(A)bort, (R)etry, (I)gnore: Perspectives on Information Security

Threats to privacy exist in a number of forms. What is interesting about the following case is that the government is using the prosecution of someone who is probably guilty of breaking drug laws as a vehicle to expand its surveillance powers over law-abiding citizens. This is akin to the story of the motorcyclist in Maryland who was charged with wiretapping the police that pulled him over simply because he had a helmet cam. If the government can’t tolerate being observed, taped, recorded, and tracked, than why should citizens? Is not the citizen supreme? Doesn’t the government exist to serve the citizen, not the other way around?

http://www.time.com/time/nation/article/0,8599,2013150,00.html?hpt=T2 (Time.com)

It seems like we’ve reached a state in the US where the value proposition of living in a “free” republic has become less meaningful. Four hundred years ago, European settlers were quite willing to live on the frontier, braving the dangers that come with little or no infrastructure in return for the freedom of self-determination. In contrast, modern America seems to have become addicted to too many comforts; in the course of “outsourcing” the maintenance of law and order (so that we can continue ordering Starbucks, sending Tweets, and watching American Idol), we’ve given away extraordinary powers to those “security” institutions.

And here is the irony of it all — these institutions, faced with solving an impossible problem (the security and safety of every citizen) continually request (or seize) even more power, justifying said initiatives by claiming they need yet another power to keep us safe. This gradual process inexorably ends in a police state: there is no other social attractor at the end of this particular road. Only a determined and vigilant effort at reducing the size and scope of government power can combat this tendency. It likely takes civic leaders willing to assume a short, unspectacular political career: they come in, fix the problem, upset some portion of the electorate, and subsequently get voted out.

I was recently cited, among others (including Sal Stolfo and Chris Kruegel), for a Politifact article by Lukas Pleva on whether it was possible for private industry to shut down the Internet as a protection measure during some large-scale cyber attack with or without some form of government involvement:

The article is here:
Glenn Beck Host Says Obama May Soon Be Able to Shut Down the Internet

Although the folks cited in the article generally agree that the technical capability to do such a thing exists in the private sector, the experts question either the wisdom of such a move or the probability of such an action actually occurring without some form of high-level coordination between their corporate overlords and either the military or some civilian government agency.

The question of whether the government should have its hand on an Internet Kill Switch (this phrase itself smacks of hyperbole, and may be an overreaction or misrepresentation of the actual proposed legislation) has been raised largely due to provisions in recently proposed legislation, a previous version of which this blog has commented on before. This new round of media hysteria was prompted by Joe Lieberman’s resurrection of a similar, but more measured (by some accounts) idea. Schneier recently blogged about his take on this whole controversy.

Both obvious and subtle questions exist here, including:

1. What does “shut down” mean?
2. How complete would this shutdown be?
3. Is it desirable to shut down the Internet during a cyber attack?
4. Is it technically possible to do so?
5. Is it administratively or politically possible to do so?
6. Do private Tier 1 ISPs need either government permission or {techincal, logistical, communications} assistance to unplug?
7. How fast can this shutdown event take place?
8. Where should ultimate authority for such a move rest?
9. Under what conditions do we plug back in?
10. Are there alternatives?

We’ll try to deal with these below one at a time. Briefly, the answer depends on what type of threat it is, what “shutting down” the Internet means, and whether we distinguish between an administrative decision to shutdown versus a technical action to accomplish or realize this shutdown.

Disclaimer: There are only a few folks on the planet who fully understand the subtleties of controlling BGP and interdomain routing and working with it on a daily basis; I don’t pretend to be one of them. I’ve studied the basics of Internet routing along with academic research on routing security issues, but I’m willing to take correction or feedback if I’ve gotten something wrong.

1. What Do You Mean by “Shutdown”?

This term may entail a different series of actions and events to different people. I take this term to mean to termination of layer 3 (e.g., IP) connectivity and the termination of the BGP routes between major U.S. & North American ISPs and the rest of the world. Such a termination in connectivity could be accomplished in any number of ways (some of which are more realistic than others), such as (1) physically unplugging or severing border router links, cables, and fiber, (2) setting up traffic filters on border routers using their installed software (e.g., using IOS)…such a step is quite similar to setting up “firewall” rules for network packet filters like BSD pf or Linux iptables/netfilter, (3) stop announcing BGP routes or issue BGP route withdrawal messages, (4) setting a pack of rabid backhoes loose near network POPs and peering points.

“Shutdown” could also entail the activation of a large number of network filters looking for certain flows, content, or source addresses, networks, or routing prefixes (in the core, these are essentially the same data). These filters would have the effect of limiting traffic from flowing without completely disconnecting machinery or routing paths or implying some type of shut off or power outage.

2. How Complete Would the Shutdown Be?

There are private-sector companies (i.e., large Internet Service Providers or ISPs) that control much of the core Internet infrastructure (e.g., interdomain routing and DNS) that could shut down this infrastructure (i.e., the servers running these protocols) during some kind of global conflict. While it is true that there are a large number of ISPs, only a few really big players exist, and if they decide to terminate connectivity, this action would involve a large chunk of the network. Such an action by “US-friendly companies” would take large sections of the US and some other countries offline (the US serves as a transit network for a lot of worldwide traffice simply because many types of communications lines pass through us).

Such a shutdown would necessarily be incomplete. The Internet was designed by DARPA-funded scientists to be resilient even in the face of widespread nuclear attack. Taking the US routing infrastructure offline would still leave the rest of the world connected, and after a period of a few minutes for routers to reconfigure routes, the rest of the world would be exchanging traffic (probably more slowly, since the US contains a lot of high-speed links), but connected nonetheless (modulo some specific unreachable destinations simply due to how the physical and virtual infrastructure are connected). Many smaller regional ISPs have peering agreements and relationships that would still enable some traffic to flow, albeit more slowly (or possibly not very widely).

The bottom line is that no single company (or government) has the ability to shut off the Internet as a whole, but a small number of companies could disconnect large segments of it if they both chose and agreed to do so (which entails some administrative oversight giving permission to such a drastic change, since ISPs are paid to route traffic: no packets moving, no money).

3. Do We Want to Shutdown?

I think legitimate concerns exist as to whether a shutdown provides the right response in any reasonable case. While we have been conditioned by certain software practices that a reboot or reinstall is the standard way of getting back to a known good state, terminating the global instance of BGP (or a large portion thereof) represents a risky (albeit fascinating) and uncontrolled experiment.

Also, in most cases, eliminating this infrastructure would be the absolute worst course of action system defenders could take, as it greatly reduces communications (email, VoIP, social networking) that defenders require to coordinate against a large-scale threat. Even in the most dire of circumstances (i.e., whatever movie-plot scenario one might imagine), such action really isn’t an option — there are many ways to filter or reduce certain types of traffic that would be much more effective than simply severing links.

4. Is it Technically Straightforward to Accomplish This Shutdown?

I claim that it is technically “trivial” to shut down the US part of the Internet. Private-sector companies run this infrastructure, and their network operators have the skill and knowledge to configure it. In fact, accidental misconfigurations that severly disrupt connectivity occur quite often due to simple human error; see, for example, the AS7007 incident. One need not ask the US government for a technical aid to the shutdown process. This process should be as simple as pressing the right buttons — although I don’t know if these technicians actually practice such a maneuver or plan for it. Even if they do, I take it as given that they might make mistakes in the heat of the moment.

5. Is it Administratively or Politically Straightforward to Do So?

I’d say “no” and give as evidence the furor over this topic. I think that the political world tends to view the Internet as akin to any other piece of infrastructure (roads, water system, electrical grid), and I doubt that analogy provides a serviceable one. In the case of an Internet-scale attack on US information infrastructure, I don’t think that the conditions for the President to request a shutdown are clear or at all well-understood: the administration would almost certainly require private-sector analysis to inform its opinion. Furthermore, from a technical standpoint, this is the “nuclear” option, and we have no technology that tells us “how bad” a cyberattack actually is: are we being tickled with a feather, walloped by an anvil, or smacked on the backside with a plastic shovel? A misjudgment and overreaction here could be a cure much worse than the (misdiagnosed) disease.

6. Do Tier 1 ISPs Require Corporate, Political, or Military Involvement?

This answer depends on the definition of “involvement.” Much of the argument on this topic has been phrased in absolute terms: an administration would have sole command authority to issue an “Internet Kill” order. While government has not restrained itself from overreaching in the technical sphere before (see, for example, the downsides of CALEA and its invasion of the academic sphere), I doubt that political authority over the Internet would really assume this kind of authoritarian form (my personal politics make me extremely uncomfortable with this level of government control, so perhaps this is wildly optimistic thinking on my part). I don’t think that the government would either command or require ISPs to seek permission to enact large-scale filtering.

Nor do I think that ISPs would need a government whip to work together. Although ISPs compete with each other in a number of dimensions, and policy dictates the actual routing, ISPs also peer with each other and cooperate on a range of issues.

I don’t think that the ISPs need government assistance in terms of logistics; there is no need for the government to setup a hotline, website, or working groups, committees, panels, etc. to help ISPs talk with each other during such an emergency. Such communication could happen over the channels that ISPs already have established (some of these are informal contacts such as network operators sharing cell phone information) for Internet-scale emergencies (these happen regularly due to simple misconfiguration or failure of physical infrastructure).

In fact, the relationship is almost exactly the other way around: government requires industry assistance in terms of information, data, and analysis in case of such an event.

I do, however, concur that some part of the government would want to be in the decision loop for taking such a drastic step. They may not actually give the go-ahead or command that it be done, but I suspect that they’d want veto power or at least a warning that the business community was about to do this. This organ might be DHS, DOD, DNI, Interior, Commerce, NSA, or some other agency…I doubt the government has a coordinated plan or point of contact for such events (which I suspect was the intent behind the relevant clauses in the Rockafeller-Snowe bill to enable the executive branch to make such a call). I see this legislative attempt as a symptom of a government/administration that is on the verge of “getting it” in terms of the importance of critical information infrastructure, even if the expression of this awareness is to introduce clarity in the form of additional executive branch power over private commerce.

7. How Fast Could the Shutdown Take Place?

Network operators — the actual technicians in charge of routers and other network equipment — are a small, fairly tight-knit community. Even though these engineers work for many different companies, they (at least those working for the major players or Tier 1 ISPs) know each other quite well, and NANOG holds regular meetings. Informal cooperation happens all the time. I expect that in an Internet-scale emergency (as there have been in the past), this community would be in touch with each other quite quickly: so it is conceivable that they could coordinate a response to a major event and terminate basic connectivity within a matter of hours or minutes. Such a move would probably require some cooperation and coordination from both the political/military world as well as corporate approval. I assume that some minimal coordination happens before admins start typing at keyboards…but in a flat-out emergency, shutting off network interfaces can be accomplished very quickly.

Once either corporate leaders (alone or in consultation with civilian or military leaders) reach a decision, the technical difficulty of shutting down routers and other networking equipment can be accomplished within a few minutes. The bulk of any delay in reducing connectivity almost certainly rests in the human and policy decisions necessary to give the green light to such activity. I suspect that Tier 1 ISPs have some business process (independent of government regulation or cooperation) that requires VP or Director-level permission to execute such an action.

Where Should Ultimate Authority for Such a Move Rest?

This is the whole point, isn’t it? The answer depends on your politics. From a technical perspective, this is the difference between “policy” and “mechanism.” The mechanism is in place and sits almost entirely in private hands. The policy is distributed across the private and public sector, and I’m willing to believe that factions exist in both spheres that respectively (1) want and (2) abhor the responsibility for making such a call.

Under What Conditions Do We Plug Back In?

I see this question as more important than the others. Pulling the plug is a decision made under a certain set of circumstances and with a certain set of criteria in mind; have the politicians planned for when it will again be “safe” to plug back into the Internet? How will they know for sure? Do they realize that the Internet is already a very loud and risky battleground, and that we run this risk every day? Should all commerce, community, and information exchange grind to a halt simply because a few politicians and White House advisors got a bit nervous during a particularly loud cyberattack? Can the US financial markets and other information infrastructure be offline for extended periods of time?

This question highlights how (from a technical perspective) the issue of an Internet kill switch (either public or private) seems a bit nonsensical: it is overkill and almost certainly something likely to be used in a knee-jerk fashion with no thought for the recovery complexity. There is probably a good analogy to be made here that illustrates the self-defeating futility of disconnection, but I can’t think of one at the moment.

What Are the Alternatives?

The deployment of “reasonable” alternative defenses or reactions differs based on what type of attack we have to consider. Companies (including large ISPs, but also your “average” Fortune 500) have a variety of other internal defense mechanisms against cyberattack (coordinated or otherwise), but the efficacy of these mechanisms varies widely, and the effect is almost always local or limited to their own network infrastructure.

More Resources

For understanding interdomain routing, a good place to start is Tim Griffin’s page. You can move on to JI’s Fall 2002 Internet Routing course at Columbia and then Radia Perlman’s Interconnection’s book.

The company Renesys also provides deep, wide analysis of Internet-scale phenomena and conditions. At least in the public world, they have no serious competitor.

[Updated 15 July to point to Schneier's blog post. -Ed.]

I recently spent 11 days in Hanover, NH at Dartmouth College leading the SISMAT (Secure Information Systems Mentoring and Training) summer seminar. This seminar is one part of a comprehensive training, job, and research program for undergraduates. Students go on to an internship in information security and then a follow-on research project at their home institution under the guidance of a local faculty mentor and with occasional advice and support from us.

This year was the third year of SISMAT. Sergey and I refreshed the curriculum and implemented some changes inspired by the “failure modes” learning pattern we (inadvertently) discovered during last year’s seminar (as described in our March SIGCSE paper).

Briefly, the failure modes philosophy holds that students learn topics (e.g., networks) more naturally by observing the interplay in failures of a system (e.g., at layer 2 and layer 3 when certain services or connectivity don’t exist). This learning style seems more informative than just hitting students with the standard code pattern for opening a socket in C or Java. We tried to apply this principle (along with some other Hacker Curriculum principles) to other areas of the craft, including hands-on exercises with Web application vulnerabilities, disassembling various pieces of shellcode, and analyzing the detritus of a real intrusion.

SISMAT is always a lot of fun, and this year we had a great group of lively and talented students who are now well on their way to becoming (ethical) hackers. So far we’ve had 23 students go through the program, and we’ve had about a dozen faculty mentors from these students’ home institutions. We’re in the process of tracing how their projects and future careers have gone.

With severely limited funding for innovative cybersecurity education programs, we’re happy to do our part to fulfilling the need for well-educated information assurance professionals (and we’re grateful to the organizations that have funded us so far). It’s too bad that the prevailing opinion is that nothing fundamental or innovative could possibly happen in the education space: basic research into techniques, mechanisms, and systems is valued much more than actually producing well-educated cybersecurity professionals.

Today there was a meaty post (on the longish side, but worth it) on the DailyDave mailing list about ethical disclosure of vulnerabilities with respect to a recent Microsoft vulnerability.

http://lists.immunitysec.com/pipermail/dailydave/2010-June/006130.html

Juicy tidbit:

“So since most researchers in the security community
have had their spines and sense of justice/fairness contractually
removed by their respective employers, I’d like to comment on some of
these topics. The purpose of my mail is to call out (by name) the
individuals, “journalists”, and companies that manufactured the
controversy for their own benefit.”

There seems to be powerful motivations from both companies and “news”-hungry journalists and bloggers to spin tech events any way they want them. Besides the main point about curtailing the motivation for ethical vulnerability research, I suppose this episode serves as a cautionary tale in terms of the credibility of the “new media.”

Intelligent comments desired:

http://cybersecurity.nitrd.gov/

http://www.whitehouse.gov/blog/2010/05/19/help-change-game-cybersecurity

Recently, this story about a researcher “infecting” himself with a computer virus has made headlines in all sorts of computer press (e.g., Techworld, Slashdot, and Financial Times — this last via ACM Technews).

The MSN article states: “University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus.”

This statement simply isn’t true — not because he wasn’t *infected*, but because *he* wasn’t infected. The same outcome / lesson would have happened if:

– the chip was on a USB stick in his pocket or keychain
– the chip was tied to a piece of string around his finger
– the chip was glued to his finger
– etc.

All this publicity stunt teaches us is that you can purposefully insert code onto microchips that have an RFID radio. Shocking. This kind of activity has an impact on the credibility of the computing profession because IT folks (among others) ask themselves in amazement: “PhDs get paid to do THAT? It isn’t even research…”

The underlying issue is about the permeability of the definition of the word “human” — I guess his message is that people are more likely to consider small, unobtrusive devices as part of themselves.

Anyway, this line of thinking is a couple of years old:

http://www.rfidvirus.org/

M.R. Rieback et al., Is Your Cat Infected with a Computer Virus?, in Proceedings of the 4th International Conference on Pervasive Computing and Communications (PerCom2006), pp.169-179, Pisa, Italy, March 2006.

The DHS is indeed committing to hiring 1000 clearable US citizens over the next three years. If you’re interested, you can “attend” their cyber job fair:

http://www.dhs.gov/xabout/careers/cyberjobfair

They are looking to fill these types of roles:

• Cyber Incident Response
• Vulnerability Detection and Assessment
• Networks and Systems Engineering
• Cyber Risk and Strategic Analysis
• Intelligence and Investigation

I’m glad that this amount of hiring is happening, but I’m still unconvinced that this will bring DHS (and the American people) 300 high-quality cybersecurity professionals per year. I’m guessing 80 to 90 percent of the hires in any given year will be trainable Computer Science and/or Computer Engineering B.Sc. students — those who can gradually obtain cybersecurity skills over the course of their govt. careers. And that’s not necessarily a bad thing, except that in three years, the US cybersecurity defense posture and capabilities won’t be measurably improved.

One thousand extra people does not translate directly into an improvement — not at the rate at which network traffic flows, attacks and exploits of software vulnerabilities happens, the complexity of real systems software increases, new technologies come on line, etc. Most of the roles that DHS is seeking seem to be more on the strategy end of things rather than the tactics or operational side of the house — and I see that as a good thing, but it’s easy to misuse a sudden influx of manpower on the tactical side, even if they’re initially meant to have a strategic, forward-looking focus.

It looks like a manual containing information about TSA screening procedures has been posted to the web (with yet more poor redaction — will they never learn? Actually, software vendors should really improve their redaction function to eliminate all versions of sensitive info from the given file, and prove it to the user).

http://us.cnn.com/2009/TRAVEL/12/08/u.s.tsa.training.manual/index.html

Although most quotes in the above article express alarm and frustration at the release of this “sensitive” information, and the TSA claims that the information about procedures is “outdated” and “unimplemented” (which I see as simply a thin way to re-create some uncertainty in an attacker’s mind), I see this sort of release of information as a good thing: it lets the traveling public understand the actual level of security the TSA achieves rather than some vague, fuzzy notion of safety.

Responsible or ethical disclosure of information (be it vulnerabilities, exploits, proof-of-concepts, proprietary or confidential information, etc.) has long been a favorite sawhorse and controversial subject in the information security community. At least some forms of whistleblowing have some public value, and in general I think more information is a good thing.

The key question, however, is this: if indeed the act of creating uncertainty in an attacker or adversary’s mind has value, why does it have value and how can we measure this value? Although security through obscurity is an oft-derided “technique” (even that word gives it too much credibility as a defensive mechanism), keeping secrets has arguably had at least some value in a variety of contexts (mostly espionage or military operations). The problem, of course, is measuring how much your ability to keep information secret has limited the enemy’s options, and so counterintelligence is needed. Such active techniques, however, seem distasteful as an academic research area, since presumably many of the techniques would require attack techniques, and thus some loss of moral authority (hey, we’re not the “good guys” anymore).

Followup & Updates: (added 9 Dec)

CNN has a followup: some heads rolled (predictably — this is a terribly MAJOR BREACH of national security).

http://us.cnn.com/2009/TRAVEL/12/09/tsa.training.manual/index.html

A good article from Wired:

http://www.wired.com/threatlevel/2009/12/tsa-leak/

The Wired article has a link to an Adobe guide to “proper” redacting techniques.

Finally, those wishing to actually read the manual can download it here:

http://cryptome.org/tsa-smoke/tsa-smoke.htm

Biometrics as a measure of intent dates at least to the polygraph. Humans often do have physical reactions to stress, but does this kind of system employed as a filter for further screening really buy us much safety?

In the name of finding terrorists before they board an airplane, the TSA has adopted a number of “advanced” personal profiling methods: essentially, agents looking for tells, signs of nervousness, or other vague symptoms that may or may not be harbingers of doom.

There are of course many innocent explanations for a nervous manner, sweaty shirt or face, irritated look, twitchy fingers, etc. They include people just having had arguments with their friend or spouse, hurrying to catch a flight, getting caught in traffic on the way to the airport, being recently fired, being nervous about a first flight, having a sweating problem by nature, or hurriedly typing an emotional blog entry or Facebook post into their cell phone.

The TSA apparently believes so much in this approach that they want to scale it up. And the only way to do that is to make a computer do the scanning for you. CNN had this article on October 6th: “Will Airports Screen for Body Signals? Researchers Hope So.”

I like the title, because it’s likely that only the researchers getting paid to conduct this work are hopeful that it will get adopted. There is a really nice quote from the article:

“I haven’t seen any research that shows that those measures from the autonomic nervous system … measuring blood pressure, measuring breathing, measuring heat on the face, are at all related to intent,” said Stephen Fienberg, professor of statistics and social sciences at Carnegie Mellon University.

Spot on! Identity doesn’t measure intent, and neither does your biometrics, if just for the plain fact that your individual heat signature, heart rate, etc. are exactly that: an individual signature about which the population statistics have nothing to say and no predictive power. Forensic psychology researchers involved in creating risk assessment measures (e.g., for criminal recidivism rates) argue about whether such measures can actually predict an individual’s behavior, since the rates of a population don’t determine what an individual released on parole and able to exercise free will (and subject to both the social support and temptations of the outside world) might actually do. For example, measures like the HCR-20 are instruments for assessing the risk of violence, but mainly with in the context of ongoing psychotherapy sessions in a doctor-patient relationship.

Now, as a researcher who routinely solicits money from Federal agencies to support my work, I understand that the scientists involved in trying to create this technology will have some reasonable claims about its limitations and shortcomings. They’ll have a justification for why it will work well, and they may even had made a few fundamental breakthroughs in terms of gathering data from dark or dimly lit faces, bad angles, and the like. Unfortunately, they are also likely to have adopted the beliefs of their funding agency: that this type of profiling works to pick out those engaged in illegal activities or those intent on causing harm to air or rail passengers.

I’d like to see this system made to work from high up above Grand Central Station’s main floor, or in a high school auditorium, a supermarket, a sports venue, or a crowded student center. These are dynamic, real environments, not controlled lab conditions where the subject peers directly into the camera in good lighting.

All that aside, however, this view stunned me:

Civil liberties groups maintain this screening technology is an invasion of privacy. “Nobody has the right to look at my intimate bodily functions, my breathing, my perspiration rate, my heart rate, from afar,” said Joe Stanley of the ACLU.
…
[Project manager Robert] Burns denied the project is a violation of privacy. “We’re looking at signals you give off naturally. We’re not asking for any personal information. We’re not asking anything about you,” he said.

Burns is entirely correct — they are not asking anything about you: they are taking it forcefully from under your nose without permission. Earlier in the article, Burns states that “We’re looking for those signals that your body gives off naturally.” The problem is that technology is allowing government workers to do something that they didn’t have the power to do before. These properties are subtle and not detectable by the human eye when scanning a large crowd: heart rate, body temperature, perspiration under clothing, eye movement, etc.

Although your body does display these properties, it does not advertise them on a billboard: there is no neon sign with your heart rate plastered to your forehead. Why should government agents have the power to effectively augment their five senses to know your physical condition perhaps more intimately than you know it yourself?

This recent Washington Post article highlights the competition between DHS and NSA in their publically stated goals of hiring 1000 to 3000 new cybersecurity professionals per year over the next few years.

I find it extremely doubtful that this level of expertise even exists. The sum total of “real” cybersecurity expertise (in terms of deep technical knowledge and strategic foresight) is probably only on the order of 1000 people worldwide. Yes, there are many people who are operational security experts (meaning that they stare at screenfuls of log entries and pretty pictures of network traces flying by), but there are very few who actually understand the internal workings of systems, the properties that lead to weaknesses and vulnerabilities, and how to manipulate real systems, hardware, networks, and program execution in order to install malware or subvert system control.

Without a commitment to educating such a workforce, it is impossible to hire such a workforce into existence. And as Gene Spafford notes, the NSA CAE (Centers of Academic Excellence in Information Assurance) program isn’t really effective in this regard (nor, might I add, is the NSF Scholarship for Service program, at least at producing the sheer volume of needed workers).