FALL 2003 Enterprise Security and IT Security:
Engineering Enterprise: What is your perspective on the information security disruptions we seem to be increasingly experiencing in private and public enterprises?

DeMillo: To address this question, we need to consider the contemporary nature of enterprises. The depth of the enterprise as we are used to thinking about it, as we learned about it in textbooks, as we became acquainted with it when we first entered the Web age, is a consequence of what is going on both within enterprises and with the infrastructure that is used to support enterprises. This has profound consequences for IT security. Think about how things have transitioned in large businesses and small businesses during the last 10 to 15 years. One way of looking at the growth of the enterprise is as a set of premises where activities are taking place, assets are being held, and where there are definite boundaries. Vertical integration of enterprises refers to enterprise activities now located across a metropolitan area, across a state, or across a geographic region, to the emergence of globally integrated companies. However, it remains a recognizable enterprise in that the connecting components of the enterprise are owned by the enterprise itself. For example, a closed network, a free relay network, a local area network, an internet, an intranet, or something like a railroad that connects two cities: something that is owned, recognizable, and tangible. During the Internet boom, these things really started to change. Manufacturing and distribution partners became less tightly coupled to their enterprises, so the notion in particular of an intranet became problematic. We also saw extranets opening up the corporate resources to manufacturing and distribution partners. Then, in the 1990s, change continued very quickly, including exchanges and outsourcing. Not only did we open things up, but we also created marketplaces, so that we do not have complete control over who enters our borders and boundaries.
Finally, there was the climactic emergence of the Web and portal technology, and B2B, B2E exchanges. The first time this hit me in a dramatic way was in the employee portal at Hewlett-Packard (HP), when I realized that with one push of a button, I was changing an address that spawned transactions to my 401K, my cell phone service provider, and to many people who were not within any business sphere of HP, but were connected by relationships that were either constructed in real time or on the fly. John Leggate of British Petroleum (BP) refers to the "commoditized enterprise." As John tells us, this notion came about when he was talking to someone in the new Department of Homeland Security (DHS) in the federal government. John couldn't get across the idea that BP does not really own the channels that it takes to connect its wells, suppliers, dealers, or even its customers. Instead, it uses commodity hardware, open-source infrastructure, open protocols, and the Internet. If a planner or strategist in DHS thinks that the energy infrastructure is going to be contained within borders and within a set of business processes that you have control over, forget it. It just does not happen. BP has always been ahead of the curve on this, but you can find many examples where the commoditized enterprise is a reality today, and more and more companies are moving towards this view. The interesting thing about this for an IT dogmatist is the obvious parallel in the evolution of information processing technology. Joel Birnbaum, who was chief scientist at HP for many years, gave me the multidimensional view shown in Figure 1. The evolution of information technology is a series of Moore's Laws: a series of exponential curves followed by inflexion points, followed by discontinuities that again lead to exponential growth. Once you think about it, you can understand how and why that has happened and what is going on. It began with the early mainframe days. 
Then came many computers, distributed computers, computers on desktops. We have all heard about the famous memo from IBM that says, "Forget about any sustained business use for personal computers; only 50,000 of them will ever be sold worldwide." By the time the memo was received at the Management Committee at IBM, there were 50 million in use. As far as open systems, client/server is disappearing and clients, the end points of networks, are the intelligent nodes. Smart handheld devices are not necessarily cell phones anymore, but are remote control devices that we can use to access an array of resources including open global services, from Microsoft, for example. We have access to services that are assembled when needed; we negotiate identities, negotiate authorizations, and then they are torn apart, torn down, and disappear. They literally do not exist when they are not needed anymore, so each of these waves, each of these exponential mini-Moore's Laws, has given rise to a set of capabilities that has enabled the commoditized enterprise.

EE: What does the emergence of the commoditized enterprise mean for information security?

RD: At the most basic level, it means that this picture is grossly wrong because it is based on the left hand side of Figure 1 and on a glassed-in data center that has a perimeter, or at least is connected by railroad tracks that we own. Imagine all of the defenses that it takes to guard this perimeter: IT resources, security alarms, chemical means for controlling fires, intrusion detectors, and all the things it takes to keep people out of our space. The ways in which we defend this type of perimeter are very much in line with the classical view of war fighting that the United States has built into its military planning since the inception of the Republic. That is, we have an estimation of what the attacking force is going to be, and we overwhelm the attacking force with counterforce. When the counterforce mounts, we overwhelm those forces.
This actually works reasonably well in a traditional environment. The difficulty is that in the real world, we have people that do not play by the rules. What we are trying to defend has now evolved from a border or theater of operations, which we can array forces around, into a much more ambiguous world of asymmetric warfare. There are people and groups pursuing complex ends inside your perimeter that you do not fully understand and cannot attack with overwhelming force without destroying yourself. The whole idea of asymmetric warfare is that this countervailing balance of attacker and defender simply does not make sense anymore. And we saw what that means in real life in the most recent Gulf War. The insistence on agile military forces reflected the fact that we are not defending a perimeter. We do not have a theater of battle; rather we have people moving all over our sphere of influence. Returning to our earlier example, what does it mean for BP to defend its perimeter? BP does not have a perimeter. BP is in every gas station that pumps BP gas. It is in every well, every supplier of parts to those wells, and it is in Bechtel, which is a subcontractor to BP. We can go through all of the ways in which BP interacts with the world, and that is the enterprise. So any threat that BP is going to see to its infrastructure is very much an asymmetric threat.

EE: What changes for information security when threats are asymmetric?

RD: Asymmetric threats in the IT world mean some very special things. They obviously mean there are no perimeters to defend, which is a very big change. You do not have a guard sitting at the door because there is no door. Indirect attacks are the common mode of attack. People are not going to approach you head on; they are going to approach you in ways that are not anticipated by your defense.
Things like insider threats become the dominant risk in the enterprise, which means that when we look at the newspaper or see what is happening in the world of IT security, asymmetric threats abound. We have to recognize that our own security depends on the security of everyone else we are connected to; if we are connected over an open network, that means everyone else in the world. It is a growing set of people that we are depending on. Think about it. Why does Microsoft get beat up for Internet security violations? Because that is where the money is. Why do people rob banks? That is where the money is. Why are there relatively few muggings on deserted islands? People do not live there. Everybody lives on Microsoft infrastructure, which is why we see the incidents rising. It is an interdependent war. Those little mini-Moore's laws in Figure 1 are also attack scenarios, or threat scenarios. People are using automation to mount sophisticated attacks against infrastructure, and we can see this in things like distributed denial of service attacks. It is not that we are accessing resources that we are not supposed to access; it is that we are flooding resources with so much traffic that they cannot respond, and they cannot do what they are supposed to do, which is what a "denial of service" is. This may be a sophisticated concept, but it is not the infrastructure that we are attacking. We are attacking the value of the network. Metcalfe's Law says the value of a network grows in proportion to the square of the number of nodes in the network. The only way the network has value is if we can talk to someone; so those connections between people attached to the network are where all the value is. So, it is enough to get access to the transactions; it is enough to find out what is going on; it is enough to spoof a resource; and it is enough to convince someone that you are person A and not person B.
It is an attack against things that do not really exist in the sense that a glassed-in data center exists.

EE: What can we do to win, or at least hold our own, in this asymmetric information warfare?

RD: At some point you go to the executive suite and you whisper in the right ear that there are these people out there trying to get us. What are we going to do about it, boss? That's a great question. One of the reasons I am delighted to be back in academia is that I do not have to answer that question anymore. I can just raise the question. It is not an easy concept to align responding to those kinds of threats with business value. What you would like to say is that investing in security is like putting a padlock on your garage or locking your car. You would like a straightforward return on investment analysis for IT security. As you increase the level of security, you take down the cost, or at least the expected cost, of a security breach, because you are taking down the probability that a breach is going to occur. What does it cost you to do that? You have to invest in the cost of security countermeasures. You want to be sure that your bike is not going to be stolen? Put a bigger lock on it. The bigger lock costs more money, but it means that the guy walking down the street is going to have to get a bigger pair of wire bolt cutters in order to get at the lock. So those two ends of the spectrum are in balance with each other at some point where the investment makes sense. This is an analysis by Bruce Schneier (see Figure 2). The optimal level of security at minimal cost is going to be somewhere on this curve. The difficulty with the analysis is this idea of indirect attack. This assumes that you know what the right countermeasure is going to be. It assumes that you know that people are going to try to cut the lock on the bike rack, as opposed to driving a pickup truck and lifting the bike rack onto the back of the pickup truck and driving away with it.
You can see that in a variety of scenarios. Encryption is one of those security technologies that is unassailable. It is mathematical, it is beautiful, and you can sell it. Companies distribute public keys over the Internet. Those of you who use the Internet regularly have a bazillion keys sitting on your desktop or laptop now. It is part of the fabric of commerce these days, and one of the compelling things about encryption is this: you know that the cost of breaking 128-bit RSA encryption is going to be about $20 million. Why? That is the cost of the machine that can break RSA encryption. If you do not have this machine or have not made the investment, the probability of compromising the crypto system is way down near zero. There may be some instances where you can find some things out by accident, but it is not until you get enough resources or invest enough in your attack infrastructure that you raise the probability to "one." The behavior is quite striking, and it gets to one right away. Once you have the machine, you may think you have things knocked. What's the problem with that? The problem is that people are much more cost effective than $20 million cryptanalysis machines. It cost $2.5 million to buy Aldrich Ames; $1.4 million for Robert Hanssen; Robert Walker was had for $1 million, and poor old Mr. Pollard down here was bought for $50,000. What does that do to the analysis? As you start to buy off people who know things, I can no longer make any guarantees that my investment dollar is buying me more security. The asymmetric threat makes it difficult for the return-on-investment analysis. What are you willing to pay for security? Sprint figured out 20 years ago that you were willing to pay for hearing a pin drop; you are willing to pay for a quality of service guarantee. Perhaps you will also pay for IT security.
I will pay for a closed network; I will pay for the modern equivalent of a closed network, provided that you can instrument your open network and make quality of service guarantees about who is on it and what they are doing. There is a business model behind this because service providers make money every day. Actually, these days they do not make money, but in normal times they could make money by providing quality of security guarantees.

EE: How has September 11th affected the ways we think about and address these issues?

RD: One of the discussions that has taken place nationally and internationally is that the homeland security problem is really an enterprise security problem. It is an enterprise that has blown up quite literally, but also figuratively. We live in a country without borders; we live in an economy without borders. We connect and disconnect and provide services in ways that are difficult to understand and model precisely as a business enterprise. Homeland security is really an enterprise security problem. As a country, we are on the verge of investing billions of dollars in homeland security. Are we doing it wisely? Probably not. If you look at the DHS budget, you find billions of dollars for very traditional defenses, such as handheld devices for first responders and chemical foam for mounting defenses against a chemical attack. We are making investments in bioterrorism, when in fact the lesson from the 1960s about how we built our arsenal to confront the Russians is that information technology is almost certainly going to drive the problem. What did we see in the last two Gulf Wars? We saw flying computers and flying computer programs. We take it for granted now, but as we look at the laser-guided weapons hitting their targets, we forget the many articles that said, "There is a software crisis; none of our weapons work."
We built weapons without thinking that they were going to be flying computers, and we found out, later, that it was very costly to fix problems. It took a lot of investment that we did not have to make and could have gone into other things, like accelerating the development of the Internet by many years. We are at an inflection point today in deciding how to invest in homeland security as an enterprise problem. You have to look at it as an information technology problem. We already know, to a large extent, the technologies that need to be invested in and the kinds of technologies that we need to invent over the next generation. We have known it for some time, but we simply have not invested in them.

EE: Are there any especially important success factors in addressing this enterprise problem?

RD: One in particular: this stuff is just too complicated. The whole world of IT is not human-centric. It is box-centric, it is protocol-centric, and it really is a conglomeration of processes and knowledge and legends that have grown up with this technology for the last 20 years. Widespread deployment of technology, widespread use of the technology, and widespread extraction of value from the investment are going to be difficult unless it becomes much more human-centric. We think of information security as a technology problem, a business problem. However, it is also a mindset problem, and somehow this stuff has to become much more "human-centric." People have to drive what is going on. The technology should not drive what people do. I expect this insight to form the basis for what happens nationally on the R&D side. We are excited about this at Georgia Tech, but it remains to be seen how widely the message is received and understood.

EE: Thank you, Dean DeMillo, for your ideas and insights into an enterprise-oriented view of information security.