I just read an excellent article on the cyber security crisis by David Talbot, Technology Review's chief correspondent. My position is that the cyber security crisis is identical to the software reliability crisis. The cyber security industry has a conflict of interest in that it is in no hurry to see the problem solved once and for all because a final solution would put it out of business. Below, I argue that the crisis will be solved when we change to a new software model. I defend my thesis by commenting on a few quotes I selected from Talbot's article.
It Is All About Bugs in the Code
Code is more complex, and that means more opportunity to exploit the code. There is more money to be made in exploiting the code, and that means there are more and more sophisticated people looking to exploit vulnerabilities.The cyber security crisis is really identical to the software reliability crisis because vulnerabilities are, as everyone knows, bugs in the code. And the more complex the code is, the more buggy it gets. What is a bug? A bug is either a defect in the code or an omission, i.e., something important that the programmers and/or designers overlooked. Usually, a savvy attacker will use his knowledge of a specific bug in a software application in such a way as to cause it to behave in a manner that the original software designers did not intend.
So it is rather interesting that the cyber security industry chooses to focus on virus and other malware detection and not on finding ways to construct bug-free code. But then again, why not? After all, the security industry is in business to make money and the more buggy the code is, the more opportunity there is for the attackers, and the more money the industry makes. They have no interest in coming up with a final solution to this pressing problem. Now you know why Eugene Kaspersky, the head of Kaspersky Lab, a famous Russian cyber security company, eats Japanese baby crabs in his Moscow office and grins for the camera. Business is good and getting better all the time. (read Talbot's article for context)
Eugene Kaspersky Is HappyBring in the Lawyers
"Hardening targets--and having good laws and good law-enforcement capacity--are the key foundational pieces no matter what other activities we want to try to pursue," Christopher Painter, the White House senior director for cyber security, pointed out at a recent conference.Now that everyone has given up on eliminating the vulnerabilities that malevolent hackers exploit, it makes sense to bring in the lawyers. The problem with the legal approach is that it is not just criminals that are a threat to cyber security. Governments are engaged in it as well, probably more so than the criminals.
"Botnets are a serious threat, but we're out of luck until there is international agreement that cyber crime really needs fairly rigorous countermeasures and prosecutions across pretty much all of the Internet-using nations," says Vern Paxson, a computer scientist at the University of California, Berkeley, who studies large-scale Internet attacks.In truth, a country's hackers are a national treasure. Why should they incarcerate them when they can use them for spying on other countries? China does it. So do the US, Russia, India, and others. So good luck on getting those countries to vigorously enforce international cyber security laws. Not that the lawyers really care. There is money to be made either way.
What if there were a way to construct 100% bug-free code and a hostile nation finds out about it and uses it to protect its critical systems from your cyber war specialists while at the same time continuing to spy on your country's networks and finding ways to disrupt them? This would create a dangerous situation. My thesis is that there is indeed a way to construct 100% bug-free code and I have written about it elsewhere (see links below). The solution has to do with making timing an inherent and fundamental part of the software model. The only drawback is that it will require a switch to a new software model.
One may argue that we cannot wait for the industry to switch to new software model because it would take years to implement. Legacy systems must be protected right now. True but I contend that it is not necessary to reprogram our entire network infrastructure to gain the full security benefit that comes with bug-free code. By reprogramming a few critical nodes of a network, we can fully protect the entire network against cyber attacks. Of course, every software system in the world will eventually have to be reprogrammed. There is no way around it.
My advice to cyber security policy makers is to take a good look at the folly of our current approach. Unless something is done now that has not been tried before, the whole thing can get very ugly in a hurry. There is a way to solve the problem once and for all but do not count on the cyber security industry to do it. We must acknowledge that the baby boomer geeks have shot computing in the foot in the last century with their Turing cult and their infatuation with the Turing machine. The truth is that the Turing computing model is the problem, not the solution. It is time for the boomers to retire so that a new generation can have their turn at the wheel.
Technology Review: Moore's Outlaws
How to Construct 100% Bug-Free Software
How to Solve the Parallel Programming Crisis
The COSA Software Model
Why Software Is Bad and What We Can Do to Fix It