html{display:none} The Roots of Cyber Insecurity | Schweitzer Engineering Laboratories

The Roots of
Cyber Insecurity

Video Player is loading.
Current Time 0:00
Duration 0:11
Loaded: 100.00%
Stream Type LIVE
Remaining Time 0:11
 
1x
    • Chapters
    • descriptions off, selected
    • captions off, selected
    • default, selected

    Security is often pushed aside to make way for the convenience that new technologies offer. As interconnection grows, how do we ensure our systems remain secure and defensible?

    Dave Whitehead on reasons why cyber insecurity has spread and how it affects our lives.

    They’re Just Trying to Do Their Job

    Security policies only work if people follow them, use them, and trust them. This doesn’t always happen. Oftentimes, those who write the security policies cannot or do not foresee the realities or emergency situations that workers deal with every day.

    There is an emerging field of research called the Science of Human Circumvention, which studies when well-meaning users circumvent security policies in order to do their job. If people don’t trust the policies, then we will never have truly secure systems. How can we bridge the gap and make security policies usable and efficient?


    “Nurses and doctors circumvent security policies routinely because without circumvention, 80% of patients would die within a few days.”
    —Dr. Sergey Bratus, Research Associate Professor
    Dartmouth College

    It Happens Every Day

    Interconnection is spreading. New technologies are pushed out faster and faster. The number of devices is growing. We rely on computers more and more, and the complexities of our systems and protocols and codes is swelling.

    At some point we have to pause and take a breath. Yes, we live in a more connected world than ever, and that is exactly why we need to rethink our approach to security design and policy. How can we make security convenient?

    “They’re pursuing convenience.”
    —Chris Inglis, Former Deputy Director
    National Security Agency (2006–2014)
    “It’s too easy to fall into this illusion that computers know better.”
    —Dr. Sergey Bratus, Research Associate Professor
    Dartmouth College
    Security is in direct conflict from the trend to connect everything to everything else.
    —Dr. Ulf Lindqvist, Program Director
    SRI International
    “Security becomes an afterthought.”
    —Dave Whitehead, COO
    Schweitzer Engineering Laboratories

    The First Principles
    of Secure Design

    It is easy to get caught up in new technologies, market pressure, and this ability to add on functionality. Some of that is okay, but we have to remember the fundamentals first. We should base our decisions about additional functionalities, policies and procedures, and design on First Principles. Only then will it be easier for us to design and defend systems that are truly secure and efficient.

    “It should be harder to attack a system than it is to defend. Unfortunately, it is usually the opposite.”
    —Dr. Ulf Lindqvist, Program Director
    SRI International

    The Effect of Market Pressure

    Convenience is in high demand, and because of it, this industry has been forced to add more functionalities to our devices. But do we really need all this connectivity, or have we gotten ahead of ourselves? The more connected our devices and systems become, the more vulnerabilities we add. That’s why we must remember our First Principles, remember what these devices are truly intended to do, and limit the amount of interconnection we allow. It’s about finding the right balance of convenience and security.
    “We need to first make a reasonable choice.”
    —Chris Inglis, Former Deputy Director
    National Security Agency (2006–2014)
    “Just because it’s possible to do something doesn’t mean you should do it.”
    —Dr. Ulf Lindqvist, Program Director
     SRI International
    “I think we will see, going forward, a breaking up of systems.”
    —Dave Whitehead, COO
    Schweitzer Engineering Laboratories
    An Ethernet port is a communications barrier.
    —Dr. Sergey Bratus, Research Associate Professor
    Dartmouth College

    The Complexity of Our Assumptions

    Every day, you can see and hear people interpreting the same message multiple ways. Imagine if one of those people had malicious intent.

    This is the problem with complex formats of data design. All code is written under certain assumptions that hold true only if everyone interprets them the same way. When there are too many assumptions, it leads to disagreements, and those disagreements often break security. The solution lies in making our data packaging simpler and cutting out features that give too much privilege to the attacker.


    “We can’t escape complexity. We build complex systems, we want computers to have complex behavior, but we don’t want that behavior to be in exposed code.”
    —Dr. Sergey Bratus, Research Associate Professor
    Dartmouth College

    “There is hope; we should just stop solving those unsolvable problems.”

    —Dr. Sergey Bratus, Research Associate Professor
    Dartmouth College

    “I want to believe that we can create a better future.”

    —Dr. Ulf Lindqvist, Program Director
    SRI International

    It is possible for security to be convenient, usable. We all want security, we want to know we’re safe, and we want to trust our devices. But we also don’t want to feel constricted by security.

    That means we need to rethink our cyber networks and ask ourselves how a functionality or device will be used in six months or five years. How will it evolve? How can it be exploited? If we design with those answers in mind and with our fundamentals, our systems will be both usable and secure.