Execs Urge More Holistic Approach
Executives at three major security providers on Tuesday advocated a more holistic approach to computer security as a means of spurring business innovation, making life easier for end users, and responding to tomorrow's rather than yesterday's threats.
"We continue to see a lot of dancing across the entire security industry and we still haven't hit our stride," Arthur Coviello, EMC executive vice president and RSA president, told a standing-room-only crowd at Tuesday morning's RSA Conference keynotes. "When it comes to security impact on business performance, it's clear we haven't hit our stride."
Coviello advocated a "thinking security" approach that would help security become a business accelerator rather than an inhibitor. According to recent IDC research, more than 80 percent of technology executives admitted that their organizations have shied away from business opportunities because of security concerns.
A thinking security approach would also address the knowledge gap that plagues users. "Security is viewed at best as a necessary evil," Coviello said. "Security practitioners are viewed as people preventing the business from doing what the business needs to do."
Security officers must learn to manage risk instead of trying to eliminate it. He recommended a strategy of evaluating exposures, the probability of those exposures being exploited, and the consequences if they are, then coming up with a plan to reduce the risk. "That's what the business is looking for so that's what you need to provide them," he said.
Besides being less costly, that type of approach would also prove more effective. "If you focus on security as an end to itself, or as the threat du jour, costs will skyrocket and you will deal with the problems of yesterday," he warned.
Thinking systems should be autonomous, automated, and able to understand and safeguard data throughout its life cycle. Security professionals should build tools that behave as users do rather than forcing people to think the way the tool thinks. Rather than being conceived by security professionals alone, such tools should be developed in collaboration with practitioners and business executives, and should be either intuitive or seamless and transparent, he said.
According to Symantec Chairman and CEO John Thompson, in today's distributed and mobile environment, lost and stolen laptops, BlackBerrys, and thumb drives are responsible for the biggest losses of confidential data. "We need to move quickly to protect information. Too many organizations are leaking information just like a rusty bucket," he said.
And with a $200 price tag for each compromised record and more than $6 million for a breach, not plugging those leaks is a costly prospect.
Thompson expects whitelisting to become more important if the growth of malicious software continues to outpace the growth of good software. There's also a need to expand beyond the enterprise to make sure consumers are protected. And he predicted that digital rights management for the enterprise will become "a true reality."
Thompson called for what he called an "information-centric approach to security," which he described as taking a risk-based approach to protecting confidential information.
Information-security processes also need to be consistent across the business, and data should be protected whether it's at rest, in motion, or in use. "We need to be able to protect information wherever it may be," he said.
And controlling the mobile environment is crucial. "Some are still focused on protecting the network to keep a given threat at bay. But they're fighting yesterday's threat," he said.
Craig Mundie, chief research and strategy officer at Microsoft, talked about his company's end-to-end trust proposal, the subject of a paper being released at RSA. "You can't look at one piece. We really need to stitch these things together in one complete way," he said.
In such an environment, you have to trust not only the operating system, but devices, applications, and people too. Mundie invited security professionals to help develop the strategy. "This end-to-end trust model is the place where we'd like to get people to go to begin the dialogue. We can't do this by ourselves."
—Margo McCall (04/08/08)
Chertoff Courts Security Industry
Homeland Security Secretary Michael Chertoff came to the RSA Conference with the same goals as any private-sector security executive—to form partnerships, cooperate on solving pressing industry problems, and perhaps pick up an employee or two in the process.
"This is not the federal government coming in to tell you to do something. We have no interest or intention in duplicating a system here," he assured attendees during the conference's Tuesday-morning keynotes. "We want to enable those interested to get the benefit of what the government learns. In days and weeks ahead, we'll be looking to tap into the private sectors for insights, ideas, and dare I say—employees."
If for no other reason, Chertoff urged those in the security industry to do it for their country. "I know some of you will say the government is kind of clunky. It's not cutting edge."
However, he cited the hiring of Silicon Valley entrepreneur Rod Beckstrom to head a new government cyber-security initiative and creation of the Computer Emergency Response Team as a sign the government is making progress.
Noting that the federal government takes cyber threats as seriously as those aimed at the real world, Chertoff painted an alarming picture of what could happen if the US doesn't protect itself from attack. "We could see human and economic consequences that are very much on par with what this country experienced in 2001," he warned.
Chertoff said a single individual or group could use a cyber attack to carry out destruction on the level of that previously done by setting off bombs. Such threats fall into three categories: intruders interested in extorting money or collecting information for financial gain; those interested in government or industrial espionage; and a third, more troubling category—those hoping to interfere with or shut down a system.
Yet, government responses to cyber attacks are hampered by the fact that cyber security isn't solely a federal responsibility. "The federal government does not own the Internet. The federal government cannot be everywhere at once. There is a network that operates in that domain," Chertoff said.
He said last year's botnet attack that shut down the Estonian government for two weeks was a wakeup call to governments worldwide. In light of that, Chertoff said the US government is working to implement 24x7 warning systems at all government agencies, reduce the more than 1,000 access points to about 50, and speed up detection and response times. "We need to be able to detect and analyze anomalies not in hours but in minutes," he said.
There were indications during Tuesday's keynotes that government regulation is very much on people's minds. "If ever there was a cry for a change in public policy, the time would be now," said Symantec Chairman and CEO John Thompson.
RSA President Arthur Coviello described today's regulatory environment as "complex and cumbersome," resulting in companies focusing their security efforts on compliance and audit rather than security improvements. "Any regulation can be interpreted to the extreme. Materiality and risk are not given proper weighting," he said, which can result in make-work projects.
Thompson and Coviello both called on Congress to pass a national cyber security law to create baseline standards for safeguarding information and letting consumers know about breaches. Currently, 40 separate cyber security laws are being considered by state governments.
Coviello also advocated more government investment in security research and training for security professionals. He called Chertoff's presence at RSA "an example of the leadership we need."
But Craig Mundie, chief research and strategy officer at Microsoft, said regulation isn't always the answer. "It's hard to legislate an answer for the future. People become prescriptive about solving today's problems," he said.
Adi Shamir, a computer-science professor at Israel's Weizmann Institute of Science, agreed. As an example of a security regulation that likely won't appreciably improve security, he cited the federal government's $300 million proposal to expand its two-finger biometric fingerprint requirement to all 10 fingers.
"The current system caught 2,000 people who outstayed their visas. If you upgrade it, you might have one more. He will be a very expensive guy, a $300-million guy," he said.
Shamir recalled being asked if he was a Communist Party member when entering the United States. Now, he's asked if he's been trained to operate an atomic, biological or chemical weapon. Just as effective, he joked, would be a self-assessment where foreign visitors would be asked to rank themselves as bad, very bad, or extremely bad.
—Margo McCall (04/08/08)