Cyberwar's Future: Shoring Up Defenses

by James ShultzIn the cyberwar arms race, how do outgunned defenders stay a step ahead of armies of dedicated hackers?In the near future, the answer may be Internet-based cryptography: encryption of data and authentication procedures designed to give authorized users access while denying entry to those without proper credentials. Specialists in and out of government are working to develop a public key infrastructure, or PKI, that would establish secure protocols. Such encryption, while theoretically vulnerable to hacking, would require calculations of such complexity and length as to make successful attacks impractical for the foreseeable future. In establishing a series of public and private keys, or mathematically related constructs that users employ to authenticate the legitimacy of transactions, a fully implemented PKI would make anonymous or false-identity computer-systems entry extremely difficult, if not impossible. Users would be able to instantly block or reject files, e-mails and program code from any unknown or unverified sender ? stopping dead in its tracks, for example, a would-be virus attached to an e-mail or included in any other executable form. To provide this assurance, PKI users will have to register their identities in a digital format known as a public key certificate. Certification authorities will create the digital certificates by "signing" a set of data that includes information such as user name, employee number, if any, and public-key information. The public key is necessary so that others can encrypt transmissions or messages for a user or verify the user's digital signature. The certificates also will contain specific dates that indicate the lifetime of the certificate, as well as the particular operations ? such as data encryption and verification of digital signatures ? for which the public key is to be used.Because a certificate's integrity can be vetted by means of the certification authority's digital signature, certificates inherently are secure, and tampering can be easily detected. Users retrieving a public key from an online yellow-pageslike directory can, therefore, be confident that the public key is valid. The private key, solely in the user's possession, can then be used to decrypt and confirm the certificate's origination.XXXSPLITXXX-Although these robust cryptographic procedures already exist, common PKI standards remain to be set. For PKI to become widespread, those standards, and the procedures and infrastructure required to implement them, will need to be established and additional research and development conducted. Once that occurs, perhaps in the next two to three years, defenders will have one of the biggest information technology weapons yet conceived to combat computer intrusion and attack."PKI will play a bigger and bigger role, both in the protection of information in government and securing communications across agencies," said Russell Housley, chief scientist with computer security firm Spyrus Inc. of Santa Clara, Calif. "Cryptography is a fundamental building block, providing a secure pipe between computers. There will be widespread deployment of secure electronic mail and also additional deployment of secure Web applications."In the interim, computer maker Hewlett-Packard Co. is counting on a product it calls Protect Tools 2000. A combination of hardware and software protects systems against unauthorized use and access of equipment and programs. Protect Tools 2000 has two key elements: a smart card with embedded microprocessor that stores a user's password and authentication information; and a card reader that can be attached to a desktop or inserted within a laptop. To prevent unauthorized use, bundled software enables users to reconfigure their operating systems and e-mail programs to accept only stored smart-card information in order to function properly.In the worst case, if a hacker attempts to break into programs or literally walks away with a computer or its smart card, Hewlett-Packard claims the thief will be rewarded only by frustration. A smart-card-enabled computer will not work without a card, and the card itself will permit only five attempts at password entry ? mathematically, far too small a number of tries to crack the stored authentication data ? before the wrong keystroke sequence on the sixth try will prompt the card to disable itself."If the card is stolen, no one would be able to do anything with it," said Daniel Palmans, Hewlett-Packard security program manager for desktops. "Even the best hacker in the world won't be able to read the data on that card without the right password. You won't see smoke coming out, but the card will be unusable. It's basically an embedded software bomb."The smart cards also have enough memory to easily capture and retain the data on PKI certificates. In the future, Palmans said, the card may be used to encrypt transmissions or decode encrypted transmissions from another party."When you're done with your laptop or desktop, you take your digital certificates with you," he said. "Sure, your laptop can be stolen. But again, there are only five trials possible to get to the data. Given that each PIN number is eight characters long, that's nearly impossible. The technology is really secure."Smart cards may be one of the central players in the future of computer security, in particular because of their ability to accommodate so-called biometrics information, such as fingerprints, retinal scans, even DNA profiles. It is an approach endorsed by Spyrus, which supplies the National Security Agency with smart cards. Its Rosetta smart card can be used to establish secure computer-to-computer communications; some versions contain proximity sensors, which allow the cards to function as entry-and-access devices when swiped through or passed over the surface of a reader. The company also is working on a smaller version of the card, which can be carried unobtrusively on a key chain."When banks first installed safes, robbers went to great effort to break in and break the safes open. When the safes got so good that they resisted damage, thieves started to kidnap bankers' daughters and hold them hostage," said Housley. "Then the robbers were caught, and the threat diminished. I think we're going through a similar evolution, hopefully without the personal risk. "Every time we make an advance, the hackers do, too. I don't know how long it will take, but I think we'll get to the point where there will be pretty good protection," he said.XXXSPLITXXX-In the fictional world, where well-muscled secret agents routinely cheat death, protecting secrets and security is simply a matter of deploying the latest in jaw-dropping technology. In the real world, security, computer and otherwise, ultimately depends on human beings."Even though products will advance and awareness increase, the weak link in all this is people," said Joseph Patanella of TrustWave Corp., Annapolis, Md. "It all comes back to people, no matter what application comes out or what security device you install."Know who the person is who has access to your network," he said. "That person holds the keys to your kingdom, to your enterprise. It's amazing what kind of damage a person like that can do if he decides to."Human involvement will both shape and limit the future of e-security. Agencies and businesses, for example, are outsourcing security monitoring to specialists within computer services firms for continuous detection of intrusion and network-compromising attempts.Given government's size and ability to set a national agenda, legislators seem sure to determine the direction and speed of computer security initiatives. So, too, will agents of foreign governments, who may affect e-security policies if they ramp up efforts to crack security barriers in key systems to obtain national security or other classified information. And there is the human culture at universities and colleges: the ongoing dot-edu problem that, because of a tradition of unfettered access, makes such systems vulnerable to hijacking for denial-of-service attacks.Fortunately, experts agree that humans have an ancient tradition of cooperation. It is this predilection that, combined with new generations of technology, may give defenders an edge in the years to come. "There has to be more coordination across the Internet to identify attackers and respond to them," said Fred Kost of Recourse Technologies in Palo Alto, Calif. "There has to be a lot more intelligence and analysis of events occurring across the network and more preventative thinking. I think you'll see much more collaboration to solve the security problem, with the public and private sectors working together."Ultimately, however, one must settle for a certain level of risk, said security officials. Despite the promise of encryption and new generations of security-enhancing technologies, not every asset will be protected completely. No endeavor, computer-based or otherwise, can realistically be undertaken without minimal risk."We are definitely getting better in identifying what we can't afford to lose. And we are getting better at defending those pieces," said John Thomas of AverStar Inc. in Burlington, Mass. "But there's a lot out there that simply can't and won't be defended. It would cost too much money to fix, and the need is not as critical. "Security is a matter of balancing risk," he said. "It comes down to what you can afford and what you can't."