Trade Law Daily is a service of Warren Communications News.

Security ‘Arms Race’ Turning against Defenders, Says Top Researcher

BERKELEY, Cal. -- The tide is turning against network security, and computer networks will be vulnerable for at least 10 years, security researcher Vern Paxson said, speaking at the U. of Cal. here: “The notion that we'll build fundamentally trustworthy systems is a very long-haul notion.” Paxson, who chaired the Internet Research Task Force 2001-2005, teaches and does research at the university and is centrally involved in IT security at Lawrence Berkeley National Lab.

Eliminating vulnerabilities means swinging the stick of imposing liability at those neglecting to protect themselves, Paxson said. But there’s -- availability of insurance against the liability, he said. Setting rates to encourage vigilance depends on development of actuarial analyses and security best practices, Paxson said.

Commercialization of the Internet attack has remade the game, Paxson said. Yesterday’s challenge-driven hacker has given way to profiteering criminal gangs, he said. Profits make a market, breeding specialization and leading competitors to create far more dangerous techniques, Paxson said: “We have this economy emerging, and that is going to accelerate innovation” in attacks.

Paxson displayed easily customized attack tools readily available online from a Turkish-based company with servers in southern Cal. “Check it out: ‘Customer support,'” he noted. Paxson said that as far as he knows, using the software is illegal but selling it isn’t.

Until lately, network security was a fairly even contest between attackers and defenders, he said: “It seems unlikely that this will continue. It seems likely that the attackers will pull away… My bet is the pace of this arms race will accelerate… I hold out hope but don’t know how to drive the efforts in the legal and liability domain.”

Other big trends dramatically have worsened security challenges, Paxson said. After years of rising in a straight line, with growth of 58% yearly, lab traffic has spiked 600% annually since 2002, he said, marking would-be attackers’ “incessant probing of [every] point in the Internet.” And Internet activity of all kinds is far less predictable in terms of entry points to networks than last decade and the early years of this decade, negating static filtering, Paxson said. “Skype bends over backwards to hide on ports” of network devices, he said. The IP phone technology is “aware many sites want to control it, and Skype is adversarial. It doesn’t want to be analyzed or controlled.” Botnets, the “heart of today’s large-scale attacks,” are “even more of a big deal… they'll pick out any port of the blue.”

Worms have been eclipsed by the more effective botnet, Paxson said, confident that the worm will return as a cyber weapon deployed by nations.

Disclosure laws and publicity on personal data breaches are altering security priorities at the Lawrence lab and similar entities, Paxson said. Under Cal.’s breach-notice law, SB-1386, “a single such event costs the campus hundreds of thousands of dollars to the low millions,” he said. When a big university donor learned his Social Security number had been exposed, his response was “'Goodbye to the fat gifts I've been giving,'” Paxson said. And “way up in the threat model is keeping us out of the papers,” he said: “An embarrassing article can cost millions, ‘cause it’s read in D.C.” That sort of network attack ordinarily wouldn’t be among the main threats defended against, since it isn’t necessarily “a disaster for the lab” directly, but now “these really have to go into the thinking of how we're going to defend ourselves,” Paxson said.