Cybersecurity Strategy: From Hierarchies to Smart Swarms

address to the
Boston University Center for Reliable Information Systems and Cyber Security
April 10, 2006

by W. David Stephenson

Thanks for the kind introduction. But let me tell you a little more about myself: not out of egotism, but because people like you and people like me don’t always get a chance to talk to each other. I think that one of the vital functions of the Center for Reliable Information Systems and Cyber Security can and must be to bring us together for mutual benefit.

What I have to say about my background may leave you thinking that you’re attending the wrong conference. Bear with me — I think you’ll see why how I think and what I’ve done, and the types of insights that people similar to me bring to the cybersecurity issue, may alert you to some aspects of it that are typically not the focus of traditional security programs — but which I argue must be as we face networked enemies in a networked age.

Now for those three things about me that may make you look at your challenges differently.

The first is that I’m an environmentalist.

The second thing is that I am a political liberal.

The third thing is that I’m right-brained and intuitive.

Before you get too worried, let me explain why these things relate to your work.

First, truth to tell, I’m not quite as ardent an environmentalist as I was earlier this winter. That’s when some good soul at the Worcester Telegram and Gazette decided to do the right thing and put some paper from a faulty data run on Boston Globe subscribers’ bank or credit card records in the recycling box. That paper ultimately was used to bind copies of the Sunday T & G, which meant that thousands of us unwittingly had our credit card and/or bank account information exposed to potential thieves. The papers had all sorts of elaborate data protection systems in place, but ultimately one well-meaning individual undid them, putting us at risk. As a result, many of us who hadn’t been affected by Bank of America, Citibank, Mastercard, DSW, Wells Fargo, and Washington Mutual (to pick only a few of the past few years’ data security scandals) have now joined them in losing faith in the private sector’s ability to protect our privacy and our financial information.

I’m not alone in this skepticism: a 2004 Harris poll showed that:

Oh, by the way, I’m not so big a fan of recycling as I was before…

Secondly, as I said, I’m a political liberal.

One of the ways that manifests itself relating to cybersecurity is in my outrage that President Bush, on one hand, trumps the Constitution by unilaterally authorizing domestic wiretaps without going to the FISA Court for authorization. As we found out last week, on the other hand, he can unilaterally declassify information in order to leak it for political reasons. That, combined with my suspicion that one of America’s most recognizable politicians, Sen. Ted Kennedy, was on the No Fly list, and had a heck of a time getting off, has eroded my confidence in the objectivity and protections in government data collection and mining.

Again, I’m not alone. In a January ABC/Washington Post poll:

Combined, these manipulations of data mean that, beyond the objective challenges you face to improve cybersecurity, you now have an additional burden that’s not in your job description: convincing many of us that cybersecurity isn’t highly fungible, subject to threats ranging from unintentional sabotage by well-meaning recyclers to sloppy management practices to political manipulation at the highest levels that make a mockery of lofty statements such as the National Strategy to Secure Cyberspace.

Even worse, in the eyes of the general public, these incidents are cumulative. The real differences between improper use of personal financial data by industry and governmental data by security agencies are blurred if not forgotten. One breach becomes the same as another, and everyone gets tarred with the same brush.

Is that fair? No, but you must deal with it.

Now, for the third thing about me that relates to your mission. I was attracted to the homeland security field after 9/11 for reasons quite different from most of you. I want the people who analyze data that might be relevant to national security and critical infrastructure protection to be detail-oriented, methodical — and willing to keep at it day in and day out, year after year.

By contrast, I’m not a demon for process, procedure and accuracy. What attracted me to this field was the concerns raised soon after the terrorist attacks about “failure to connect the dots,” to find patterns between seemingly dissimilar information, find holistic solutions to complex problems that interweave many seemingly dissimilar threads. That’s something that, because of my right-brained, intuitive approach, is second nature for me. In fact, I had connected the dots for Fortune 50 companies during many years as a private sector crisis consultant. I suspect that, just as what you do day in day out is black magic to me, you might find what I do to be of little or no interest — or just plain mysterious.

So why are the differing ways that I suspect you and I process information relevant to your challenges? Four years ago, after speaking at a homeland security conference in DC, I found myself sitting at lunch with 8-10 veteran civilian DoD analysts. At some point during the lunch — maybe the chicken was bad — their conversation turned to Myers-Briggs personality profiles.

It was not surprising to me at all to find that, with only minor variations, these men and women were almost all the same Myers-Briggs profile: Introverted, Logical, Thinking, and Judging, or (ILTJ) — ideal personality types for analysts and detail-oriented challenges. I suspect that many of you, if you’ve taken the Myers-Briggs, found your own thinking styles were similar.

It’s no wonder that the physical and cyber security fields don’t have many people like me, the ILTJs’ polar opposites: ENFPs: Extroverts, iNtuitive, Emotional and Perceiving. One description of ENFPs will give you an idea of the problem: “ENFPs may find it difficult to work within the constraints of an institution, especially in following rules, regulations, and standard operating procedures. More frequently, institutional procedures and policies are targets to be challenged and bent by the will of an ENFP”.

So, why the heck are my quirks relevant to the Center for Reliable Information Systems and Cyber Security’s mission of fostering collaboration between researchers from different colleges, building partnerships with industry and other colleges, and reaching out to the community to increase knowledge, awareness and education in cyber security?

Because we face challenges unlike any we’ve faced in the past.

We must respond in different ways, ways that will require the ILTJs and ENFPs, the political liberals and conservatives, the security skeptics and the security hard-liners.

Think about the current security threat. It’s not a group of programmers in a 1960’s-style Soviet gulag working in lockstep to break our codes because their very lives depend on it. Instead, it’s:

The fact that these threats to our cyber security aren’t tightly integrated in a hierarchical chain of command, and, in fact, may be as contemptuous of each other as they are of us, is irrelevant. It is the cumulative impact of these self-organizing, self-directed networks that makes them so effective.

In part that’s because a networked enemy can not only use a technology network such as the web to communicate between themselves, but also is more effective than a hierarchy could be in bringing down that very network, because they don’t concentrate on a single point of failure, but on multiple points at the same time.

The Pentagon realized the transformative role of networks in the 1990’s, due to the work of two Rand Corporation researchers, John Arquilla and David Ronfeldt. In 1993, they coined the term “netwar.” Arquilla and Ronfeldt wrote that the information revolution is “altering the nature of conflict across the spectrum.” Communications technology gave small groups who communicate, coordinate, and conduct their campaigns in a networked manner, without a precise central command, an advantage over hierarchical forms.

Logically, Arquilla and Ronfeldt said that it takes a networked defense to fight a networked offense. Their approach is now an accepted part of Pentagon strategy.

The second aspect of the evolution of networks arguing for a networked cybersecurity strategy is the nature of the communications technology that you and I increasingly use on a daily basis, from cell and camera phones to Wi-Fi laptops and GPS in our cars. These devices are increasingly IP- and packet-based. That means the resulting networks are decentralized, self-organizing and self-healing — they don’t depend on central authorities or facilities.

It also means that they are increasingly ubiquitous, combining more types of information into a unified whole, and therefore a more inviting target to hackers and terrorists, because disrupting them will affect every aspect of our lives. And, the more disparate elements are interwoven into the network, the more opportunities, especially at the fringes, present themselves for disruption, hence the growing concern about cell phone viruses, PIN thefts, and related threats outside the firewall that can trigger problems behind the firewall.

The final networked component, and the one that I hope becomes a key strategic focus of the Center for Reliable Information Systems and Cyber Security, is networked behavior.

I argue that the key to robust security in a networked age is networked thinking, and that’s where melding the diverse talents, insights and priorities of the intuitive and intellectual, liberal and conservative, must come into play.
We must replace the old hierarchical, top-down model with a bottom-up one dominated by smart swarms.

In case you haven’t heard the term smart swarms, it is the outgrowth of research at the Santa Fe Institute — home of much of the pioneering work on chaos and complexity theory — on emergent behavior, first observed in lowly ant hills and bee hives, and now found in human society as well.

Emergent behavior is a phenomenon in which a higher-level of behavior and thinking spontaneously emerges from the acts of a large number of individual actors — action that is more than the sum of its parts.

I’m happy to report that emergent behavior is playing a critical role in cybersecurity.

We saw a dramatic example of this phenomenon just last week.

Coverity (a firm that does automatic analysis of code to quickly identify defects that might cause catastrophic crashes), Symantec, and Stanford have a contract with the Department of Homeland Security to analyze defects in open source products such as Linux, Apache, and MySQL. Why? Because these programs are so widely used today that flaws in their code might be exploited by cyberterrorists.

Last week, as the program got up to speed, Coverity announced preliminary findings that were dramatic proof of the virtues of smart swarms: in the first seven days after it was publicly announced, more than 200 open source developers registered to gain secure access to the online defect database that Coverity had compiled.

This smart swarm of independent developers fixed more than 900 defects during the first week, more than 5 bug fixes per hour. Samba, a widely used open source program used to connect Linux and Windows networks, showed the fastest developer response, reducing software defects from 216 to 18 in the first seven days!

Perhaps the most dramatic example was the Amanda backup and recovery software project. During that week, its developers eliminated all software defects that Coverity had found. In fact, they quickly released a major version, 2.5, to mark the fact that 0 outstanding defects remained.

Contrast that rapidity of response with what would seem on the surface to be a much more easily-revised program: Windows. After all, Microsoft has many more coders on its staff and it can order them to make changes, rather than having to cajole a bunch of free agents and free spirits with only pizzas to offer as inducements, as is often the case with open source projects. Advantage, open source!

In the new security paradigm, we won’t just use smart swarms to improve the security products themselves; the resulting software will also encourage smart swarms when it is applied.

It’s too bad that Charles Jennings of Swan Island Networks couldn’t be here to describe in depth the work they’ve done in this regard. It ain’t no coincidence that one of the company’s two primary products is called SWARM: Jennings is very much a pioneer in applying emergent behavior to software. SWARM® is an over-the-Internet communication system that allows a central authority to maintain persistent control over highly sensitive information, rich media (text, audio, video, dynamic mapping, etc.) and alerts while distributing it to trusted users on a real-time basis. SWARM also introduces robust security features for non-repudiation and security monitoring — all within a dynamic, components-based security framework.

Perhaps most innovative is a unique “poison pill” content erasure feature — not unlike the Mission Impossible self-destructing tapes, making it ideal for coordinators during an emergency to, for example, give access to security information to individuals who don’t have security clearance but who must have that data at that precise moment to cope with a situation. The issuing authority can impose limits on whom, if anyone, the recipient can share the information with, and how long they can possess it — at which point the data vanishes.

Each SWARM includes a closed-loop, highly secure “last mile” connection to a unique community of known users, making it easy for individual swarms to federate with each other, and to exchange information in standard data formats.

Fighting terrorism or disasters requires rapidly evolving collaborative action among players who may, under normal circumstances, be separated by organizational, jurisdictional, and IT boundaries.

SWARM can actually provoke higher-level, smart swarm behavior by enhancing communication pathways among members of these ad hoc, yet trusted, communities of users. It does this by adhering to a few simple rules about information access and targeting, by integrating rich feedback loops from individual members, and by issuing new software releases every 90 days, co-evolving with its users.

I’ve been called a visionary, but I’m also a realist.

Building the kind of smart swarm approach to cybersecurity that I’ve described won’t be easy.

We right- and left-brained people see the world, and our jobs, in fundamentally different ways. We process information differently, and we speak differently. We don’t always understand each other.

Yet, I argue that we have no choice. The nature of the networked enemy we face requires the best of both of us: your attention to structure and detail, and our attention to how those dots fit together. The threats will change constantly, as will the tools both we and our opponents will have to use. Only through a flexible, dynamic and robust networked strategy will we be able to counter the flexible, dynamic and robust network enemy we face.

I for one look forward to the challenge.

Thank you.
