, not cyber security professionals. What is wrong with that? Replacing the concept of bullet with packet makes everything work, right? You and I know that the physical concepts do not equate to virtual concepts. Many have suggested blocking or breaking the internet [SOPA/PIPA]. Many have said a central authority should have control over encryption [CLIPPER CHIP]. Telling people to be aware works for 5 minutes… well maybe 6. As proof I offer ALL password audits.
Every time people use concepts from the physical world and they push on one side of the cyber balloon, it only bulges on the other side, pushing the problem away, not solving it. We must think differently.
Think in terms of: What are achievable objectives? What will people and corporations understand and support? What will do the most good? What do we have to work with now? What will work without breaking most of the internet? Over the next four weeks I will discuss these questions, but let’s start with the last one first.
What will work without breaking most of the internet?
Standards & Protocols that we already have.
- DNSSEC = Integrity of resolution
- IPv6 = identification of origin and possible privacy
- Certificates = Non-repudiation of source for both people and devices
1. Say YES to fully implementing DNSSEC. If you do, a few things happen: 1. Spam goes down dramatically. 2. Impersonation is much more difficult. 3. We can depend on resolution response. DNSSEC resolution is quality resolution, but current DNS is very easy to attack and has a low quality of trust. Services offered by companies need to be trustworthy; we need to know they are who they say they are. DNS is not trustworthy; DNSSEC is.
The ultimate goal would be DNSSEC reverse resolution for every end point (when you make a query, we know who is asking the question). We need to say NO to DNS. We can do this technically: first implement DNSSEC for all resolution, then block all DNS. Impose filtering by all ISPs and corporate firewalls.
2. IPv6 only, no IPv4. What makes V6 better? Location, Location, our ability to pinpoint LOCATION. What makes V4 bad? Spoofing of location. If we only used V6 we could know where a computer, IoT device, laptop, or mobile phone is located. If you know where it is, jurisdiction is established. Now we know where it is; we can hold someone accountable.
Sidebar: at this point, really technical people are screaming ‘you can still spoof, you can still move around’ – yes but… there is another…
Want to build a wall? You can with internet routing tables. We know that routers route around failure; that is what makes the internet so resilient. That needs to change just a little. I am not in favor of breaking the Internet, but a lot of other countries do it. We are not saying don’t route, just don’t route attackers’ crap/spoofed packets. Do a little inspection.
The rest of the world may not use V6 – fine. That means less trust; less trust means we should limit traffic and increase inspection. If other countries play the V6 game, the U.S. can offer “most favoured nation” routing status. If you break the rules, “Embargo on.”
Choices for those sanctuary ISPs who want to facilitate illegal v4 packets? I don’t mind if you do not want to play the same game, but don’t make us pay for your poor protocol choices. Your poor choice means you shoulder the routing burden and get less trust.
Side benefit of IPv6: it has an optional header for IPsec. IPsec is for encryption/privacy. One of the key components of IPsec is the ability to authenticate endpoints and people via certificates. Which leads me to…
3. Smiles everyone smiles… I mean CERTIFICATES FOR EVERYONE AND EVERYTHING: You want to control the Mirai botnet? If everyone and everything was issued a certificate (X.509), you know the device or the person and you can either block or fix.
If your DVR is a part of Mirai, the ISP can block the one device and not everything you own. If you cannot get your favorite show, you will individually scream at the vendor who sold it. This places the responsibility back on the vendor who sold the poorly-secured device. Oh, the vendor doesn’t want to issue certificates? Fine – but then you have less trust, less bandwidth and the ISP is in control. If the ISP issued the crappy device, then (via certificates) we can attribute bad behavior, see a pattern, and hold them responsible.
We can control who issues certificates or their certificate practices with a little oversight. If we cannot control the CA, then we can control what root certificates we trust. More importantly we can take that trust away when entities hit the naughty list.
Combine these three.
You have the start of a solution that places the burden on the vendors; they can then choose to push that cost on to an informed customer. If we use crappy devices with none of these security features, the receiving end has the choice to reject us. More next week…
Things will break along the way.
Yes, this will break a lot of older applications and IoT. Breaking means fixing. This fixing will direct money to solving the cyber security problem in a very narrow focus.
The Federal government is good at imposing public safety measures like seat-belts. These are safety measures; they will reduce cyber-death but not eliminate it. People need choice (not to wear seat-belts), but the government should make sure seat-belts are there.
So if you do not want to use these cyber security tools, fine. Ignore them at your own risk. For military, government, and large commercial entities, these 3 should be the cyber law.
This is an outline of a solution that I will expand upon with your help below. Now it is your turn to add to the solution. You have a few key technology tools to convert to regulatory tools that don’t break the internet. You have a few tools that allow for privacy. You have a few tools for guiding net neutrality with responsibility. Now it is your responsibility to tell someone. Someone at the DOD, your legislator, your President.
More to come.
My next 4 weeks will be spent discussing:
- What will most people understand and get behind?
- What are achievable objectives?
- What will do the most good?
- What do we have to work with now?