Darwin and cyber security from hexadecimal to Tyranocyber Hex
I sat down to write this letter with the modest aim of listing and briefly describing the range of security threats and describing the current state-of-the-art cures. There were physical security threats (fire, water, theft of equipment or storage media, etc.); human problems (careless, unlucky, unsuspecting, naive or dishonest people); access questions (physical and digital); adware, spyware, viruses and other malware; denial of service attacks; cryptography; financial security… etc., etc., etc. It didn’t take long to realise I would need a book to skim the surface or a rather long paper just to list the threats.
Where do you start when a problem has no end? ICT security is octopus wrestling – pin two arms to the mat and six come up to whack you down.
Pity the poor software developers, CIOs, security forces and everyone else who uses a computer or any information and/or communications technology.
Security is a Darwinian battle for survival. Every sort of attack is eventually neutralised by a better defence; this, in turn, prompts attackers to ratchet up the intensity and sophistication of their methods or look for a new front, a new battlefield, to wage war. Mobile phones are the latest in a long list of battlefronts. You probably have heard of ‘phishing’, the use of bogus official-looking Websites and emails to trick people into revealing sensitive personal information, but have you heard of SMishing? SMishing uses SMS spam messages for the same end. What’s next – Twitching, using Twitter to con people or TVitching, playing ‘gotcha’ on an interactive IPTV?
All these scams use virtually the same mechanism. The phishers ask for confidential information – ID, Social Security, credit card numbers, bank account information and such – via fake Websites or emails from a bank or credit card claiming your account is blocked, an attorney in some godforsaken country promising untold sums of money, a store promising to deposit a credit in your bank account or give you a credit line. The information you send back can open the doors to identity theft and other forms of fraud.
There are many types of security problems besides phishing and other forms of “…ishing”, but it makes an important point – people, themselves, are among the biggest security problems. As Pogo, the cartoon character, said, “We have met the enemy and he is us!” We are our own worst enemy.
Security products abound; some are quite good and others are not worth the trouble and expense. They aim at stopping viruses, network attacks and a host of other problems including many I have never heard of or bothered to think about.
For years, many professionals have complained that software should be inherently trustworthy and safe. If systems were safe, they say, there would be no need to spend untold millions for separate services to lock down the house. In principle, they are right, of course, but in practice this doesn’t happen and probably never can. I am sure university specialists and theorists have mathematically analysed the problem. I haven’t read anything at all about it, but I expect the problem of protecting software will prove to be, as the specialists say, ‘mathematically intractable’.
Anyone who has ever put together a complicated system, with umpteen thousands or millions of lines of code, knows in their heart there is no way to close all the doors and check all the possibilities – it is just not doable. Ask Microsoft or SAP or Oracle or Sun, ask any other company that has ever developed complicated code and they will tell you that no matter how brilliant the developers are or how hard they test and try, someone, somewhere, can eventually find a way to blow a hole in the best defended, tightest, code. That is the way it is today and, since software gets more complicated by the day, tomorrow will be worse. That is why companies that specialise in ICT security of any sort will always have a market – they are the Special Forces, the SWAT teams and the ‘green berets’ of the information society.
I cannot imagine the day when software will be so secure that we won’t need an anti-virus package or a firewall. Perhaps we will need some sort of super software security manager as well, which will constantly evaluate threats to every conceivable internal state of a PC or, yes, cell phone. In the meantime (forever?), many companies are likely to outsource their ICT security to specialised companies or even to the carriers that handle their virtual private networks. It will probably cost less and be more effective for most companies than building – and maintaining – their own 24/7 state-of-the-art security forces.
When attackers can’t find a way to break into the system, they will find a way to break through the defences of those that use it. Computer security is as fallible as we are. All security professionals know that the user is the ultimate backdoor into any system. ‘Social engineering’, fooling unobservant or gullible users to gain access to their secrets or their software, is often, perhaps even more often, a more effective way to crack a system than fancy programming. People can be easier to understand – and get around – than computer code.
Part of the problem, the technical part, might be better controlled if software as a service (SaaS) becomes more prevalent in coming years since the companies that provide it will have to work very hard indeed to make their systems secure and win the trust of users. I say ‘might’ because in a Darwinian world, whenever a stronger shell evolves a bigger nutcracker cannot be far behind. The other part of the problem – the people part – is even more difficult; how do you keep people from making asses of themselves? We have all done it – haven’t we?
The United States’ Oak Ridge National Laboratory has come up with a fascinating and somewhat frightening way of policing the Web. Its Ubiquitous Network Transient Autonomous Mission Entities – ‘UNTAME’ – software deploys ‘an army of software robots’ to scour the Web for malware and evil-doers. What is new are the “cybot entities” that UNTAME sends scurrying through the Web. According to the Lab, they form “collectives that are mutually aware of the condition and activities of other bots in their colony”. This ‘intelligent’ software army, they hope, will collaborate in the task of watching over and keeping large networks like the Internet safe.
All well and good, but an uncontrolled band of software vigilantes roaming the Web might well become a threat in itself. So far, UNTAME is still a prototype; it runs on a closed network in the lab. What happens, though, when it is set loose on the Net? Will it work as planned or will it become a menace? No matter how well you test, you cannot test everything. I expect the designers on the project have installed some failsafe mechanisms – Isaac Asimov, ‘I, Robot’, ‘do no harm’ sort of directives. Will they work?
Here is the frightening part. The collaborative model the Lab is using sounds too much like a genetic learning algorithm for comfort.
For a number of years, scientists have run genetic algorithms in computers to optimise solutions to complex engineering, weather forecasting, financial strategy problems and the like. In the first evolutionary ‘generation’, a number of potential solutions to a problem are run against real data, and each potential solution is compared to the desired result. The best features of each solution that produces acceptable results are selected and combined in a variety of ways to produce a second generation of solutions. The procedure is repeated until an optimal solution is found. Vaccines have been produced by this method that are 250 thousand times more effective than the starting candidates and the orbits of communications satellites have been optimised far beyond the orbits produced by traditional calculations.
Genetic learning algorithms are powerful tools. Although this was nowhere spoken of in any of the reports I have read, the UNTAME sort of collaborative bots will ‘learn’ from one another and will – unless they are artificially hobbled for safety reasons – probably evolve ‘genetically optimised’ solutions to new threats on their own. The developers will, no doubt, insert elaborate safety mechanisms into the code. Nevertheless, software such as this, like a collection of genes, is subject to mutation (a critical bit is dropped or changed) – not all good and not all easily controllable.
Cyber warfare, a software hurricane Katrina, is a preoccupation of the new Obama administration. To combat cybercrime and cyber warfare, experiments such as UNTAME and many other approaches will have to be investigated, but given the power of the tools, and their inevitable adoption by the enemy as well, the escalation of cyber threats has just begun. It is only starting, but are we already evolving from hexadecimal to Tyranocyber Hex?
The next issue of Connect-World India will be published early next month. This edition of Connect-World will be widely distributed to our reader base and, as well, at shows such as Convergence India, New Delhi (19-21 March 2009).
The theme of this issue of Connect-World India will be – It’s more than outsourcing.
The growth of India’s economy, driven by ICT and business process outsourcing, has inspired comment and imitation the world over. The credit given to outsourcing is deserved, but the government policies, astute entrepreneurs and vast number of well-educated and prepared professionals that made India’s success in this field possible are often overlooked. India’s growing ability to source new services and products, not just outsource the operations of others, and its ability to move ahead by its own efforts are also overlooked by those not familiar with the country’s vast pool of talent and potential. This issue of Connect-World India will examine India’s growing strength and look a bit down the road it is travelling.
This issue of Connect-World India will explore the influence of information and communication technology upon the transformation of India, and how India, itself, is transforming technology and processes and helping create a seamless world.